3 Replies Latest reply on Nov 29, 2018 11:03 AM by Sanford Whiteman

    Are smart list subscriptions GDPR compliant?

    Kim Gandy

      I have some teammates who use the download feature on weekly smart list subscriptions. Will downloading these lists of leads be compliant with GDPR secure file sharing?

        • Re: Are smart list subscriptions GDPR compliant?
          Sanford Whiteman

          The GDPR itself does not mandate encryption.

          But if your legal team has determined that encryption at rest is part of a good-faith effort to protect private data (with or without GDPR, but with an eye toward smoothing things over with regulators when bad things happen) then making lists available offline on untrusted devices is likely to break that internal contract.

            • Re: Are smart list subscriptions GDPR compliant?
              Mark Wallace

              Hello All

              I just had a read of this GDPR guide from Marketo.

              It says it applies "encryption to all data in transit".

              It includes the following:

              Data Encryption
              By default, Marketo implements suitable measures to prevent personal data from being read, copied, altered or deleted by unauthorized parties during transmission, applying high grade TLS encryption to all data-in-transit through the use of HTTPS connections to all Marketo instances. In addition, customers have the option to add encryption to data at-rest by storing their data on AES-256 encrypted hardware. Encryption at-rest provides a further safeguard in the case of a data breach, as any data stolen would be illegible and unusable.

              Does this mean that the subscription lists are encrypted and only readable by the recipient?

              Thanks

              Mark

                • Re: Are smart list subscriptions GDPR compliant?
                  Sanford Whiteman

                  Nope, because the link is being sent via SMTP, which is inherently insecure (it's a plain-text medium). This would not be considered end-to-end encryption by any means. Any network that includes plain HTTP (not HTTPS), FTP (not SFTP/FTPS), or SMTP can't be considered "encrypted."

                  Does this mean that the subscription lists are encrypted and only readable by the recipient?

                  Nope. Even if the link to the list were transmitted over a totally secure medium and encrypted at rest on the server, anybody with access to the instance can decrypt the data (it's not per-recipient encryption).

                  Again, your legal department will determine what level of security is necessary but it's vital to state clearly what's being delivered.
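As an added example (not code from this thread, from Marketo, or from any poster), the following Python script shows how a defender can check the two transport points made in the answer above on a concrete message: it parses a constructed list-export notification e-mail, reads each `Received:` hop to see whether the relay recorded STARTTLS (`with ESMTPS`) or plaintext delivery (`with ESMTP`), and classifies the links in the body by scheme (HTTPS versus plain HTTP/FTP). It also flags a download link that carries a token as a bearer link, since anyone who can read the mailbox can read it. All hostnames, addresses, message ids and the token are constructed sample values, and the `token=` check is a heuristic assumption, not a Marketo convention.

```python
"""Added example, not code from the thread or from Marketo: audit a
constructed list-export notification e-mail for the transport weaknesses the
answer above describes. Hostnames, addresses, ids and the token are sample
values constructed for this example."""

import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample notification (two Received: hops, two links in the body).
SAMPLE_EMAIL = """\
Received: from mta.example-marketing.test (mta.example-marketing.test [198.51.100.7])
\tby mx.example.test with ESMTPS id abc123
\tfor <kim@example.test>; Thu, 29 Nov 2018 11:03:00 +0000
Received: from app.example-marketing.test (app.example-marketing.test [198.51.100.8])
\tby mta.example-marketing.test with ESMTP id def456;
\tThu, 29 Nov 2018 11:02:58 +0000
From: alerts@example-marketing.test
To: kim@example.test
Subject: Your weekly smart list export is ready
Content-Type: text/plain

Your export is ready. Download it here:
https://app.example-marketing.test/export/download?token=EXAMPLE-TOKEN
Older exports: http://files.example-marketing.test/archive/
"""

# Schemes that carry data in the clear; anything else is treated as TLS-protected.
PLAINTEXT_SCHEMES = {"http", "ftp"}


def hop_security(raw_message):
    """Return [(receiving_host, used_tls), ...] for each Received: hop, newest first.

    Mail servers record 'with ESMTPS' (or ESMTPSA) when the hop used STARTTLS and
    plain 'with ESMTP'/'SMTP' when it did not. Even a TLS hop is hop-by-hop only:
    every relay still sees the message, so this is not end-to-end encryption."""
    msg = message_from_string(raw_message)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())  # unfold the header onto one line
        by = re.search(r"\bby\s+(\S+)", flat)
        with_ = re.search(r"\bwith\s+(\S+)", flat)
        protocol = with_.group(1).upper() if with_ else "UNKNOWN"
        hops.append((by.group(1) if by else "?", "SMTPS" in protocol))
    return hops


def extract_links(raw_message):
    """Pull http/https/ftp links out of the (single-part, text/plain) body."""
    body = message_from_string(raw_message).get_payload()
    return re.findall(r"(?:https?|ftp)://\S+", body)


def classify_link(url):
    """Flag plaintext transport and (heuristically) a token-bearing download link.

    A link delivered by e-mail is readable by everyone who can read the mailbox;
    if it can be fetched without a separate login it is effectively a bearer
    credential for the list. The 'token=' check is a simple heuristic assumption."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    return {
        "url": url,
        "scheme": scheme,
        "transport_encrypted": scheme not in PLAINTEXT_SCHEMES,
        "carries_token": "token=" in parsed.query,
    }


def audit(raw_message):
    """Combine the hop and link checks into a list of plain-language findings."""
    hops = hop_security(raw_message)
    links = [classify_link(u) for u in extract_links(raw_message)]
    findings = []
    if not all(used_tls for _, used_tls in hops):
        findings.append("at least one SMTP hop was plaintext (no STARTTLS)")
    findings.append("SMTP delivery is hop-by-hop; TLS hops are not end-to-end encryption")
    for link in links:
        if not link["transport_encrypted"]:
            findings.append(f"link uses plaintext transport: {link['url']}")
        if link["carries_token"]:
            findings.append(
                f"download link is a bearer link readable by anyone with mailbox access: {link['url']}"
            )
    return {"hops": hops, "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_EMAIL)["findings"]:
        print("-", finding)
```

On the constructed message the script reports one plaintext hop, the hop-by-hop caveat, the HTTP archive link, and the token-bearing HTTPS download link; note that even a message whose every hop used TLS still gets the hop-by-hop finding, which is the distinction the answer draws between transport encryption and end-to-end or per-recipient encryption.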