How to apply GDPR to your channel partner program
We asked our Strategic Advisors how they solved this thorny problem about applying the new GDPR regulations from the EU to their channel partner program. Here’s what they said.
Jake Wallace, AWeber
Love this answer? Connect with Jake to talk through your channel program.
We started to asking our integration partners to provide a link to their privacy policy. That way if there is a need to have it, we have it on hand. We’re not doing anything with it other than having it handy in an event we do indeed need it as a quick reference.
Stéphane Donzé, AODocs
Love this answer? Connect with Stéphane to talk through your channel program.
First, to clarify the responsibilities: when a channel partner registers a lead with an ISV, the channel partner is sharing personal information that is under their responsibility with a third party (the ISV).
To use the technical terms of GDPR, with respect to the personal information shared during the registration of the lead, the channel partner is the “data controller”, and the ISV is a “data processor”.
From the point of view of the GDPR, the channel partner is the entity responsible for protecting the information they share with the ISV, even after the information has been shared.
What does it mean in practice?
Before registering the lead and sharing the information, the channel partner must ensure that they have a proper confidentiality agreement in place with the ISV. Make sure your reseller and referral agreements have these non-disclosure provisions in them.
The information registered by the partner remains “controlled” by the partner, even after the registration. Under GDPR, the partner can ask you (the ISV) at any time to update or delete this information. By law, you have to comply with their instructions since they are the data controller.
This means that you need to make sure you store this information in a properly managed repository / database, allowing you to easily update or remove the data when requested to do so.
Last but not least, you cannot use the information shared by your partner for other purposes than what it has been shared with you for (i.e. closing the deal). This means you cannot automatically add the registered lead to your prospect lists or other marketing lists, without collecting an “explicit consent” from the channel partner or from the people corresponding to the contact information you have received.