Privacy Cloud FAQ

Updated 

FAQs  

► What is Privacy Cloud?
With the General Data Protection Regulation (GDPR) coming in play in May 2018, Sprinklr created Privacy Cloud to prepare for and meet the new obligations for which these regulations create. Sprinklr’s goal with the Privacy Cloud is to go way beyond simply complying with the GDPR regulations and to set a new gold standard for how to approach the collection and management of personal data from social networks and to provide our customers with a comprehensive toolkit to implement their GDPR programs in a way that will provide complete transparency, governance and control over data management in Sprinklr. This will support the complex Data Protection needs of enterprises globally.
 
► When will Privacy Cloud be available to customers?
The privacy functionality will be available to customers in limited availability as of May 25, 2018.
 
► What does Privacy Cloud consist of?
Privacy Cloud consists of a set of data Subject Rights management functionalities aligned with GDPR:

• Right to Access
• Right to Rectify
• Right to Erase
• Consent Withdrawal
• Privacy Workflows
 
► What is GDPR?
GDPR redefines what is classified as personal data and creates new rights for “data subjects” (i.e. individuals who the data is about) and new obligations for Data Processors (i.e. Sprinklr) and Data Controllers (i.e. Sprinklr’s Customers) to ensure personal data is securely managed and that Data Subject Rights are respected. There are large fines of up to €20m or 4% of annual revenues for non-compliance.
For more information, see GDPR Official FAQ 
 
► What is the problem Sprinklr is trying to solve?
Sprinklr is trying to solve Managing Privacy in a fractured marketing landscape. The combination of complex MarTech/AdTech (or MadTech) stacks with multiple siloed SaaS applications and significant outsourcing of marketing activity to vendors and agencies has created a significant liability for large organizations. On-going risk happens every day when a junior associate at an agency may at any minute post-PII to an open server without the knowledge of the client.

Organizations now face many challenges in relation to the storage and (mis)use of personal data. Any data breach or use of this data without consent or legitimate legal interest to do so creates:

• Compliance risk, including fines up to 4% of annual revenues or €20 million (whichever is greater)
• Reputation risk associated with brands not being seen to respect an individual’s personal data
• Increased costs to put new processes and controls in place to ensure compliance and to service Data Subject Requests
• Increased investment costs to audit existing processes and systems, and to include “security by design” in all systems handling PII data
• Competitive disruption as the technology required to support marketing and customer experience initiatives evolves, with the new privacy regulations making many existing mainstay MadTech technologies and strategies redundant

Enterprises have not created audit trails across this broad mix of applications and suppliers – and as a result, the consumer control of marketing privacy is difficult to implement. Consumers need to be able to

• Disclosure: View all marketing data about themselves in systems controlled by the enterprise; and
• Consent: Consumers have the ability to opt-out of any communications at any time and they must be asked to explicitly opt-in to communications.
 
► What does this mean for Sprinklr's customers?
Sprinklr’s Privacy Cloud creates a single source of truth for marketing privacy. Global enterprises will be able to

• Manage privacy and support compliance including GDPR .
• Install governance through active auditing of partners, clients, and internal users.
• Protect confidential information from security threats and breaches through role-based access and permission controls.
 
► What does this mean for Sprinklr?
Sprinklr acts in the following capabilities to support our enterprise customers:

As a Data Processor
• 
Helping our Clients with data related to their end-users
• Viewing, Editing and Deleting data related to Brand’s Customers.
• Recording all compliance requests executed in the past.
• Issuing Certifications that serve as a record of actions taken.
• Documenting complete data flow in Sprinklr.
• Encrypting data, wherever possible.

As a Data Controller
Maintenance of data related to Sprinklr Platform users
•  Enable our Clients to view, edit and delete the data related to their employees who use the Sprinklr Platform.
 
► How do Privacy Cloud and the product that makes up the cloud work with MARCCS?
Sprinklr Privacy Cloud is already Integrated with other Sprinklr modules which are already installed – Sprinklr can integrate your point- solution MarTech stack and provide a single view of the consumer in a CXM database.
 
► How do customers access Privacy Cloud?
Sprinklr’s Privacy Cloud is provisioned and accessed like all the other MARCC and Social Clouds.
 
► What APIs are currently supported?
• Compliance API
• GDPR API (View, Edit and Delete Consumer Data)
• User API (View, Edit and Delete Employees or Sprinklr users data)
• Will access be provided via the user interface or via API?
• Access will be provided both, by the user interface and via API.
 
► How does manual deletion work?
Companies can request user data manually. Once selected, customers can choose to delete the following types of data:

• All Profile Comments
• All Profile Posts
• All Direct Messages
• All Profile Activities
• All Profile Properties
• Everything
 
► Will pricing be impacted by the introduction to Privacy Cloud? How much does the Privacy Cloud cost?
The basic functionality for Privacy Cloud is free and available for all customers. Sprinklr will be introducing premium products that will be provided at a cost.
 
► How can the data of a particular user from Sprinklr be extracted?
Data can be extracted in a CSV format for a particular profile by giving the unique profile identifier (channel name and ID)
 
► Can I delete a profile when requested by a customer and how can I do that?
Yes, you can delete a profile when requested by a customer. You can do it by manual deletion. See the question on manual deletion for more information.
 
► Where can customers find their ToC and data agreements with Sprinklr?
You can find your ToC and data agreements with Sprinklr link here
 
► What are the steps a Sprinklr account will need to take to obtain the right consent from their end users/customers? How can this information be tracked, updated, deleted ongoing?
The consent for Sprinklr to access social media data is under the T&C’s used agreed by the user when they sign up to the social platform and the settings in their privacy policy. If users choose to share information in the public domain via their social media accounts, Sprinklr customers may access this data without explicit consent under the legitimate interest of marketing under GDPR, provided they only keep the data for as long as is required for this purpose (the Sprinklr Privacy Cloud provides tools to configure data retention policies to meet the brand's needs).

From the Sprinklr side, Sprinklr agrees to the partner T&C’s of the social network, who in-turn approve Sprinklr to have access to this data. Sprinklr encodes the rules to prevent data from being “re-syndicated” to 3rd party systems; in other words transferred out of Sprinklr to an non-approved 3rd party system (note the rules are different for each social platform, as is the data we are able to collect or if we hold their data in our platform). Sprinklr has also updated it’s API access policy and process to include a consulting engagement ensuring brands do not inadvertently transfer data to a 3rd party system in a way that could compromise the T&C’s of the originating Social Network or GDPR compliance.

For the most part, Sprinklr, collects public domain data under the “legitimate interest” of marketing. If you use web tracker data (from the Facebook, Google Analytics, Twitter, pixels etc.), there should also be “consent” as the user will click “accept cookies” as required by the ePrivacy Directive. The customer (data controller) is also in control over if/what data is loaded in Sprinklr beyond the social data above (for example CRM or Marketing Automation data for customer care or advertising use cases) and should ensure appropriate consent is in place. For advertising use cases (Social DMP) Sprinklr provides the option to anonymize data used to create audiences using SHA256 hashing.

Where end users initiate a conversation with a brand via a social channel, consent is implied when the conversation is initiated. If the customer's legal advice requires additional consent to be gained at this point, Sprinklr provides the tools to automate and audit the collection of consent, for example by replying to the Direct Message with a reference to the privacy policy covering how the data will be used and appropriate language to confirm that consent is implied by continuing the conversation (likewise for requests for other personal information such as email or phone number to match to CRM records.
 
► Will training in the form of a webinar or pre-recorded session be provided to users to understand how to use this feature?
Yes - customer and field training will follow in the next weeks.
 
► Is there any additional information on the Privacy Cloud that Success Managers can utilize to reference in conversations with customers concerned about GDPR?
All the requests in Privacy Cloud will be governed by a workflow. To start with, a default workflow will be provided which will need approval from the right stakeholder on customer’s side to process the request. This can be customized as per the brand requirements.