Hootsuite and the General Data Protection Regulation (GDPR)
The European data protection law called the General Data Protection Regulation (GDPR) became effective on May 25, 2018, and affects all companies that process personal data of individuals in the EU.
Hootsuite understands that data protection is important to its users. As a Canadian company, Hootsuite is already subject to data protection laws that provide for similar standards as existing European laws. And as a company with millions of users in Europe, Hootsuite is well aware of the need to provide its EU users with services and solutions that will help them meet the EU’s new data protection requirements.
Hootsuite fully welcomes the GDPR and is here to help our users address the GDPR through our robust privacy and security protections. We appreciate that the GDPR requires our users, as data controllers, to engage data processors that deploy appropriate safeguards. Hootsuite has been heavily engaged in preparing for the GDPR. We fully appreciate and recognise the importance of GDPR to our users in the delivery of our services to them.
What is the GDPR?
The GDPR is a new European data protection law which sets out various requirements that became effective on May 25, 2018. It replaces the existing data protection regime for the EU under Directive 95/46/EC, and is intended to harmonise data protection laws throughout the EU by applying a single data protection law that is binding throughout all Member States. Countries outside of the EU, including countries in Asia, are also implementing laws that align with the GDPR.
Who does the GDPR apply to?
The GDPR applies to virtually all organisations that process the “personal data” of EU residents as a result of services offered to them or which monitor them, regardless of whether the organisation physically resides in the EU. Personal data is any information relating to an identified or identifiable natural person.
How does the GDPR apply to Hootsuite and its users?
Hootsuite is a social media management tool that enables its users to bring together their social networks and integrate with hundreds of business applications that they already use, all in one place. Because the content on social media is user-generated, it may at any time contain personal data if users of social media decide to share such information. As a result, the GDPR will apply to both Hootsuite and its users, but in different ways.
The GDPR distinguishes between organisations that are “data controllers” and those that are “data processors”. As explained in our Privacy Notice, Hootsuite is a data processor of content generated, requested or published via its supported social networks. As such, Hootsuite only processes content in accordance with the instructions our users give us through our services. Because our users control how their content is collected and used by them, our users are, in legal terms, the data controllers of the content that they process through our platform. Hootsuite is its users’ data processor of that content.
For more information on the types and categories of data we and our users collect and process, please see our Privacy Notice.
What has Hootsuite done to prepare for the GDPR?
Hootsuite welcomes the GDPR and is committed to strengthening the robust organisational and technical safeguards it already makes available to users. Hootsuite appreciates that the GDPR requires a partnership between Hootsuite and its users in their use of our services. We can confirm that Hootsuite has been heavily engaged in preparing for the GDPR and recognises the importance of GDPR to our users in the delivery of our service to them.
Hootsuite has carried out an in-depth GDPR readiness project across our entire organisation. As part of this project, we analysed each of our product offerings and our internal policies with a view to becoming GDPR ready. These steps included:
- dedicating full-time resources to privacy, data protection and the GDPR;
- retaining external experts from established consulting firms to assist with Hootsuite’s GDPR readiness efforts;
- conducting an organisation-wide review of all personal data processing activities within Hootsuite to ensure alignment with GDPR requirements;
- creating cross-departmental teams from security, engineering, product and legal to roadmap and ensure any technical or organisational measures required under GDPR are in place; and
- aligning Hootsuite’s existing security framework with the National Institute of Standards and Technology (NIST) security controls, which are aligned with, and appropriate to meet, the GDPR’s Article 32 security requirements.
Is Hootsuite GDPR Ready?
Yes, as of May 25, 2018 all Hootsuite products and services are GDPR ready. In addition to our own compliance with GDPR principles, we are committed to helping our users in their own compliance with the GDPR in connection with their use of our services. As such, we are making a Data Processing Addendum (DPA) available for all users to sign. Please refer to the DPA section below on how to enter into a DPA with Hootsuite.
Can I enter into a Data Processing Addendum (DPA) with Hootsuite?
Hootsuite makes available a Data Processing Addendum (DPA) for GDPR. The GDPR DPA and some FAQs are available to all of our users. If you would like to incorporate the GDPR DPA into your existing agreement with Hootsuite, please email us and we will promptly send you Hootsuite’s Data Processing Addendum for you to complete, sign and return to us.
How is Hootsuite different than other social media management services?
Hootsuite is a Canadian company with its head office located in Vancouver, British Columbia. For the purposes of EU data protection law, Canada is considered a country which provides adequate protections for personal data, as confirmed by the European Commission in Commission Decision 2002/2/EC. Accordingly, unlike some other companies operating in the social media space, Hootsuite already resides in a country with strong data protection laws. In this way, the GDPR is more of an evolution than a revolution for Hootsuite.
What organisational and technical safeguards does Hootsuite already provide to help its users comply with the GDPR?
Hootsuite maintains a continuous high bar for security and compliance. Information regarding Hootsuite’s security practices is available here.