Is CoPilot GDPR compliant?

  • Updated 6 months ago
Our company currently uses CoPilot quite regularly and there have been some questions lately about whether this type of functionality (1-to-many communication) is GDPR/CASL compliant. Is anyone else having these conversations in their org and/or does Gainsight have any more info I can share with our legal team?

Alicia Taggio


Posted 6 months ago


Ben, Champion

Hey Alicia!

We have had many conversations in this regard. GDPR is an immensely detailed conversation and not exactly one I can comfortably exhaust here. However, I can touch on what I know to be the main points.

If you are using CoPilot to contact customers*, and you allow them to Opt-Out of non-Operational communications, and you honor those Opt-Outs, then you should be just fine. You should also have a workflow in place to delete Contact records for any EU citizen, or employee of an EU business regardless of whether the employee lives in the EU. In short, this sort of workflow would have you covered.

*A customer in this case is defined as a person or entity that has, of their own volition, acquired a product or service from your organization. This type of company-customer connection is classified as "Legitimate Interest" and gives you (the company) a pretty big umbrella of safety to operate under. You do still have to live by the rules I mention above, but otherwise, you're set.

Where things get a lot more difficult is pre-sale. My teams live exclusively post-Sale (i.e. customer and "Legitimate Interest"), so I cannot speak in detail about that. I do know that our Marketing and Sales teams are collaborating extensively to ensure we meet GDPR on that end as well. 

Hopefully this helps! Happy to talk about it further and interested to hear other stories from our peers.


Denise Stokowski, Official Rep

Also, as a processor of your information through Gainsight, Gainsight is taking the actions (including customer DPAs, Data Processing Addendums) to ensure we are a GDPR-compliant processor.