Calm Meditation and Sleep App users may be drifting off to dreamland listening to “Once Upon a GDPR” — a complete reading of the 57,509-word, 209-page General Data Protection Regulation (GDPR). But GDPR is keeping many B2B channel brand and program managers awake at night. GDPR is the backbone of EU and UK privacy and security regulatory compliance. It is also proving to be a significant concern for global channel programs. 

B2B organizations that sell through indirect channels and partner programs in Europe and the UK can certainly take steps to ensure that their own contact lists are fully compliant. But what about their partners? If partners aren’t following the rules, does that undermine a brand’s overarching compliance? Since not adhering to GDPR rules can lead to hefty penalties and fines (we’re talking upwards of $25M), we sat down with Zift’s Director of Product Tim Porterfield to talk frankly about how Zift ensures GDPR compliance for its customers. 


How does Zift ensure GDPR compliance for channel organizations?  

As we protect and maintain over 2 billion points of data for channel programs doing business in the EU, UK and around the world, Zift takes data privacy and security very seriously.  We continually monitor evolving data privacy regulations and analyze our platform to ensure we protect our customers’, their partners’, and their end customers’ data. 

To that end, we have implemented several features in the ZiftONE platform to ensure GDPR compliance. Partners using the Zift platform are required to verify that their contacts have opted in to receive communications and marketing materials. We have a cookie manager that allows end customers the right to refuse tracking. We also provide a user-friendly path so contacts can easily exercise their right to be forgotten if they choose.


If a partner uploads their own list of leads or contacts, will the B2B brand or supplier be at risk of non-compliance for GDPR?

In short, no. A little longer answer is “We do everything we can to ensure the partner is accountable for their actions in the platform.” Once a partner has accepted the Terms and Conditions of use for our platform, they have legally taken ownership and responsibility for their data. Brands are not at fault if the partner misuses the tool. We also have steps in place that brands can enable that require verification of contacts opting in for marketing and communications.

With that being said, no system is perfect and the protections we have in place are only as good as the user saying, “Yes, the contact has opted in.”  Our terms and conditions protect not only our customers but also us as a data processor. The additional confirmation of, “Yes, the contacts on this list I have uploaded have opted in to receive communications from me” is just another small step to ensure the partner has taken full ownership.

On top of all of this, we also have automatic spam and bounce rate rules in place that help ensure end customers receiving communications from our platform are only receiving them from high-quality partners who are not out to game the system. Those who try to play outside the lines will eventually find their ability to use our platform for communication will be removed. But on that same note, those who use it effectively will gain access to more email credits and increase their ability to generate leads and close deals.


What if a partner uploads a contact list that is not GDPR compliant?

During the process of uploading a contact list and leads into ZiftONE, a partner is pointedly asked if the contacts in the list have opted in or not. The answer to this question will determine if we allow the partner to communicate with the contacts on the list through our platform.  

Any contact or end customer who feels they are on our list without their permission can quickly remove themselves from all or some of the partners who have their data by using the ‘Control My Data’ link located on the Privacy Policy page of the website. This quick and easy process:

1) Confirms the contact owns the email address with a verification email 

2) Gives limited access to a results page that displays all partners who have their data, and

3) Provides the choice to unsubscribe or anonymize their data from some or all of the results 


How is ZiftONE better than other channel marketing management or partner relationship platforms in supporting and ensuring GDPR compliance?

Not only am I the Director of Product here at Zift, but I am also a consumer. I am very aware of how it feels to end up on a list I never wanted to be on and how hard it is to get your information removed when that happens. If we focus on making sure we respect the end customer and their right to privacy, then we are doing more than just being “GDPR compliant.” While we work to protect our customers, their partners, and the privacy rights of every contact added to our system, we do so from that perspective.

To that end, Zift is GDPR and CCPA compliant. We are subscribed to the EU-U.S. Privacy Shield Framework. We adhere to the Swiss-U.S. Privacy Shield Principles (collectively, the Privacy Shield Principles) for Personal Data received from entities in the European Economic Area (the “EEA”), the United Kingdom (“UK”) and Switzerland.

We are also compliant with SOC2 Type II and have maintained this for 3 consecutive years with clean reports, using the “Best Practice” of ISO27001. The following codes of practice have been adopted and are implemented where appropriate:

  • ISO/IEC 27002 – Code of practice for information security controls
  • ISO/IEC 27017 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors


Putting all that technical stuff aside, the key thing that ZiftONE does to ensure brands and suppliers remain GDPR compliant is to confirm partners have permission to engage with the contacts they add to the system. We notify targeted end customers that tracking cookies are in use, ask for their permission to track how they engage with our platform, and provide a quick, user-friendly way to opt out of communications and remove their data from contact lists.