Seismic and GDPR


This overview is intended to provide background information to help you better understand GDPR and Seismic’s compliance with its requirements. This overview does not constitute legal advice for your company to use in complying with EU data privacy laws like the GDPR. This information is not the same as legal advice, where an attorney applies the law to your specific circumstances. This overview is not legal advice or legal recommendations. Please consult an attorney if you require advice on your company’s interpretation of this information or its accuracy.

GDPR Overview


The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify the data protection for all individuals within the European Union (EU). This regulation becomes effective on May 25th, 2018.

GDPR is an enhancement of the 1995 Data Protection Directive. GDPR will replace the Data Protection Directive when it becomes effective. The Directive set out eight data protection principles that govern the treatment of personal data by organizations:

  • Obtain and process personal data fairly
  • Keep data only for one or more specified lawful purposes
  • Process data only in ways compatible with the purposes for which it was given initially
  • Keep data safe and secure
  • Ensure data is accurate and up-to-date
  • Ensure the data is adequate, relevant, and within scope
  • Retain data no longer than is necessary for the specified purpose or purposes
  • Give a copy of personal data to any individual upon request

What GDPR Governs


GDPR was created to protect EU Data Subjects: any EU citizen located within the EU. Personal data, as covered by GDPR, is any information related to a person that can be used to identify the person, including but not limited to:

•  Name
•  Photo
•  Email address
•  Banking information
•  Social media posts
•  Medical information
•  Computer IP address

Individual Rights under GDPR


Individuals affected by the GDPR are given a host of rights when it comes to managing their private data.


The individual must be provided with clear, unambiguous reasons for the collection and use of their personal data. They then must consent, through a statement or clear affirmative action, to the processing of their personal data in the ways that have been clearly stated.

Data Sharing and Deletion

Individuals possess the right to request that any of their personal information be deleted or that the collected information be shared with them. The right to be forgotten requires data controllers to alert downstream recipients of deletion requests. The right to data portability allows data subjects to demand a copy of their data in a common format.

Access Requests

Data subjects are within their rights to request access to the data that is being stored about them. Entities may not charge for processing an access request unless they are able to demonstrate that the cost will be excessive. The timeline for processing a request for data access is 30 days. Organizations may refuse a request, provided clear policies and procedures are in place. They must also demonstrate why each refused request meets the criteria for refusal.

Supervisory Authority for GDPR


GDPR has removed the inconsistency of having multiple supervisory authorities. Under GDPR there is a “one-stop shop provision,” meaning there is a central authority for handling enforcement of the regulations.

Breaches of data must be reported to this central supervisory authority within 72 hours of learning of the breach. Exceptions are made for encrypted or anonymized data. Breaches that are likely to bring harm to an individual–such as identity theft or breach of confidentiality–must also be reported to the affected individuals.

Internal Requirements for GDPR


GDPR includes provisions for how organizations must store, protect, and manage the data they collect. Organizations are required to build in data privacy by design when developing new systems, to ensure compliance with GDPR. Also of note is the Data Privacy Impact Assessment (DPIA). DPIA is the process of considering the impact a project or initiative might have on privacy. Organizations have an obligation to perform this assessment when designing new technologies, or using existing technologies in new ways.

Some organizations will be required by GDPR to have a Data Privacy Officer (DPO) to help oversee compliance efforts. Organizations required to have a DPO are public authorities, companies whose activities involve the regular and systematic monitoring of data subjects on a large scale, and companies who process what is currently known as sensitive personal data on a large scale.

Ahead of GDPR, Privacy Notices, Statements, Terms of Service, and internal data policies will need to be reviewed for compliance with GDPR.

Scope, Accountability, and Penalties Relating to GDPR



GDPR applies to:

•  Entities within the EU
•  Non-EU businesses who market their products/services to people in the EU
•  Non-EU businesses who monitor the behavior of people in the EU


GDPR requires organizations to demonstrate compliance to the supervisory authority. This accountability includes documenting processes and completing training to ensure compliance.


Depending on the violation of the GDPR, numerous penalties can be imposed on the offending organization. These penalties can result in significant fines, depending on the severity of the violation.

Seismic’s Compliance with GDPR


The Seismic platform complies with all applicable GDPR requirements for a Data Processor. If you’re a Seismic customer, the details of the changes made to ensure compliance are hosted on the Seismic Community.

If you're an existing Seismic customer and have questions, please reach out to your Seismic admin and they will get in touch with your customer success manager.

If you have any further questions about Seismic and GDPR compliance, please connect with our team.