Darcy Mekis

Senior Social Media Manager

We recently sat down with Matt Bertenthal, Senior Privacy Counsel at Medallia, to learn more about the General Data Protection Regulation (GDPR) and what plans Medallia has in place to comply with GDPR’s new requirements.
So Matt, what exactly is GDPR?
GDPR is a law in the European Union that will replace existing data protection laws in all EU countries starting on May 25, 2018. The law requires any company doing business in the EU to demonstrate that they have a lawful basis to handle personal data and adequate processes in place to manage and protect it.
As part of its requirements for data collection and processing, companies need to be accountable for how they safeguard personal information of people in the EU. Because a large portion of Medallia survey programs collect the personal data within the EU, many of our customers will be subject to GDPR.
We know that the protection of personal data has become an ever-increasing hot topic. Can you explain a little about why GDPR is so important, especially in today’s digital age?
In short, GDPR is important because it improves the protection of European privacy rights and clearly outlines what companies that process personal data must do to safeguard these rights. While personal data has been protected by numerous laws across different countries, the laws in the EU have been disparate and have not applied as broadly outside of the EU. GDPR will change that. With newly centralized requirements, increased breadth of application, and higher potential fines, companies are even more focused on how they collect, store, and use personal data.
How will GDPR impact customer experience?
Under GDPR, customers are gaining more control over their relationships with the companies they interact with. They’ll have the right to access, update and remove the data that businesses hold on them. Many companies are embracing this as an opportunity to establish a new level of transparency and trust with their customers, creating an opportunity for companies to make their businesses more customer-centric.
What is the “right to be forgotten”?
The “right to be forgotten,” also called “the right to erasure,” is going to be an important piece of the compliance picture when it comes to GDPR. Essentially, it means that any person residing in the EU will be able to request deletion of their data from corporate databases in a timely fashion. And if that data isn’t removed, the customer has the right to know why.
How does Medallia ensure compliance with GDPR?
That’s a great question. Teams across the company have made GDPR a top priority over the past year. Starting from a foundation of strong security and privacy protections, Medallia has introduced new product functionality to pre-wire our platform for GDPR, and doubled down on security protections. And all of this work isn’t just motivated by GDPR. Securing, deleting and appropriately restricting access to data are critical to providing a good customer experience.
Key compliance features of the Medallia Experience Cloud include:

  • Automating the “Right to be Forgotten.” We’ve invested in platform-wide product features to automate what we could previously accomplish manually. Personal data in a customer’s program can be catalogued, and a GDPR-compliant deletion of a survey taker or employee’s information can be performed upon request. Our application can then generate reports to substantiate data deletion compliance.
  • Data masking. Personal data in a customer’s program can be viewed only by users with appropriate roles. This allows our customers to have programs that span multiple markets or business units in Europe to unify reporting, while allowing them to limit data access as needed under GDPR.
  • Data Access and Correction. Medallia can provide reports of the data we have collected on an individual survey taker or an employee at the request of our customer. Similarly, we can correct or otherwise modify database records associated with an individual survey taker at the request of our customers.
  • Data Security. Medallia’s security program has long been top notch. Our core platform is the only CEM product that is SOC 2 compliant and ISO 27001 certified. In the past 18 months, Medallia has further invested in security — we doubled the size of our dedicated security team, significantly increased the breadth and depth of security testing and monitoring (in combination with internal resources and accredited 3rd party testing), and developed multiple features in our platform to automate the implementation of security features.
  • Contract terms. Our form data processing agreement (DPA) that Medallia offers customers has been updated to specifically address the requirements of GDPR.

Please join our webinar on May 9, “Effective Survey Programs Under GDPR”. You can also learn more about how the Medallia Experience Cloud supports the provisions of GDPR at www.medallia.com/gdpr.