What you need to know about Slack GDPR
If you’re wondering what you need to know about Slack GDPR, you’ve come to the right place. In this article, we’re breaking down what GDPR is, what it means for your organization, and everything there is to know about Slack GDPR compliance. Even if you don’t think GDPR applies to your organization, if you’ve adopted Slack — you’ll want to pay attention. Data protection laws are constantly evolving, and GDPR will become more relevant for technologies like Slack that store personal data.
What is GDPR?
Before we get into what you need to know about Slack GDPR, let’s clarify what GDPR actually is. There tends to be an ambiguous, alarming buzz around GDPR that leaves people wondering what it means for their business — but we’re here to set the record straight.
GDPR, or the General Data Protection Regulation, was implemented in the EU in 2018 to give consumers more control over and protection of their personal data. Personal data under GDPR constitutes any and all information that can be used to identify an individual, including names, job titles, email addresses, location tracking, and more. GDPR was introduced to ensure that businesses use personal data in ethical ways.
There are many caveats to GDPR that businesses must be aware of. On one front, businesses can’t send marketing emails unless the recipient has previously agreed to receive them. They also can’t collect email addresses for a different purpose, only to send marketing emails afterward. For example, if an EU citizen previously bought from an e-commerce site, that site may now hold the citizen’s information, but that doesn’t give it the right to bombard them with emails.
You know those ‘Accept Cookies’ banners that pop up when you visit a website? They are yet another way GDPR safeguards consumers from misuse of data. These banners are businesses’ way of asking permission to track and store your data.
In the same vein, GDPR grants EU citizens “the right to be forgotten” which forces organizations to erase personal information upon their request. Unless you have a commercial requirement, or “legitimate interest” to retain personal data, you must delete it and never contact the individual again.
If you want to dive deeper into the specifics of GDPR law, you can check out the official documentation here. Now, back to Slack GDPR.
Is Slack GDPR compliant?
The short answer to this question is yes — Slack has been very proactive in complying with GDPR. In Slack’s GDPR commitment, not only do they offer resources to help their customers comply with the law, but they also offer support to individual Slack users to help them understand their rights.
Slack’s GDPR commitment outlines everything from its Privacy Shield Framework to its Data Processing Addendum, which are both critical pieces of GDPR compliance. The Privacy Shield certification allows Slack to transfer EU citizens’ data to and from the U.S. legally. The Data Processing Addendum (DPA), on the other hand, is a bit more complex. The DPA is essentially a contract between the data controller (the customer) and the data processor (Slack) that outlines how personal information must be handled within the platform. This ensures that the purposes for processing personal data are always genuine under GDPR law.
How will Slack GDPR compliance affect my organization?
Instead of asking how Slack GDPR compliance will affect your organization, you should be asking, “How will GDPR, in general, affect my organization?” How Slack adapts to GDPR is only one piece of the puzzle — how your organization adapts is the other. Organizations that hold EU citizens’ personal data need to (1) understand how Slack GDPR works and (2) know how to react if the law comes into play.
For example, if a user exercises their right to be forgotten on Slack, how will you go about doing that? How will you prove their information is erased? These are the questions your compliance team should be asking and making a plan for, and they will only become more pressing in the years to come. Who knows — maybe someday Americans will have the right to be forgotten too. Get your Slack GDPR action plan together now, and you’ll be ahead of the curve for the future.
What tools will help me comply with Slack GDPR?
Slack currently offers a couple of data management tools that help organizations comply with GDPR:
- Import and export tools to retrieve a user’s personal data upon a user’s request or legal obligation. For example, if a former employee wants a copy of the information retained about them, the organization can retrieve that through Slack exports.
- Profile deletion tool to delete users’ personal data.
- Workspace settings center for users to contact the admin who controls the workspace regarding GDPR requests.
The most notable Slack GDPR tool is profile deletion, as it allows current or past users to request that their personal information be deleted. To do so, Slack users must contact their Workspace Admin. However, if they’re unable to reach their Workspace Admin, they can reach out to Slack directly. For other helpful features, here’s everything you need to know about Slack and Slack eDiscovery.
What personal data will be deleted under Slack GDPR, and what will not?
Given Slack’s dynamic nature, any single user can live within multiple DMs, groups, and both public and private channels. Slack users are collaborating constantly, creating context within channels that may need to be saved for legal purposes.
For this reason, Slack has a “legitimate interest” to keep the activity in their channels — yes, even if it comes from users who wish to be forgotten. If you’re wondering how Slack still meets GDPR standards, the answer is anonymity. Although users’ messages will still live on, no one will have any idea who they came from. Slack makes sure to delete:
- Display name
- Full name
- Profile picture
- Phone numbers
- Email address
- Other profile info in custom fields
After a user’s personal data is deleted, all messages will show up from “@deactivateduser”.
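To make the behaviour described above concrete, here is an added Python model (not Slack’s own code, and not Slack’s actual export schema) that erases the listed profile fields from a constructed export-style user record, leaves the user’s messages in place so channel context survives, re-attributes them to “@deactivateduser” when rendered, and writes the kind of audit record the planning section below asks for. The field names and sample data are assumptions of this example.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Profile fields the article lists as deleted; key names are this example's assumption.
PROFILE_FIELDS_TO_ERASE = ("display_name", "real_name", "image", "phone", "email", "custom_fields")
DEACTIVATED = "@deactivateduser"

# Constructed sample data: two users and a short channel transcript.
USERS = {
    "U123": {"display_name": "jdoe", "real_name": "Jane Doe", "image": "img/jdoe.png",
             "phone": "+1 555 0100", "email": "jdoe@example.invalid",
             "custom_fields": {"title": "Analyst"}},
    "U456": {"display_name": "msmith", "real_name": "Max Smith", "email": "msmith@example.invalid"},
}
MESSAGES = [
    {"user": "U123", "ts": "1700000000.000100", "text": "Vendor contract draft is in #legal"},
    {"user": "U456", "ts": "1700000000.000200", "text": "Thanks, reviewing now"},
    {"user": "U123", "ts": "1700000000.000300", "text": "Ping me with questions"},
]

def erase_profile(users, user_id):
    """Return (new_users, audit_record). Profile fields go; messages are not touched."""
    users = copy.deepcopy(users)
    if user_id not in users:
        raise KeyError(f"unknown user {user_id}")
    profile = users[user_id]
    erased = [f for f in PROFILE_FIELDS_TO_ERASE if f in profile]
    for field in erased:
        del profile[field]
    profile["deleted"] = True  # record stays so messages keep a resolvable author ID
    # Audit record: what was erased, when, and a fingerprint of the post-erasure
    # record, so the action can be evidenced later without restoring the old values.
    audit = {
        "user_id": user_id,
        "fields_erased": erased,
        "erased_at": datetime.now(timezone.utc).isoformat(),
        "profile_sha256": hashlib.sha256(json.dumps(profile, sort_keys=True).encode()).hexdigest(),
    }
    return users, audit

def render(messages, users):
    """Resolve author names the way a viewer would after erasure."""
    lines = []
    for m in messages:
        profile = users.get(m["user"], {})
        name = DEACTIVATED if profile.get("deleted") else profile.get("display_name", m["user"])
        lines.append(f"{name}: {m['text']}")
    return lines

def leaks(users, audit, value):
    """True if an erased value still appears in the retained records or the audit entry."""
    return value in json.dumps(users) or value in json.dumps(audit)
```

Running `leaks` over the post-erasure records with each value that was supposed to go is the check that turns “we deleted it” into something you can show an auditor.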
Planning for Slack GDPR
Now that you know all the Slack GDPR basics, you’re probably wondering how to form an effective plan. Being compliant with Slack GDPR basically boils down to two things: finding and/or deleting personal data, and showing a record of what you’ve done with that data.
Therefore, we recommend implementing a system to help you preserve, archive, and search your organization’s Slack data. To retrieve the most defensible data possible, this system will need to integrate directly with the Slack APIs used for compliance and eDiscovery. Lucky for you, technologies like Onna can help.
And there you have it! Everything you need to know about Slack GDPR. As data privacy laws continue to evolve, we hope our tips help you manage your organization’s data in a proactive way.