The European Union’s General Data Protection Regulation (GDPR) is slated to go into effect starting on May 25, 2018. This new regulation builds on previous EU efforts to strengthen the security and protection of the personal data of EU residents, and is billed as the “the most important change in data privacy regulation in 20 years”. If you are a EU based business, or even a global business with consumer footprint in the EU, you need to take steps to be compliant with the new regulation.
Blueshift is committed to being ready for the GDPR well before the May 25th timeline. This is a continuation of our previous and current efforts to handle EU data in a way that complies with the current regulations (including our participation in the Privacy Shield Framework).
Not only will Blueshift be ready for GDPR, we are also making tools available for you to comply with GDPR. Specifically, we will support our customers in two ways:
- We will provide an updated Data Processing Agreement (DPA) that reflects the requirements of the GDPR and ensures compliant data transfer with storage outside the EU
- We will offer new product capabilities to help you be compliant when your end-customers plan to exercise their rights around accessing the data and to be “forgotten”.
Compared to previous regulations, GDPR imposes more stringent requirements on businesses. For instance, under GDPR, end-customers (“data subjects”) have the following rights:
- Right to Access: Provide end-customers (“data subjects”) the right to review & correct their data.
- Right to be forgotten: Enable customers the ability to request your business to erase all (or some) of their data.
- Data Portability: Enable customers to take their own data elsewhere, by providing a copy in a commonly used and machine readable format.
A more detailed list of rights can be found here.
GDPR imposes a set of requirements on Data Controllers (i.e. entities that track or monitor EU residents and decide why and how data is collected and processed), as well as on Data Processors (entities that process data on behalf of Data Controllers).
Failure to meet the requirements can result in penalties of up to 4% of annual global turnover or €20 Million (whichever is greater). Further, the regulations apply to all companies processing the personal data of EU subjects, regardless of the company’s location.
How We Plan to be GDPR Compliant
As our customer, you are likely to be a Data Controller, and one of your requirements is to only work with compliant Data Processors.
We plan to be compliant with GDPR by taking the following measures:
- Updated Data Processing Agreement (DPA): We plan to roll out an updated DPA for our customers, reflecting the additional requirements of GDPR
- Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted if certain safeguards are in place. Our new DPA contains the EU Model Clauses, which are industry standard for data safety. This means that Blueshift agrees to protect any data originating from the EEA in line with European data protection standards.
- Technical and organizational security measures: Blueshift takes a holistic approach to security, including measures built into our product as well as organizational measures. Some of the measures we take include securing your data in transit and at rest, restricting and securing data access, providing continuous incident monitoring, performing regular vulnerability testing, and conducting regular security training. We also participate in Truste’s Privacy Certification Program.
- Processing the data in accordance with Data Controller instructions: As has always been the case, we only process personal data according to instructions from the controller (our customers).
- Prompt breach notifications: In line with our current policies, Blueshift will promptly inform you of any incidents involving your users’ personal data.
Helping you achieve compliance
In addition to ensuring that Blueshift is compliant with GDPR, we are also rolling out new capabilities that help you achieve compliance as a Data Controller. Some of the rights available to EU Residents as Data Subjects are hard for Data Controllers to manage, due to the limitations of certain systems. Specifically, it is hard for most businesses to implement processes that ensure the right to erasure (the right to be forgotten), the right to object, and the right to restrict processing.
Our customers use Blueshift to unify their customer data (along with deriving customer insights on the data, and finally activating the data and insights through cross-channel campaigns). Because of this, we are in a unique position to help you achieve compliance with GDPR.
We plan to roll out the following enhancement in our product before May 25 that are geared towards helping you a Data Controller:
- Deletion and automatic suppression: We are adding a /delete endpoint to our existing user API. Issuing this call for a given userId ensures that all personal data related to the userId is deleted from the index of customer data that Blueshift maintains for you, and any future data related to the userId is also suppressed from the index. As a result, the data will not make its way to any marketing action in Blueshift.
- CSV Export of End-Customer Data: You can use the segment export functionality in Blueshift to download user data in CSV format. Under the GDPR, EU residents have a right to access their personal data and are entitled to obtain their personal data in a commonly used format, such as a CSV file.
- Update (Rectify) End-Customer Data using API or CSV: The GDPR also empowers individuals to correct any personal data that is deemed inaccurate or incomplete. You can rectify user data in 2 ways:
Regulations like GDPR are an important step in making sure that businesses treat customers with respect. GDPR’s guidelines around consent will force every brand to start valuing first party customer data, where the customer has explicitly opted in not only to the collection of the data, but also to the use of the data in marketing. Respectful use of customer data will be critical to delivering delightful brand experiences, and building trust with consumers.