The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018.
The regulations are aimed at harmonising the different privacy and data protection laws present within different member states of the European Economic Area (EEA). They also provide more rights for individuals in relation to their ability to access and control personal data that you collect and store about them.
The GDPR applies to all businesses processing personal data of people within the EEA, even if your business is located outside of the EEA. It will become law in the United Kingdom before its withdrawal from the European Union, and so still applies to businesses within the UK.
The European Union has published information about The GDPR on a website available at https://www.eugdpr.org.
Our platform will be compliant when The GDPR takes effect on the 25th May 2018.
We advise all our users to be “GDPR Ready” in time for the regulation’s implementation.
The guidance listed below should not be taken to constitute legal advice. You should consult a legal professional to find out how, and to what extent, The GDPR will apply to your business.
Consent from your customers for you to collect and process their data
Under The GDPR you may need to obtain consent to process the personal data of your customers. Or, if already obtaining consent, you may need to change how you currently obtain that consent.
The GDPR says that consent must be given freely and specifically for the purposes for which you intend to process the data provided.
Consent must be informed and unambiguous.
For example, if you use retargeting apps or techniques to attract customers back to your website, you may need to consider what data about customers you process as part of this retargeting process and whether you need to obtain a greater degree of consent from your customers in order to use their data when doing so.
For the processing of data to be lawful under The GDPR you need to identify a lawful basis for doing so.
The storage of your customers’ data
As a user of our platform, you will use our services to collect and store data about your customers and website visitors.
All information we store and process on your behalf, about your customers, is held on servers hosted with Amazon Web Services (AWS). We do not store data on any devices, internal databases or networks outside of AWS.
The security of your customers’ data
All data stored on our platform is encrypted whilst ‘at rest’ and ‘in flight’, i.e. when stored on our servers the data is encrypted, and we use encryption when allowing you to access the data through your account or when downloading information to your computer (e.g. a download of customers).
Any data processed by our platform is processed in a manner which ensures its security.
Access by our team is restricted on a ‘need to know’ basis, and all access is logged by our internal systems.
Because data is not stored on networks or devices outside of AWS, our exposure to accidental loss, destruction or damage or unauthorised or unlawful processing is limited.
Any data transferred between devices in the network is transferred in an encrypted state.
The transfer of data outside of the EEA
At the present time, no data is transferred by our systems outside of the EEA except where you use a device located outside of the EEA to access that data.
Breaches of your customers’ data
The GDPR introduces a duty on all organisations to report certain types of data breaches to the relevant supervisory authority.
In certain circumstances, the organisation will also have a duty to report the breach to the individual(s) affected.
A breach is more than just the loss of data; it also includes destruction, alteration, unauthorised access or disclosure of personal data.
If there is a breach of personal data on our platform we will notify the relevant regulatory authority within the regulatory requirement of 72 hours after we first become aware of it.
If the data of your customers is, or might have been, affected, we will notify you within 48 hours. The GDPR will likely also place a legal requirement on you to report the breach. We will provide you with the necessary details in order for you to report the breach within your own 72-hour time limit.
The GDPR allows for organisations to provide information to the supervisory authority in stages, where necessary (a full investigation of the breach can take some time). As we make our own updates we will notify you.
You should familiarise yourself with these requirements now and implement a process for dealing with a data breach that originates from our platform and also your other systems on which you store or process personal data.
Appointing a Data Protection Officer (DPO)
A DPO should be appointed to oversee how your organisation collects and processes personal data. The GDPR introduces specific tasks that a DPO is responsible for, including conducting data protection impact assessments when your organisation changes how it collects and processes personal data.
You should consider whether it’s appropriate to appoint a DPO to advise you on your compliance with the GDPR.
If you are preparing your own documentation in relation to compliance with the GDPR and require our assistance in relation to the storage and processing of your customers’ data on our platform, please contact us.
Please Note: Our team are not able to complete documentation on your behalf, or complete questionnaires about data storage and processing. If you have a question about how your compliance with the GDPR is impacted by your use of our platform it must, for legal reasons, be submitted in writing.
Unfortunately, at the present time, we’re not able to answer questions about GDPR compliance over the phone.
Data we hold about you, as our customer
As our customer, we also store and process data about you.
As well as storing and processing this data on our platform, on AWS, we also store and process this data on our own internal devices and networks. Data we hold about you is encrypted whilst being stored and whilst in transit between devices.
Access to data we hold about you is restricted on a need to know basis.
More about GDPR and our platform