What is the GDPR?

The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

The full text of the GDPR can be found here.

What is the difference between a data processor and a data controller?

According to Article 4 of the EU GDPR, different roles are identified as indicated below:

  • Controller (vNative’s Clients) – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor ( vNative ) – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Our Commitment toward GDPR

We are fully committed to upholding the privacy and rights of our customers and their customers. The essence of the GDPR is in direct alignment with our core values of customer trust and data privacy. With that in mind, we are actively working toward defining our roadmap for GDPR to overhaul our systems and processes in accordance with the standards. We are committed to achieving GDPR compliance well before the May 25, 2018 deadline.

Collection of Personal Data

We enable our users at the account level to opt-in for real-time IP masking and unique Device ID blanking for all EU countries.

  • IP Masking (hide the last octet of the IP with ZERO ) within the platform to include all EU countries.
  • Device ID Masking will replace the last two digit as ZERO of any incoming values from these macros.

Data Collection and Retention Policies:

With data minimization principles in mind, we’ve made the following changes:

  • IP addresses and the Device IDs will have a default 90-days rolling retention.
  • All log-level reporting will have a 6-month rolling retention period.
  • Note: these retention window changes will only impact the Conversion Report and Click Logs. All Stats Report queries will still be available beyond these retention windows, though Affiliate Sub Id’s p1-p10 or Source stats queries are available for 18 months.

A deletion policy, record of processing activities.

All these are required by articles 17, 30 and art. 32 para. 4 GDPR. This includes, for example, measures like:

  • Physical access control – Our physical data centers are secure. Security measures include having security officers onsite, monitoring and alarm systems, video/CCTV monitors and much more. No person, not even a member of vNative, has self-determined access to the servers.
  • Data access, usage and transmission controls – Tools in place to protect unauthorized access, usage or transmission of data.
  • Separation rule – To keep data private and secure we ensure that any information collected for different purposes is separate during processing. This extends to test systems and production systems as well.
  • Pseudonymization – any data is hashed as early as possible. The processing of personal data happens in a way that the data can no longer be assigned to a specific data subject without additional information being provided.
  • Availability control and rapid recoverability – frequent backups protect all stored data against loss. vNative creates continuous backups, which are also transferred to a remote site. With this, vNative can restore data if lost.
  • Incident response management – if data is lost we inform those affected immediately.

How can you Prepare for GDPR Today?

Below are six steps you can take to prepare your team and your company for the GDPR deadline.

1) Create Awareness

 Get management buy-in and create awareness. Make sure all necessary stakeholders are involved in ensuring your organization is ready and knowledgeable about its GDPR obligations.

2) Run a Data Audit

You need to figure out what personal data you already hold in the databases- how you collect, use, and store personal data. Update your external notices to end users and partners on how you will use their data.

3) Develop the Consent Management 

You need to explain your users very clearly why you are collecting their information, how it will be used and ideally, how long you’ll keep their data for.  If you’re sharing their details with sponsors and exhibitors, then you need to name those organizations.

4) Get to Know Your User’s Rights

Don’t forget that GDPR is all about giving individuals more control over the use of their personal information. Check all the rights here.

5) Prepare for a Data Breach 

This is really key because it is essentially what can get your organization into a lot of trouble if it’s not complying with GDPR. GDPR requires all organisations to report data breaches to the ICO or other such authority if it’s likely to result in a risk to the rights and freedom of individuals

6) Keep the Data Safe. 

GDPR definitely puts security more front of mind when it comes to your event data. You’ll need to show that you’re doing your best to protect the personal information of individuals to minimize the chances of it getting into the wrong hands.

We offer Data Processing Agreements for all vNative clients and partners that process personal data in the EU, available here. We updated our Terms and Conditions and Privacy Policy as well.