GDPR and how it impacts your RichRelevance Implementation
This page is intended as a helpful overview of GDPR and the key changes being introduced, as well as the steps needed to comply. This is by no means a complete or detailed review of what companies are required to do. For more information on how RichRelevance, as a data processor, can help customers comply with GDPR please contact your account manager.
What is GDPR and why does it matter?
The EU General Data Protection Regulation is a Europe-wide set of data protection laws designed to harmonize data privacy practice across Europe, where the previous rules had been adopted inconsistently. While the regulations apply directly to companies located in the EU, their mandate extends to all that do business in the EU or have customers with EU citizenship, and so they could potentially impact any company with an online presence. The emphasis is on protecting citizens and their data and giving users more information about, and control over, how it is used. The new regulations are scheduled to take effect May 25, 2018.
Why is it necessary?
The widespread use of the internet, technological advances in cloud storage and the advent of social media have changed the way data is processed and transferred. This means the previous rules not only needed to be updated, but also needed to be uniform across Europe and applied more rigorously.
Who does it affect?
Any person or entity located in the EU, or doing business with a citizen of the EU, that collects, stores or processes personal data needs to comply with GDPR. (There is some question over the UK after Brexit, but it is highly likely the legislation will be similar to GDPR.) There are two distinct entities who need to comply with GDPR regulations:
- Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data
- Data Processor: the entity that processes data on behalf of the Data Controller
What is considered personal data?
Personal data is defined as anything that can be used to directly or indirectly identify the person – for example names, photos, email addresses, bank details, social posts, medical information or IP addresses.
Key changes brought in by GDPR
Nominated Owner (Data Protection Officer)
A director within the data controller or data processor needs to be appointed to be accountable for data protection. This person has to be suitably competent to handle the technicalities involved. It is worth considering where the accountability should fall: with IT, legal, marketing or elsewhere.
Explicit opt in
When collecting personal data, data controllers need to ensure that each individual explicitly consents with an affirmative action (NOT an opt out) and that a record of how, when, and where the consent was given is retained.
Right to be forgotten
Under the new regulations, a user has the right to be forgotten. They can request that all the data which is held on them is permanently deleted or anonymized if deletion is not possible.
The onus is on companies to use plain language to explain what data is being held, how long it is being held for and how a user is able to withdraw their consent.
As people become more aware of their data privacy rights, there is likely to be an increased number of queries on the data being held on them, which companies will need to respond to without delay.
Data controllers need to be able to tell a person what data is held on them, what it is used for (and why), how it was obtained and for how long it will be kept. GDPR also requires companies to provide notice to website visitors regarding (among other things) the use of tracking technologies.
- Appoint a responsible director for data protection.
- Ensure all service providers used to process data comply with GDPR standards.
- Ensure customers, clients or website users have explicitly consented to their data being stored. Records need to prove that users have actively agreed to their data being stored; failing to object is not enough.
- Have the capacity to permanently erase (or anonymize) a user from records on request.
- Check the terminology of privacy documentation to ensure it is using understandable language.
- Update notices to website visitors to include information on the use of tracking technologies, the use of third-party service providers with whom their data may be shared, how to opt out of such data processing and the consequences of doing so.
RichRelevance, GDPR Compliant by Design
GDPR encourages businesses to use anonymization technology when possible to avoid the processing of personal data. In providing its services, RichRelevance uses an anonymous identifier that does not store shoppers’ personally identifiable information (PII). This identifier isn’t connected to an individual’s personal data, and so would not typically be considered personal data under the definition provided in the GDPR.
In the normal course of operation, RichRelevance has no ability to connect such identifiers back to any of the personal data held by our customer about that individual shopper. Thus, when our customers transmit a website visitor’s anonymous identifier to the RichRelevance personalization service, they do so in a manner that prevents RichRelevance from having any ability to know who the user is.
As a Data Processor, RichRelevance is required to process data in strict accordance with the instructions provided by the Data Controller, our customer. Our use of the data is strictly limited, and our role is to act only as directed by the Controller and to assist the Controller in executing their responsibilities under the GDPR, including producing data when requested. RichRelevance is committed to assisting our customers in addressing access requests and will work to locate, whenever possible, all data necessary to honor the rights of data subjects in a timely fashion.
GDPR requires that all personal information be processed with appropriate security. As noted above, while RichRelevance doesn’t typically process or hold personal data for our customers, we of course still operate state-of-the-art data centre facilities with stringent access controls and monitoring, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.