UPDATE: Our GDPR solution, AddShoppers Vault™, is live! Read more here.
At AddShoppers, we're advocates of consumer data privacy and take it seriously. Allowing end users to know what's being collected, why, and giving data ownership back to them if they so desire is vital to the health of the 'madtech' ecosystem long term. GDPR is the result of the "free internet" as we know it today. Consumers have realized that if the product is free -- they're the product -- and they're not happy about it. Below we'll break down what this means for marketers and how AddShoppers will be updated to make this regulation effortless for our clients.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the 1995 Data Protection Directive (Directive 95/46/EC).
It was adopted on 27 April 2016. It becomes enforceable from 25 May 2018, after a two-year transition period.
What does the GDPR require?
Data Storage - All PII information will be stored in separate collections/tables and linked together via a unique user key, this key can be revoked and all PII associated with that key will be replaced or erased.
Logging - Logs that may contain PII information will be split into two logs -- one with full request including PII info and another with PII info stripped.
Regional Restriction - Via GeoIP, if a site would like to avoid any PII collection from European countries this will be available as a per site setting. The site owner or admin will be able to flag if they don’t want to collect any PII information for European sites and PII info that tries to come through the system from a European IP will be automatically flagged and discarded.
Right to Halt Data Processing - Similar to the regional restrictions, we will flag a user/key instead of the site and if a user/key has the halt flag on them we will throw away PII before it hits database storage.
Right to Access - We will send a confirmation email to the email associated with the request to confirm the user’s identity. Once confirmed, we will email them another one time use link that will allow them to view their personal data we have stored on our platform.
Data Portability - Similar to Right to Access, after a user is confirmed as the requesting user we will setup a portal for them to control all of their data. The GDPR document states that where technologically feasible the user has the right to transfer their data to another system or service. We will provide a data dump in the form of a .csv that the user can do with as they wish.
Right to be Forgotten - Similar to Right to Access, we will send a confirmation email to the user making the request and once confirmed they will get a link that has a multi-step confirmation process for deleting their data. We will review all of these requests and revoke their key / wipe their PII within 48 hours.
Right to be Informed - We will provide a portal for clients to add to their site which will detail the types of PII that may be collected and what it will be used for. We will also provide APIs into our data for third-party privacy management centers such as Evidon and OneTrust.
Breach Notification - Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
What else will GDPR include?
Only show “Data Preferences bar” to EU IPs
1 click unsubscribe
Logging of when consent was given and where
Logging of number of network opt-ins / opt-outs
You may have to repermission emails in Europe: https://litmus.com/blog/5-things-you-must-know-about-email-consent-under-gdpr
Emails regarding data will be sent from: firstname.lastname@example.org
APIs will be made available in case client has their own GDPR center to plug in our data.
Data Export is only for ‘self reported’ PII, not behavioral.
AddShoppers GDPR compliance for Controllers will launch ahead of the May 25, 2018 deadline. Below is a mockup of how the consumer landing page will look: