GDPR, CCPA, PIPEDA-- so many data protection and privacy regulations, how do you keep up? Even if your organization is based outside of the EU, California, or Canada, you should ensure you are in compliance when all visitors come to your site.
About GDPR Compliance
GDPR, or the General Data Protection Regulation, is a set of rules and regulations that established certain new protections for the personal data of EU residents and new responsibilities for keepers of such data.
Note: Due to GDPR restrictions, Feathr cannot run Geofencing or Historical Geofencing campaigns to locations or devices within the EU.
Even if your audience is not primarily from the EU, GDPR is a good future-proofing protocol. Here is the process to follow in order to achieve data regulation compliance while using Feathr.
- Data Protection Addendum: sign a standard Data Protection Addendum (DPA) that establishes a legal basis and requirement for Feathr's compliance as a Data Processor under GDPR. Feathr's DPA is available to view, download, and sign here.
- Ensure consent management: GDPR requires that you make sincere effort to gather explicit consent for the data you collect and each enumerated use of those data. For web-tracking this is now done with the use of a Consent Management Platform (CMP). Verify that your CMP is compliant with the IAB Technical Specifications for GDPR Transparency and Consent Frameworks.
- GDPR Individual Data Rights: GDPR requires that you provide your data subjects (website visitors, users, etc.) the ability to view and manage the data that you store for them. See https://www.feathr.co/privacy-policy for information about how your data subjects access their GDPR data rights in collaboration with Feathr.
In addition to the steps outlined above, here are some things you can do to in order to ensure compliance with GDPR, particularly within the context of your usage of Feathr.
- Use GDPR principles as a guide for all your data handling. There’s no need to treat EU and US (and other countries’) residents differently, as it will become an unsustainable headache. GDPR is an excellent guideline to determine best practices and future-proof data services.
- Perform an audit of all your data partners. That’s any processor, vendor, platform, or tech partner you use that holds or has access to your user data. These partners, like we do at Feathr, should be taking on the majority of the GDPR compliance burden. The first and most important step to take with your data partners is to document your intent to comply with GDPR. Draft a contract or an addendum to an existing contract that explicitly communicates a commitment to comply with GDPR. Note: we are not lawyers and this is not legal advice. Please review any steps listed in this article with your organization’s counsel.
- Have an access plan. Document a plan for or with each data partner for how you (or they) will respond to new subject access requests enacted by GDPR. The new data rights (listed in the ICO link above) require organizations to respond to certain requests, and you need a plan in place for each.
- Know where to direct data subjects. Each data partner should have a process and web-based location where data subjects can go to submit requests. Usually a web page or a portal, you and your data partners must be able to provide request opportunities for every user. Speak to your data partners individually about how and where they handle such requests.
- Gather explicit consent. To remove uncertainty, add checkboxes to any forms with which your users interact that permits explicit agreement with data regulations, or “opt-ins.” An example of this would be a checkbox at the bottom of an event registration form that reads “I understand and agree that a meeting planner will have my contact details for the purpose of planning meetings (such hotels accommodations, transportation, activities, etc.). Please note that if this box is not checked, then we are unable to secure your logistics for attendance at the meeting.”
- Perform an audit of all your email lists. To be sure you are in compliance with data protection laws, only use lists of email addresses that have actively consented to receive email from your organization. Failing to do so can cause high bounce rates and may result in having email marketing campaign privileges revoked.
- Update your privacy policies. Be clear about what data you're collecting, why you ask for it, and what you do with it. Notify your users of updated privacy policies through email, website popups, or whatever means is most efficient for your business.
- Assign a Data Protection Officer. In almost all cases this will be a role that is required to be identified in your organization. Thankfully, the person in this role doesn’t need to be an international data privacy lawyer or a network security expert. It just needs to be someone who can manage the documentation and process around data requests and follow up on some finer points.
- Consider self-certifying under EU-US Privacy Shield. This is important if your organization directly stores and transacts data, has a custom-built data platform, or an on-site deployed AMS, email system, or database. For more information, check out the Privacy Shield website here: https://www.privacyshield.gov/PrivacyShield/ApplyNow. It will substantially simplify the legal basis and ability you have to transfer EU data out of the EU.