October 10, 2018
GDPR. It’s one of the hottest terms in the marketing world today, and for good reason. The acronym, which stands for General Data Protection Regulation, is one of the biggest changes to data privacy laws in over a decade.
Approved by the EU Parliament on April 14, 2016, the GDPR goes into force on May 25, 2018. Compared to earlier legislation, GDPR penalties are much stronger, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for each violation.
Even if a business isn't located within the European Union, the GDPR applies as long as the company processes the personal data of people in the EU. Information collected before May 25, 2018 is not exempt: if it relates to an EU data subject, it must be handled as though the GDPR were already in effect.
While this regulation is a big topic and can be intimidating, especially if you’re just now thinking about how to respond to the regulations, understanding the basics can go a long way. While Kahuna can’t provide legal advice to our customers, or to anyone else, we can provide you with a high level overview of what to consider with GDPR compliance and how we’re helping clients comply with the law.
Kahuna, trusted by brands such as Carousell, Mudah, Mint, Skyscanner, and many others to orchestrate personalized messaging, has taken a number of steps to comply with laws in the ever-changing data privacy landscape.
From day one, Kahuna has made security a top priority in our software development processes. We're proud to say that we've maintained compliance with numerous data protection regulations and security standards through a variety of measures, such as conducting third-party penetration tests, undergoing SOC 2 audits, and partnering with our clients to understand the challenges they face regarding GDPR.
In addition to our ongoing research on GDPR, we’re working with an external security and compliance vendor to aid us in ongoing compliance with the laws and regulations. Rest assured, Kahuna will be compliant with GDPR when the regulation goes into effect on May 25, 2018.
That being said, security and privacy protections are always ongoing. As part of our commitment to being good stewards of our clients' data, we aim to take a proactive stance on these regulations through ongoing learning and training throughout our organization.
As with most laws and regulations, GDPR brings about a whole new vernacular and terminology that can be difficult to pick up. Below is a high-level overview of the core terminology that applies to most companies.
Under GDPR, the three key stakeholders are the data subject (the person the data is about), the data controller (the organization that decides why and how personal data is processed), and the data processor (an organization that processes personal data on the controller's behalf).
The GDPR requires some companies to appoint a Data Protection Officer (DPO) to advise on the organization's data protection obligations and to monitor its compliance with the regulation. The DPO can be an employee or an external consultant.
Under GDPR, the definition of "personal data" goes beyond what used to be known as "personally identifiable information" (PII), such as name, address, and phone number. Under the new regulation, any information that can identify a person in the EU, directly or indirectly, is considered personal data.
For example, less obvious data such as location information, IP addresses, online identifiers, and even biometric data all fall under the new definition.
While Kahuna doesn't require sensitive data to deliver our services, our analytics systems use pseudonymous unique identifiers to provide accurate analytics data. Because such identifiers can single out an individual, this information is considered "personal data" under GDPR, and as such we are working to update our systems to support GDPR-related requests our customers might have.
GDPR does not prohibit collecting particular kinds of personal data outright, but it does impose extra conditions on special categories of data (for example health, biometric, and genetic data), and data relating to criminal convictions and offences may only be processed under the control of official authority or where national law authorizes it.
Rather, GDPR requires organizations to show that they have implemented "data protection by design and by default," meaning that protections for personal data are built into systems and processes across the entire organization.
Under GDPR, brands need to show that their processing of personal data rests on one of six lawful bases: consent, performance of a contract, a legal obligation, protection of vital interests, a task carried out in the public interest, or legitimate interests.
In the case of a data breach, data controllers are required to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; affected data subjects must also be notified without undue delay when the breach is likely to result in a high risk to them. Data processors such as Kahuna are required to notify the data controller without undue delay after becoming aware of a breach.
GDPR gives data subjects new rights over their personal data, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. While Kahuna is responsible for processing user information on behalf of clients, much of the burden of compliance lies with the data controller.
In addition to conducting our own internal research, Kahuna is working with an external security and compliance firm to ensure organization-wide compliance on or before May 25, 2018.
As Kahuna’s APIs are not visible to the data subject, it is up to the data controllers to obtain consent.
Under GDPR definitions, clients of Kahuna are data controllers and Kahuna is a data processor. As such, Kahuna will follow the instructions of clients when it comes to processing personal data. Kahuna offers a collection of APIs to help clients streamline compliance with GDPR requirements.
Kahuna does not store client data in the EU.
Kahuna already has stringent policies in place to ensure that personal information is kept on a need-to-know basis. The only employees who have access to personal data are those who need it to support the platform's operations, to comply with applicable regulations, or to carry out client instructions.
If you have any questions about Kahuna’s compliance with GDPR, please reach out to your Account Manager or contact us at firstname.lastname@example.org.