Compliance with GDPR: How Kahuna Simplifies the Process

By: James Sprinkle | April 2, 2018 | Kahuna

GDPR. It’s one of the hottest terms in the marketing world today, and for good reason. The acronym, which stands for General Data Protection Regulation, is one of the biggest changes to data privacy laws in over a decade.

Approved by the EU Parliament on April 14, 2016, the GDPR goes into force on May 25, 2018. Compared to other legislation, GDPR penalties are much stronger, with fines of up to €20 million or 4% of global annual turnover (whichever is greater) for each violation.
 
Even if a business isn’t located within the European Union, the GDPR applies as long as a company is processing the personal data of EU residents. In fact, even information collected before May 25, 2018, if it involves information from an EU citizen, needs to be treated as if GDPR were in effect.
 
While this regulation is a big topic and can be intimidating, especially if you’re just now thinking about how to respond to the regulations, understanding the basics can go a long way. While Kahuna can’t provide legal advice to our customers, or to anyone else, we can provide you with a high-level overview of what to consider with GDPR compliance and how we’re helping clients comply with the law.
 

Kahuna’s take on GDPR

Kahuna, trusted by brands such as Carousell, Mudah, Mint, Skyscanner, and numerous others to orchestrate personalized messaging, has taken numerous steps to comply with laws in the ever-changing data privacy landscape.
 
From day one, Kahuna has made security a top priority in our software development processes. We’re proud to say that we’ve maintained compliance with numerous data protection regulations and security standards, through a variety of techniques such as conducting third-party penetration tests, undergoing SOC II audits, and partnering with our clients to understand the challenges they face regarding GDPR.
 
In addition to our ongoing research on GDPR, we’re working with an external security and compliance vendor to aid us in ongoing compliance with the laws and regulations. Rest assured, Kahuna will be compliant with GDPR when the regulation goes into effect on May 25, 2018.
 
That being said, security and privacy protections are always ongoing. As part of our commitment to being good stewards of our clients’ data, we aim to take a proactive stance on these regulations, through ongoing learning and training throughout our organization.
 

GDPR terminology and definitions

As with most laws and regulations, GDPR brings about a whole new vernacular and terminology that can be difficult to pick up. Below is a high-level overview of the core terminology that applies to most companies.
 

Who are the stakeholders?

Under GDPR, the 3 key stakeholders involved with the law include:

  • Data subjects: The users of an app are data subjects
  • Data controllers: Companies which have an app or website are data controllers
  • Data processors: If you have Kahuna’s SDK installed within your application, then Kahuna is a processor of your customer data

 

What is a data protection officer?

The GDPR requires some companies to appoint a Data Protection Officer (DPO) to oversee guidance regarding the organization’s data protection needs, and to ensure the organization is compliant with the regulation. The DPO can be an employee or external consultant.
 

A new definition of personal information

Under GDPR, the definition of “personal information” goes beyond what used to be known as “personally identifiable information” (PII): name, address, phone number, etc. Under the new regulations, any piece of information that can be used to identify an EU citizen, be it directly or indirectly, is considered personal data.
 
For example, a person’s ambiguous data such as location information, IP addresses, and even biometric data all fall under the new definition of PII.
 
While Kahuna doesn’t require sensitive data to deliver our services, our analytics systems use arbitrary unique identifiers to provide accurate analytics data. Technically, this information can be considered “personal data,” and as such we are working to update our systems to support GDPR-related requests our customers might have.
 

GDPR Tactical Must-Knows

Are there limits on the types of information that can be collected?

GDPR doesn’t really place specific limitations on the kinds of personal data that an organization can collect. There are special rules around data related to criminal convictions, but that information can only be possessed by national authorities.
 
Rather, GDPR mandates that organizations show that they’ve implemented what is known as “data protection by design and default,” which indicates protections for personal data are built into the entire organization.
 

When can your organization process personal data?

Under GDPR, brands need to show that their information processing falls under one of 6 approved lawful bases:

  • Consent: An individual has given informed and explicit consent for their information to be processed. This consent must be obtained using clear and straightforward language.
  • Contract: Organizations can process an individual’s personal information if it is required to meet the duties of a contract.
  • Legal obligation: Organizations can process personal data in order to comply with applicable laws.
  • Vital interests: Where applicable, companies are allowed to possess personal information.
  • Public interest: It’s okay to process personal information if processing is in the interest of the general public.
  • Legitimate interests: Organizations can possess personal data if it is part of a legitimate business interest.

What happens if a data breach occurs?

 
In the case of a data breach, data controllers are required to notify the applicable regulatory body and data subjects as soon as possible, or within 72 hours of first learning of a breach. Data processors such as Kahuna are required to notify data controllers after becoming aware of a data breach.
 

Rights provided by GDPR

GDPR gives citizens a few new rights over their personal data. While Kahuna is responsible for processing user information, much of the burden of compliance lies on the data controller.

  • Right to be informed: This right requires the data controller to disclose what data is being collected and for what purpose. This information needs to be accessible and easy to read.
  • Right to erasure and right to object: End users have the right to request that their data be deleted and no longer processed. Kahuna provides a flexible User Delete API for our customers to integrate into their processes in several ways.
  • Right of access and portability: GDPR provides end users with the right to access and export their personal information. With Kahuna, you can do this with a User Profile API, which lets our customers request an individual data subject’s profile, campaign, and behavior information.
  • Right to rectification: If an end user finds that their personal information is inaccurate or incomplete, GDPR requires companies to provide a way to correct the inaccuracy. Kahuna enables you to fulfill this right with the Event and Attribute APIs.

Kahuna and GDPR: The Facts

When will Kahuna be GDPR compliant?

In addition to conducting our own internal research, Kahuna is working with an external security and compliance firm to ensure organization-wide compliance with the stringent regulations on or before May 25, 2018.
 

Can clients use Kahuna to obtain the consent required for processing data under GDPR?

As Kahuna’s APIs are not visible to the data subject, it is up to the data controllers to obtain consent.
 

Is Kahuna a data processor or controller?

Under GDPR definitions, clients of Kahuna are controllers and Kahuna is a data processor. As such Kahuna will follow the instructions of clients when it comes to processing personal data. As mentioned earlier, Kahuna offers a collection of APIs to help streamline compliance with GDPR regulations.
 

Does Kahuna store data in the EU?

Kahuna does not store client data in the EU.
 

Will Kahuna be making updates to internal policies to keep personal data from employees who don’t require it for their roles?

Kahuna already has stringent policies in place to ensure that personal information is kept on a need-to-know basis. The only employees who have access to personal data are ones who need it to support the platform’s operations or comply with applicable regulations, or who are directed by clients.
 
If you have any questions about Kahuna’s compliance with GDPR, please reach out to your Account Manager or contact us at info@kahuna.com.


Author: James Sprinkle

James Sprinkle is Head of Engineering at Kahuna. Prior to Kahuna, he served in various engineering and IT roles at other Silicon Valley companies like Adaptive Intelligence, Yahoo!, and IBM. James received his B.S. in Computer Science and Engineering from UC Davis.

Fun fact:

James is Kahuna’s first and longest termed employee!
