Overview of GDPR and DoubleDutch
The European Union will enforce the General Data Protection Regulation (GDPR) starting on May 25, 2018 to strengthen the security and privacy of the personal data of E.U. residents. We have been hard at work over the last year building tools and creating processes in accordance with the GDPR. Below we explain our initiatives and methods to ensure compliance with the GDPR for ourselves and for our customers.
- Our Commitment to Privacy and Security
- What Does GDPR Mean for You?
- Data Portability and Management Tools
- International Data Transfers
- Other Resources
1. Our Commitment to Privacy and Security
We’re working across all regions to ensure DoubleDutch’s products and contractual commitments are aligned with the GDPR so customers can prepare themselves before May 25, 2018. Measures include – but are not limited to – the following:
• Continued investment in security infrastructure
• Updated contractual terms in place
• Continued support of international data transfers by maintaining our Privacy Shield certification and by executing Standard Contractual Clauses through our updated Data Processing Addendum
• Product offerings that include processes for data portability and data management
2. What Does GDPR Mean for You?
The Data Controller
GDPR Definition: The term “data controller” means a person or entity that (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.
What does it mean?
The Data Controller is you – the DoubleDutch customer or the event organizer. Whether you are a corporation, an event organizer, an association, etc., you own the data and bear the responsibility for your customers’ data, regardless of the technology you use to handle it.
The Data Processor
GDPR Definition: The term “data processor”, in relation to personal data, means any person (other than an employee of the data controller) or entity that processes personal data on behalf of the data controller.
“Processing”, in relation to information or data, means obtaining, recording or holding the information or data, or carrying out any operation or set of operations on the information or data, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
What does it mean?
The data processor is DoubleDutch. While both parties must align on compliance, the burden of compliance rests with the controller. To manage this burden, the data controller is responsible for establishing procedures with its data processor to ensure compliance.
The role of the processor is to assist the controller in this regard, as a controller will often have a GDPR compliance process that involves multiple data processors.
3. Data Portability and Management Tools
To comply with the GDPR requirements pertaining to personally identifiable information (PII) redaction and removal, DoubleDutch has developed processes and internal tooling to accommodate requests.
All GDPR customer requests will be executed within 30 days of receipt. If the individual requests that their data be purged and that data was also shared with third parties (e.g. exhibitors), then those companies will also be notified of the deletion request.
Steps to take for redaction requests:
- A ticket is logged, which triggers a confirmation email to the user, at the email address on file, to verify their identity.
- The user is asked to confirm their identity and specify their privacy request. User requests can be for one or more of the following:
• Record of PII collected
• Correction of PII
• PII deletion
• How PII is being used
Beginning May 25, 2018, event PII data will be purged 60 days after the event end date (in the future, we will allow organizers to set their own retention period, up to a maximum of 18 months).
• One week prior to the purge, an email will be sent to the event organizer informing them that the data will be removed.
• Organizer data (including login credentials) will not be purged to allow them to continue to access the Content Management System (CMS).
• PII will be purged, but not event data – organizers will still be able to duplicate events in the CMS and access reporting (but with PII redacted).
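The purge schedule above, as an added example that is not DoubleDutch’s own code: a daily retention job that notifies the organizer one week before the purge, redacts attendee PII on the purge date while keeping organizer credentials and event content intact, and clamps an organizer-chosen retention window to the 18-month maximum. The attendee field names, the day count used for 18 months and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Parameters from the policy above; the 18-month cap is approximated in days.
PURGE_AFTER = timedelta(days=60)         # PII purged 60 days after the event end date
NOTICE_BEFORE = timedelta(days=7)        # organizer e-mailed one week before the purge
MAX_RETENTION = timedelta(days=548)      # assumption: ~18 months, the stated maximum
PII_FIELDS = ("name", "email", "phone")  # assumption: attendee fields treated as PII

@dataclass
class Event:
    event_id: str
    end_date: date
    organizer: dict      # login credentials; never purged so CMS access continues
    attendees: list      # dicts mixing PII with reporting fields such as check-in
    sessions: list       # event content; kept so the event can still be duplicated
    retention: timedelta = PURGE_AFTER  # organizer-set window, capped in purge_date
    notified: bool = False
    purged: bool = False

def purge_date(ev: Event) -> date:
    return ev.end_date + min(ev.retention, MAX_RETENTION)

def run_retention_job(events: list, today: date) -> dict:
    """One daily run; returns the event ids notified and purged on this run. A purge
    is deferred until the notice has gone out, so a run skipped during the notice
    window cannot purge without the organizer ever having been warned."""
    actions = {"notify": [], "purge": []}
    for ev in events:
        if ev.purged:
            continue
        due = purge_date(ev)
        if not ev.notified and today >= due - NOTICE_BEFORE:
            ev.notified = True       # stands in for sending the organizer e-mail
            actions["notify"].append(ev.event_id)
        elif today >= due:           # already notified on an earlier run
            for a in ev.attendees:   # redact PII only; reporting fields stay intact
                for f in PII_FIELDS:
                    if f in a:
                        a[f] = "[REDACTED]"
            ev.purged = True
            actions["purge"].append(ev.event_id)
    return actions

def demo() -> tuple:  # constructed sample data: two runs a week apart
    evs = [Event("EV-1", date(2018, 6, 1), {"email": "org@example.com", "pw_hash": "x"},
                 [{"name": "A. Attendee", "email": "a@example.com", "checked_in": True}],
                 ["Keynote"]),
           Event("EV-2", date(2018, 7, 20), {"email": "org2@example.com"}, [], [],
                 retention=timedelta(days=600))]  # over the cap; clamped to 18 months
    return run_retention_job(evs, date(2018, 7, 25)), run_retention_job(evs, date(2018, 8, 1)), evs
```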
4. International Data Transfers
The Privacy Shield frameworks, for which we maintain certification, were created to establish a way for companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.
In addition, we offer standard Model Clauses, also known as Standard Contractual Clauses, to meet adequacy and security requirements for our customers who operate in the E.U.