GENERAL DATA PROTECTION REGULATION READINESS
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) became applicable. The regulation is designed to give individuals in the EU greater control over their personal data, and it significantly changes European data privacy law for any company that offers goods or services to individuals in the EU or monitors their behaviour, as well as any company that processes their personal data, whether or not that company has a presence in the EU.
At Dynamic Signal, our customers can trust that we have made, and will continue to make, GDPR compliance a priority. We have put accountability and other measures in place within our organization to demonstrate that the Dynamic Signal platform is GDPR-ready, and we will continue to devote significant effort and resources to maintaining this readiness. The sections below describe what GDPR is and what Dynamic Signal has done to demonstrate GDPR readiness.
What is GDPR?
The GDPR is a comprehensive EU data protection law that strengthens personal data protections at a time of continuous and rapid technological change, increased globalization, and growing cross-border flows of personal data. It replaced the patchwork of national laws that implemented the 1995 Data Protection Directive with a single regulation that applies directly, and is enforceable, throughout the EU.
What does GDPR regulate?
GDPR regulates the “processing” of personal data of individuals in the EU, a term that covers collection, tracking, storage, transfer, use, and disclosure. Any organization that processes such data must comply with GDPR, whether or not it has a physical presence in the EU. GDPR defines “personal data” broadly as any information relating to an identified or identifiable natural person (the “data subject” in the regulation), including online identifiers such as IP addresses.
How does GDPR change privacy rights?
GDPR changed privacy rights in the following ways (summary, not exhaustive):
- Expands the privacy rights of individuals in the EU and adds obligations for organizations, including mandatory data breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible) and additional security requirements
- Introduces new requirements governing the profiling and monitoring of individuals
- Fines of up to 20 million euros or 4% of annual worldwide turnover, whichever is higher, for organizations that fail to meet their GDPR obligations
- Establishes enforcement through an independent supervisory authority in each member state, coordinated by the European Data Protection Board, with a lead supervisory authority acting as the single point of contact for organizations whose processing crosses borders
What has Dynamic Signal done to prepare for GDPR?
- Privacy Shield – In July 2020 the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework (the Schrems II decision). As a result, Dynamic Signal is no longer certified to Privacy Shield. Dynamic Signal continues to apply the Privacy Shield Principles to the personal information it received while participating in the Privacy Shield.
- Data Protection Impact Assessments (DPIAs) – We have completed a DPIA for our platform, will keep it under review, and are evaluating other internal processes to determine where DPIAs are needed for product enhancements.
- Data Security – Dynamic Signal continues to enhance its policies and procedures to minimize the risk of improper use or inadequate protection of personal data, including its information security, incident response, and disaster recovery plans.
- Data Subject Rights – We have developed, and will continue to enhance, policies and procedures so that Dynamic Signal and our customers can honor data subjects’ rights of access, erasure (the “right to be forgotten”), data portability, and similar rights where required. For example, we have introduced procedures to handle data subject requests within the timelines and transparency requirements of Article 12, and a process for deleting or anonymizing personal data in response to legitimate requests for erasure.
- Vendor Compliance Maintenance – We are enhancing our procedures and supporting documentation for assessing vendors and for procurement, including putting data processing agreements (as required by Article 28) and similar agreements in place with vendors that handle personal data on our behalf.
- Privacy by Design – For new products and enhancements, we proactively apply the Data Protection by Design and by Default principles of Article 25.
- Data Inventory – We have developed, and will continue to maintain, a registry of our personal data holdings, including a record of processing activities (Article 30) and relevant attributes such as the type of personal data, the owner of the data, and the lawful basis for processing it.
- Data Security – Beyond policies and procedures, we have also enhanced our security practices and controls. For instance, we have completed an internal SSAE 16 SOC 2 audit (SSAE 16 has since been superseded by SSAE 18), in addition to hosting the platform in SOC 2 compliant data centers. We encrypt all platform data in transit and all backups. Platform logs are retained for 90 days, and all customer data is deleted within 90 days of the end of the customer contract.
- Data Protection Officer (DPO)– Dynamic Signal has appointed a DPO with direct access to our executives. This provides an extra layer of governance and oversight for any data privacy concerns.
- Privacy Office – We have formed a Privacy Office and internal department liaisons who serve as the stewards of privacy going forward for Dynamic Signal, including members of our legal, architecture, security and customer success teams.
- Employee Training– We have provided and will continue to provide all our employees with GDPR training to ensure that all employees approach each facet of their work with privacy in mind.