What is GDPR?
The General Data Protection Regulation (GDPR) is a new data regulation enacted by the European Union to safeguard the rights of consumers in the EU, superseding the 1995 Data Protection Directive and increasing requirements for data security and privacy beyond the Directive.
The GDPR applies to any business that...
- Monitors the behavior of individuals in the European Union.
- Provides services or goods to the EU (including free services), even if based outside the EU; or
- Has an establishment in the EU, regardless of whether it processes personal data of EU citizens.
The GDPR governs the collection, storage, transfer or use of personal data, where "personal data" is defined very broadly to include any information relating to an identified or identifiable individual.
The GDPR gives individuals greater rights and control over personal data about them than under the Directive, by regulating how businesses obtain, handle, store and transfer the personal data they collect. The GDPR also greatly increases fines for breaches and imposes a more rigorous enforcement structure.
Of specific interest for publishers and analytics companies (like Parse.ly) are the regulations that deal with the storage, processing, regulation, and grant of consent from users.
Key changes under the GDPR
Here are some of the key changes brought about by the GDPR, compared to current law under the 1995 Data Protection Directive and other privacy-related laws:
Expanded rights for individuals: The GDPR provides expanded rights for individuals in the EU by granting them, among other things, the right to be forgotten ("right of erasure") and the right to request a copy of any personal data stored in their regard (right to "data portability").
Privacy impact assessments and data security: The GDPR requires organizations to conduct privacy impact assessments and to implement data security policies and protocols that are "appropriate ...to ensure a level of security appropriate to the risk".
Recordkeeping and other compliance obligations: The GDPR requires organizations to keep detailed records on data activities and enter into written agreements with vendors that require vendors to commit to the same compliance obligations as the contracting organizations.
Data breach notification: The GDPR requires organizations to report data breaches to data protection authorities within 72 hours of discovery, and in serious cases to the affected individuals.
Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company's annual global revenue, based on the seriousness of the breach and the damages incurred. The GDPR also provides a central point of enforcement for organizations with operations in multiple EU member countries.
How did Parse.ly handle GDPR?
Is Parse.ly a "first-party" analytics vendor?
Yes. At Parse.ly, we've always taken consumer data privacy and data security seriously since we started operating a large-scale analytics service in 2010.
We are self-certified under the EU-US Privacy Shield, which concerns transfer of data between the EU and US. We have also worked with several companies in Europe on the privacy requirements to be their first-party analytics vendor of choice.
We avoid storing extraneous data on visitors, only instrumenting sites with collection mechanisms that enhance our first-party reporting capabilities.
What changed at Parse.ly under GDPR?
Parse.ly's Information Security (Infosec) Team performed a full internal audit for compliance with GDPR.
Our Information Security Team evaluated our systems and data storage to ensure GDPR readiness. We designated a dedicated internal team for data protection.
Whether it is our own internal data, data prepared and processed for use by our customers, or data collected from visitors to those customers' websites, we now ensure that it meets the privacy standards set by the GDPR.
We catalog any personal information: We reviewed our systems, products and services to catalog and document the sources, uses, storage and disposal of all internal data, data prepared and processed for use by our customers, and data collected from visitors to those websites. We ensured we have a legal basis for the storage and processing of this information.
Enhanced data integrity and security: We adopted security practices that are broadly recognized as industry standard.
Consent requirements: We audited for compliance with consent rules for any new data we capture, to ensure we continue to lawfully process personal information that is sent to us by clients, or that we collect ourselves from our own sites and services.
Providing visibility and transparency: As a data processor, we must provide our customers (the data controllers) with access to effectively manage and protect their data. We are also exploring product enhancements to provide better transparency, in order to also provide all reasonable assistance to our customers to comply with their own transparency and data rights access obligations.
Data transfers between the EU/Switzerland and the US: We previously certified under the EU/Swiss-US Privacy Shield program, which concerns transfers of data between the EU and Switzerland, on the one hand, and the United States, on the other. We will continue to comply with Privacy Shield and other applicable requirements under the GDPR governing data processing that involves these types of data transfers.
Security and Privacy
At Parse.ly, we've always focused on a privacy-minded implementation of analytics: in many ways, the GDPR's articles are a welcome codification of practices our engineering teams already follow. But, we used the GDPR to ensure all the details are covered.
One key aspect of this is system security. We made sure that the data we hold is kept in safe and secure hands, and that our security policies and software are up to date with industry standard best practices.
As for privacy, we've always been a privacy-first company; we've long offered additional privacy measures, such as limiting IP address collection and third-party cookies on customer request, even before any privacy agency mandated them. We allow customers to control the data they send to us: a customer's development team can send along in our tracking pixel only the minimum information necessary to do analytics properly, which already makes us an attractive option for security- and privacy-conscious publishers and clients.
Our public stance on analytics and privacy can be found in a piece of writing by our Chief Technology Officer, entitled "Analytics and Privacy Without Compromise".
Data Protection Team
We created a Data Protection Team which is focused on engineering improvements to our systems, processes and our products to comply with the standards required by the GDPR.
This team focused on organizational changes for handling data protection issues, including compliance with consent and other requirements for how to lawfully collect personal data; improvements to systems and processes to comply with rights of individuals to access, review, correct or delete any personal data that is processed in our systems; ensuring that our own data collection privacy disclosures and data processing agreements are revised, as necessary; and, improving disaster response procedures and notification processes for responding to potential data breaches.
Customer guidance related to GDPR and Parse.ly services
All organizations processing personal data of EU citizens have their own separate compliance obligations. This is true for our customers as much as it is for us, and our customers must look to their own advisers to guide them through these processes.
Nonetheless, in relation to our customers' use of our systems and services, there are several important things our customers should be doing to meet their own GDPR compliance obligations:
Update terms of service and privacy policies: On your websites or apps, these should be updated to communicate to your own customers and other users how you are using our systems (and any other similar services). These disclosure obligations are more important than ever under the GDPR, including the important obligation to be transparent about the third parties (including us) with whom you are sharing personal data of your users.
Confirm consent requirements: As the data controller, customers have ultimate control over the data we store and process for their monitored domains and apps. Customers need to manage their visitor/user experience to make sure they have robust privacy notices and, where necessary, implement compliant consent experiences.
Formalize the data "processor" relationship: Our customer contracts contain appropriate provisions for the personal information we store, and balance the risks and responsibilities between our customers (the data "controllers") and us (the data "processor"). If you have an older offline contract with Parse.ly, we ask that you sign or update a contract with us incorporating terms that clearly establish our respective data processing roles, in compliance with the GDPR and other generally applicable privacy laws. This reflects our role as a data "processor" under the GDPR, processing data on your behalf as the data "controller". Our standard product terms as of May 2018 already incorporate this language.
Reach out for help
Parse.ly considers it a core operational responsibility to ensure first-party analytics is used responsibly and within the guidelines set by GDPR and other privacy frameworks.
We ask that customers reach out to their account representative if they need the direct help of our Infosec Team or our Data Protection Team.