Following our recent blog post, Are you ready for the GDPR? we now want to give you more insight into what everyone should be asking themselves as well as their third-party service providers when facing the high standards of the European General Data Protection Regulation (“GDPR”).
The GDPR comes into effect soon on May 25th, 2018. From then on, businesses not fully GDPR compliant could face fines, as well as legal action. It’s vital that everyone is up to date with the regulation, and so we’ve put together a short list of questions to ask your partners and third-party services to make sure they’re GDPR compliant.
Below you can find a list of questions you should be asking. These should help you clarify and check on your GDPR compliance whilst working with any third-party service provider. If you’re not working with Adjust, you may want to ask your own service these questions, to see if they’re fully in line with GDPR law.
1. Where are your servers/cloud services located?
One bigger implication of the GDPR is in where storage is located. The essentials of the rule here are simple: if you’re storing personal data on residents of the European Union, then those servers should be located in Europe.
This means that the data itself should not be sent to servers outside of the EU (to the US, for example). Cloud services are affected too, and must have hardware somewhere in Europe in order to store data on European citizens.
Adjust’s servers on the ground for our European clients are based in Europe - in Frankfurt and Amsterdam.
2. What kind of data are you storing?
The GDPR is concerned with the type of data being stored. Only data that is absolutely needed to provide the service to the full extent should be collected. The principle here is “data minimization” ((art. 5 c) GDPR).
Ask your service provider exactly what personal data they’re storing, and why they need it. Ultimately, you’ll need to relay this information to potential users and give them the chance to opt-out of that type of tracking (more on that below!)
Adjust works mostly with the mobile identifier (IDFA, IDFV, Android-ID, Windows-ID etc.). The hashed fingerprint is generated as a hash from the IP address, the time in milliseconds, data from the user agent (country, language, local settings, operating system, operating system version) and the app version. All of this data is deleted after 6 hours.
3. Do you have a security/privacy certification which is in line with GDPR in place, and not just a listing from a self-certifying body?
There are various privacy certifications and regulations; each means something different. Some providers might choose to get a self-certification badge to ‘show’ they have a similar data protection level to what we have in Europe. Simply putting a certification badge on a website does not mean that providers are actually compliant with the applicable data protection laws. The GDPR is an actual binding set of regulations directly applicable in each EU member state.
Every service provider should have a European certification, and not just a listing with a self-certifying privacy body (like the US-Privacy Shield). Not all security badges are the same, and research needs to be done into what the badge really guarantees. Unfortunately a self-certifying badge means that no expert or legal counsel has audited whether a company is complying with applicable data protection laws.
Adjust is ePrivacy certified. This certification comes with a stringent legal and technical audit, ensuring that we follow the strictest EU data protection laws.
4. Do you request users and other parties to sign a data processing agreement with you?
According to article 28, paragraph 4 of the GDPR, it’s mandatory that every company working with any kind of user data and sharing it with a service provider is in the loop regarding data collection, transfer and use. We sign a data processing agreement with all our European clients as a standard.
5. Do you have a deletion policy, record of processing activities, and TOMs in place?
All these are required by articles 17, 30 and 32 GDPR. This includes, for example, measures like:
- Physical access control: Measures that are suited for denying unauthorized persons access to data processing systems that are used to process personal data.
- Data access control: Measures that are suited for preventing unauthorized persons from using data processing systems.
- Data usage control: Measures that are suited for ensuring that persons authorized for the usage of data processing systems can access data only according to their defined access authority, and that personal data can’t be read, copied, changed or deleted by unauthorized persons during the processing, usage and after storage of such data.
- Separation Rule: Measures that are suited for ensuring that data that has been collected for different purposes can be kept separate during processing.
- Data Transmission Control: Measures that are suited for ensuring that personal data can’t be read, copied, changed or deleted by unauthorized persons during electronic transmission, during transport or during the process of storing it onto data storage media, and that it can be checked and asserted where the transmission of personal data through transmission systems is intended.
- Entry Control: Measures that are suited for facilitating the belated checking and asserting if personal data has been entered into, changed within or deleted from data processing systems and if so by whom.
- Availability Control: Measures that are suited for ensuring that personal data is protected against accidental damage or loss.
- Rapid Recoverability: Measures to ensure that personal data can be quickly recovered in the event of a physical or technical incident through an emergency management plan and regular recovery testing.
- Data Protection Management: Name and contact address of the appointed data privacy officer.
- Incident Response Management: Measures that are taken to respond asap to an incident.
- Privacy-by-default settings: Default settings of the IT systems to the extent that only the personal data required for the pursued purpose are processed.
- Contractual Control: Measures that are suited for ensuring that the commissioned processing of personal data complies with the guidelines of the contracting party.
In general, marketers could argue with Art. 6 1f) GDPR. According to this article the user’s consent is not needed to process the personal data if a legitimate interest is met. Direct marketing is considered to be a legitimate interest - online marketing should also count as a legitimate interest as there is no big visible difference (especially in the era where everything happens online).
In any case, all users must be given the opportunity to opt out of being tracked and have any of their data stored in your databases deleted (the latter referring to the “right to be forgotten” rule enforced by art. 17 GDPR).
7. Do you have a data privacy officer?
As of May, every company that works with data must employ a data privacy officer to oversee GDPR compliance (art. 37 GDPR). This blog post can help you understand more about the role of a privacy officer for your company.
This post is a first in our new Transparency Series, where we talk with Adjust experts about fraud, privacy, and more.
Be on the lookout for new posts every month to learn more about pressing issues in the mobile industry.