GDPR, The Checklist For Compliance
With the General Data Protection Regulation arriving within weeks, businesses are now in the final sprint to achieve compliance before the May 25 deadline. As most people know by now, GDPR is a data protection law passed by the European Union that shifts the ownership of customer data from the organizations that use it to the individual customer. This new regulation applies not only to European businesses that work with the customer data of EU citizens; it applies to any entity that works with those businesses as well, which makes GDPR a global data protection law in practice. With Facebook’s recent misuse of its customer data, all eyes are on the proper protection of customers’ private information. Your data protection officer is your point person for ensuring GDPR compliance.
If your company stores personal data in permanent storage, you’ll need to perform a data protection impact assessment before each project that involves such personal data. Despite all of your preparations, data breaches will remain a substantial risk, not only to your business and your compliance with GDPR but to the privacy and trust of your customers. In the event of a data breach, GDPR requires businesses to notify local data protection authorities of the breach within 72 hours of discovery. GDPR supports the data minimisation principle, requiring companies to use and keep only the personal data that is needed at any given time for any given purpose. Companies must then remove all traces of the customer data from their repositories, as well as from any downstream repositories where the data may have been shared and stored.
While it will take more time than a few weeks to achieve full GDPR compliance, there is still time for companies to get started on the right foot with protecting their customer data for the long run. Now more than ever, the protection of customer data and privacy has global attention, and the world with GDPR will be a proving ground for companies to regain and maintain the trust of their customers.
Our GDPR Compliance Plan
All our customers need to agree to revised data protection terms to reflect the change from the Data Protection Act to the General Data Protection Regulation. Where customers are processing personal data with GBG, as this processing is against third-party data sources, we are asking our customers to advise us of the lawful processing condition for using our products/services. Consent is changing to be more explicit/transparent, so at the point of data collection the individual will need to be informed exactly how their data will be used and who it will be shared with. Consent can be selected by our customer who is asking us to process data on their behalf, as they will hold the first-party consent and will have advised their consumer in their privacy notice as to how their data will be processed. Kate leads the Privacy and Data Compliance Team, where each Compliance Manager has a core focus on the products GBG delivers, helping embed data privacy into operations whilst also monitoring activity on an ongoing basis.
We know what data we have, where it’s held, how we access it, the classification of the data, records for transfer, and flow charts showing how it moves between systems, processes and countries. Due diligence prior to working with a third party is key to ensure data has been gathered lawfully, and to ensure any data we share will be secure. We have over 200 data partners globally, who need to comply with applicable data protection regulations. Depending on where a data partner is in the world, and what data they process, GDPR compliance may not be relevant. Article 33 states that, as a data processor, GBG’s obligation is to notify data controllers without undue delay after becoming aware of a breach. We’re regularly audited by external third parties – our customers, our data partners and external bodies, such as IESB when reviewing our ISO 27001 status or PCI DSS compliance.
We attend many conferences, webinars and are part of a compliance think tank with a number of businesses in the data industry.
Mixpanel Help Center
Mixpanel strongly believes that customers should be able to control their data and trust that information is protected when stored on its servers. To support this, Mixpanel holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation. Any Mixpanel account holder will be able to request an export of their own personal data, as well as the personal data of their own end users. Our customers control what data is sent to Mixpanel, and may decide to halt the sending of personal data at any time. To let end users opt out of the collection of their personal data, Mixpanel has also built dedicated methods for its client-side SDKs that can be used to opt end users out of tracking.
Mixpanel collects information about how customers use the product, and uses this data to identify product gaps and improve existing products. See the information below for more details about the safeguards that Mixpanel puts in place to protect customer data. As a processor of its customers’ data, and to protect the privacy of the information it stores, Mixpanel holds data no longer than is needed to provide its services. To further support this, Mixpanel is implementing a data retention policy starting May 25th: events received over 5 years ago are automatically deleted on an ongoing basis from all projects.
Deleting a project through the Project Settings triggers a soft deletion, and the data in the deleted or reset project will remain stored in Mixpanel according to the event and people data retention policies. Custom data retention windows can be set for people data by sending regular deletion requests to the Engage API. For further questions about setting custom data retention windows, contact our support team. Mixpanel has a dedicated Data Protection Officer, along with a team of privacy and security professionals dedicated to our compliance and to helping you maintain your compliance when using Mixpanel.