GDPR, the General Data Protection Regulation, is the most comprehensive and far-reaching data privacy initiative in decades. It entered into force on May 25, 2016, after about four years of debates and deliberations within the EU Parliament, and will take effect on May 25, 2018, after a two-year transition period.
This new EU data privacy law strengthens personal data rights of “data subjects” (individuals) and seeks to unify, modernize and standardize protection and privacy laws across the EU.
The regulation intends to give all EU citizens more control over their personal data and to safeguard their fundamental privacy rights by regulating the collection and use of individuals' personal data. The GDPR applies to all living, identified or identifiable natural persons. It does not apply to corporations. It imposes new rules on companies of any size, government and state agencies, non-profits, and other organizations that offer goods and services to citizens of the EU, or that collect and process data tied to EU residents.
- The rights of individuals have been expanded to include the right to be forgotten (the right to have their personal data securely and completely deleted, without undue delay), the right to object (the right to refuse permission for a company to use or process their private data), the right to rectify (the right to correct inaccurate personal information), and the right to portability (the right to request the personal data a company holds about them, as an “export”, so that they may transfer it to other companies).
- Organizations will need to protect personal data using appropriate and reasonable measures. They are also obligated to contact authorities in the case of a data breach (and the individuals affected, depending on the severity of the breach). They need to obtain consent for processing personal information where required, and potentially keep records detailing the processing of such data.
- Organizations are required to provide clear and appropriately worded notices of data collection, to outline all processing purposes and use cases, and to define data retention and expiration policies.
- Organizations need to train personnel and employees and to create and manage GDPR-compliant vendor and partner contracts.
Processing of Personal Data
ADMAN may only process pseudonymous, non-sensitive personal data, explicitly for improved ads selection and personalization. ADMAN may only persist (collect) cookie identifiers, and no other personal data is collected for later processing. ADMAN may only process such data for specific, explicit and legitimate purposes, as required by the GDPR.
The GDPR discriminates between sensitive and non-sensitive data, and between directly identifying information (such as a person’s name, phone number, email address), and pseudonymous data (or non-directly identifying information) which does not allow the direct identification of users. Pseudonymization aims to decouple the “personal” in personal data. It renders the data “anonymous” in a limited context.
This, for example, would include a random sequence of characters (an online identifier) which is meaningless in isolation, but which, if associated with another dataset, can be used to directly or indirectly identify a person. ADMAN does not maintain any such dataset that could be used in conjunction with pseudonymous data to identify a person by tracing the pseudonymous identifiers back to a data subject.
The GDPR's clear distinction between directly identifying information and pseudonymous data is very important, and pseudonymization is encouraged by the regulation.
ADMAN will request unambiguous consent when it may process personal data. Consent can be unambiguous when it is deduced from the action of the data subject. In such situations, ADMAN will display information specific to the personal data that may be processed, while providing the data subject with the option to opt out of future personal data processing. Per the GDPR, an explicit opt-in is not required for non-sensitive personal data. Furthermore, per the GDPR, consent is mandated only if sensitive personal data is involved, or if profiling results in automated decision making AND that decision making has a legal or similarly significant effect on the individual (Recital 71).
Phaistos Networks' commitments to the GDPR
We have long had strict privacy measures in place, well before they were mandated by any privacy agency or regulation, and respect for our customers' and users' data has always been central to our company's values.
We believe protecting privacy requires a holistic security program. Our holistic, risk-based approach, with a strong emphasis on continuous incident monitoring and data protection measures (such as encryption), has influenced the design and implementation of all our products and services (privacy by design). Our infrastructure is designed to facilitate security throughout the entire data processing lifecycle. This includes secure storage of data, secure communication between services and applications, and appropriate backup and expiration procedures.
Starting in mid-2017, we have undergone a full review of systems and policies to ensure GDPR compliance. We have implemented appropriate technical and organizational measures that meet the requirements of the GDPR. All our products and services will be fully GDPR compliant by May 2018.
All personal data entrusted to us by our customers, partners, or users is encrypted, whether in transit or at rest. Access to such data is granted granularly, only to employees and Phaistos “applications” that need it, based on a robust authentication and authorization scheme.
Our engineering teams have put significant effort into understanding the specifics of the various GDPR requirements, and we are constantly refining our offerings with that in mind.
We believe protecting the privacy of our users and customers while being transparent about our business practices is of primary importance. We are prepared for the implications of the GDPR, and we are looking forward to helping our customers and partners understand our products and services.