Preparing for the GDPR regulatory compliance requires a considered approach
The new ‘General Data Protection Regulation’ (GDPR) came into effect on 25 May 2018, creating a unified data protection legislation across all EU member states. The GDPR will change the way organizations collect, use, and manage personal data from the EU. Companies collecting personal data from the EU will need to take a considered approach to their personal data collection and protection practices.
Prior to the GDPR, each country within the EU had different data protection laws, making it difficult for companies to comply across Europe. Because the GDPR creates single data protection regime for Europe, Companies can comply at the European level rather than on a country-by-country basis.
Although the GDPR is an EU regulation, it won't only affect companies in the EU, but also companies that collect personal data from the EU. For consumers in Europe, the GDPR helps to protect their privacy and stop unwanted solicitation.
At TapHeaven, we are aware of the effort it takes to meet GDPR requirements. This is how we’re getting ready.
Helping to safeguard your personal data at TapHeaven
We are dedicated to providing transparency and building trust. A committee of representatives from various TapHeaven teams has worked together to get the organization and product ready to meet new security and privacy requirements.
We understand that your visitors are concerned about how their personal data is used and managed. We are committed to help you address this concern and meet your compliance obligations.
TapHeaven is backed by security controls designed to protect your data using industry best practices and proven technology.
As IP addresses could be considered personal data, TapHeaven anonymizes IP addresses by removing the last block of your visitors’ IP address before storing event data.
By default, our snippet communicates with TapHeaven.com using Transport Layer Security (TLS), which is regularly updated to use updated ciphersuites and TLS configurations.
Data Deletion and Access
Under the GDPR, data subjects may request access to or erasure of personal data stored by a company. We are building tools and processes to help our customers fulfil these requests.
For the event data we collect, our support engineers will work with you to export and erase the records associated with identifiers you provide.
TapHeaven’s security, privacy, and compliance team has reviewed our product features and conducted an assessment of organizational requirements for compliance with the GDPR. It has developed and is implementing a GDPR compliance plan across our organization with buy-in from executive-level members of our organization.
Training and Privacy Awareness
As part of our employee onboarding and continuous training, members of our engineering and product teams learn about privacy. In addition, software engineers receive software security training annually. All efforts are overseen by our security, privacy and compliance team.
Data Mapping and Privacy Impact Assessment
To verify that our privacy practices are appropriate, we have conducted an initial data mapping exercise and further are conducting a Privacy Impact Assessment (PIA) to assess how we collect, process and store personal data and determine potential privacy impacts.
Informational Security Policies
We have published informational security and data protection policies governing when employees and contractors can access data stores containing your data.
The GDPR restricts the export of personal data to countries outside the EU and the European Economic Area (EEA) unless certain controls are in place. TapHeaven takes precautions to ensure secure transfer of such personal data to servers located within the EU.
We leverage advanced technology designed to detect and avoid threats. If needed, our rigorous 24/7 incident management program allows us to respond to security or privacy events promptly. We have implemented a data breach and incident response plan. In case of an incident involving your customer data, we will inform you per the terms of your agreement with us.
We review new product functionality according to stringent security and privacy guidelines throughout the entire software development cycle.
We have conducted security and privacy reviews of our vendor contracts. As a result we have DPAs with vendors who process personal data, we have collected for you, if any.
To support your efforts to provide EU-compliant contractual protections, we have GDPR-ready Data Processing Agreements (DPAs) in place with all data controllers we utilize.
User Opt-Out Links
In any case, all users must be given the opportunity to opt out of being tracked and have any of their data stored in your databases deleted (the latter referring to the “right to be forgotten” rule enforced by art. 17 GDPR).
It’s time to get ready for the GDPR
Review your data collection practices to ensure you have appropriate permissions, where necessary, to collect information from your visitors. Consider using just-in-time privacy notices if needed to obtain consent. Also consider how to communicate the value of the additional services provided, which is a great opportunity for experimentation to maximize the opt-in rate.
Create a process to address data subject access request, including how you plan to authenticate the data subject. Review your existing vendor relationships to see whether they offer appropriate protections for your data.
Review your data collection practices and think about how to minimize the collection of personal data. Consider turning on IP anonymization or shortening your cookie expiration policies.