In Preparation of GDPR Compliance

In just a few months, the European Union will put a new privacy law into effect. Designed to let individuals decide what happens to their personal data, the General Data Protection Regulation (GDPR) requires companies to conform to data collection and security best practices.
At its heart, GDPR represents a unique opportunity for brands to strengthen customer relationships by making privacy and trust a key part of the user experience.
GDPR is a significant piece of legislation, and unraveling exactly what it means for your business can be tricky. Here’s what you need to know about these new rules — and what we at CleverTap are doing to prepare.

What is GDPR?

One of the largest legislations on data privacy, the European Union’s GDPR is set to take effect on May 25, 2018. The GDPR enforcement puts the control of personal data in the hands of the individuals it belongs to, protecting the rights of EU residents.
The regulation delineates individuals’ rights to access, rectify, and restrict the processing of personal data, among other key provisions, and aims to unify privacy and security laws for all organizations operating within the EU.

What Does GDPR Mean for You?

If your business provides a product or service to EU residents, and determines how and why to collect, track, and monitor their data, you’re considered a data controller. As a CleverTap customer, you likely perform one of the above activities and will need to comply with the GDPR.
Businesses that process data on behalf of controllers are considered data processors. As an Intelligent Mobile Marketing Platform, CleverTap services its customers as both a data processor and a data controller.
CleverTap believes that preparing for the GDPR provides an enormous opportunity for us to deliver even better customer experiences on our platform. We will be GDPR compliant by May 25, and are taking steps to make it easy for you to comply with the regulation as well.

How Does GDPR Apply to CleverTap?

CleverTap operates at an unprecedented scale, processing billions of data points every month — including personal data for EU residents. The GDPR requires businesses that collect, store, or transfer personal data to protect it from unauthorized or unlawful processing, damage, or accidental loss.
In preparing for the GDPR, CleverTap is able to rely on its strong foundation of privacy controls that proactively incorporate many of these requirements. At the same time, we are working to formally document and continually evaluate the additional steps that we and our customers need to take to comply with GDPR.

CleverTap’s Commitment to Data Security and Privacy

At CleverTap, the security and confidentiality of our customer data is critical. As a data processor, CleverTap already takes considerable effort to make sure that our product offering complies with the requirements laid out by the GDPR.
We implement best practices to ensure that we offer complete transparency in data collection, synthesis, and transfer of data to and from our customers. In light of these new requirements, our legal and privacy team is working to more formally document the privacy practices we have in place.

1. Handling of Personally Identifiable Information (PII): The GDPR requires companies to take adequate measures to keep data up-to-date and relevant to the purpose for which it is processed. At CleverTap, we process PII data strictly based on instructions from the controller, which in this case would be you, our customer. We also take the necessary measures to ensure that your data is always accurate and current.
2. Profiling and Monitoring of EU residents: We are working on a protocol which will allow our Controller partners to implement ‘Right to Forget’ and ‘Right to Suppress’ events for their customers. This will ensure that we do not store any PII of EU individuals who have invoked these clauses on their respective devices.
3. Data Transfer to EU: At CleverTap, we safeguard each client’s data within their own silo, strictly restricting any movement of data between clients. Furthermore, during the setup phase, we work closely with our controller partners to ensure that data at the server level does not breach the boundaries of the EU.
4. Data Transfer Outside of EU: All of our customer (controller) data is processed and stored with our cloud service partners who implement best-in-class security and risk management protocols. Your data never leaves the EU.
5. Data Encryption: We process data both in transit and at rest using best-in-class encryption standards to ensure data security. All our data collection points support TLS 1.1, and TLS 1.2 encryption protocols.
6. GDPR-Relevant Contract Terms: As of May 25, 2018, all our existing contracts will carry an addendum to cover the GDPR compliance standards, and all new contracts will carry GDPR compliance guidelines.

How We Enable Our Customers to be GDPR Compliant

In order to comply, controllers should ensure that they only work with processors that implement the necessary technical and organizational best practices to meet the requirements of the GDPR.

1. End-User Rights
   • Right to access: At CleverTap, we enable our customers to give users access to personal data as well as the purpose of processing that data.
   • Right to Erasure: The right to erasure or the right to be forgotten empowers the user with the right to erase of personal data without delay and the right to withdraw consent. CleverTap will provide our customers with an SDK and Web API update that deletes all user data.
   • Right to Suppress: Similarly, once a user invokes a right to suppress clause (on the app), all data for the user going forward needs to be dropped. To allow for this, CleverTap will provide our customers an SDK and Web API update to allow for suppression.
2. Privacy by Design
   CleverTap aims to provide complete data transparency to our users. We will include a built-in opt-out option as a default setting so that our customers have the necessary user consent before they go ahead with engagement campaigns within the CleverTap platform.
3. Data Breach Reporting
   In order to make it easier for our customers to address data breach notifications promptly, we have an incident reporting system in place. When an incident involving personal data takes place, this system informs our customers of the breach and strongly recommends our customers to communicate the same to their end users.

Our Continued Commitment to GDPR

This is just the beginning! CleverTap will continue to evolve its security and compliance suite to ensure our customers meet legal requirements as they use our mobile marketing solutions. We take our data privacy and security responsibility very seriously and will align the changes in our data processing framework with the privacy needs of our customers.
In addition, our data governance and legal team are well-placed to answer any questions you might have. We encourage our customers to engage in this conversation so we address GDPR compliance together.
If you have any questions, please reach out to us at legal@clevertap.com. For more information and clarification on GDPR compliance, its effect and complications, limitations, penalties, register for our upcoming webinar.