What Is the GDPR?

The General Data Protection Regulation (GDPR) is one of the biggest legislative changes made since 1975. Effective from May 25, 2018, its primary goal is the protection of the personal data and rights of EU residents.

Data Privacy and Information Security Certifications

We have been recommended for the following certifications, which support our GDPR preparedness:

  1. BS 10012:2017 Personal Information Management System [PIMS] & GDPR Regulation Compliance: BS 10012 helps organizations manage risks to the privacy of personal data and implement the policies, procedures, and controls needed to comply with data protection legislation.
  2. ISO 27001:2013 Information security management systems [ISMS]: An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes, and IT systems by applying a risk management process.

PushCrew Embraces GDPR

PushCrew has put in place processes and procedures to comply with the various provisions of the GDPR (data subject rights, the GDPR core principles, a data protection addendum, data deletion, data retention, and pseudonymisation); these align with our core values of customer trust and data privacy.

What steps did PushCrew take to become GDPR-compliant?

Over the last year, we have covered a lot of ground toward understanding and analyzing how the GDPR will impact our customers and making appropriate changes to our product and processes. This was made possible with the help of a focused group comprising experts on Corporate Security and Compliance and members of our senior leadership. Below is a glimpse of our analysis and the steps we took to ensure we are compliant well in time:

Establishing the Governance Structure

  1. Start the GDPR compliance initiative with a dedicated focus group. - Completed
  2. Create a comprehensive Privacy Management framework that incorporates 130+ best practices and organizational measures, divided into 13 data privacy management categories. - Completed
  3. Appoint a Data Protection Officer/Official (DPO) in an independent role. - Completed
  4. Conduct an assessment on product and business impact. - Completed
  5. Initiate the internal Privacy and Security Awareness program. - Completed
  6. Conduct Data Protection Impact Assessment (DPIA) (Internal). - Completed
  7. Conduct Data Protection Impact Assessment (DPIA) (External). - Completed

Implementing Policies and Procedures

  1. Create Data Protection Policy. - Completed
  2. Change Privacy Policy. - Completed, available here
  3. Change Terms and Conditions. - Completed, available here
  4. Create Data Protection and Information Security Policy. - Completed, to be published soon
  5. Devise Data Breach and Incident Response Plan. - Completed
  6. Develop a risk management framework to assess and manage threats across the organization and real-time personal data. - Completed
  7. Embed personal data protection requirements within contracts and agreements with third-party service providers. - Completed
  8. Create customer-facing Data Protection Addendum (DPA). - Completed, available here
  9. Create third-party supplier Data Protection Addendum (DPA). - Completed, to be published soon

Embedding and Implementing Data Privacy into Operations

  1. Prepare a detailed inventory of data and data-flows within our systems. - Completed
  2. Establish procedures and policies to restrict processing of personal data. - Completed
  3. Set up mechanisms to automatically track flow of all data within and outside our systems. - In Progress

Existing Product Features Geared toward GDPR Compliance

We take the utmost care to ensure that our customer data is secure and easily accessible. While we are constantly working toward enhancing our security parameters under the GDPR guidelines, VWO includes the following out-of-the-box capabilities geared toward protecting personal data and privacy:

  • Anonymize IP address: By default, PushCrew never captures the full IP address of any visitor to your website. The last octet of each IP address is deleted to ensure that these are rendered completely anonymous.
  • Consent: Web push notifications already require website visitors to provide explicit consent by turning on the browser-level permission.
  • Subscriber data: After a visitor accepts notifications, the browser's push notification service creates a randomly generated ID for the subscriber. This ID cannot be used to identify a particular individual.
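The IP anonymization bullet above describes dropping the last octet of a visitor's IPv4 address before it is stored. The following is an added example, written for this page and not PushCrew's or VWO's own code, of how such a mask is applied in a logging pipeline: it zeroes the last octet of an IPv4 address, rejects malformed input instead of storing it verbatim, and scrubs the client-address field of a constructed access-log line. It goes beyond the page in one respect, marked in the code: for IPv6 it assumes the common convention of zeroing the low 80 bits, since the page only describes the IPv4 case. The log lines and addresses are constructed sample data.

```python
import ipaddress

# Trailing bits to zero before storage.
# IPv4: 8 bits, i.e. the last octet, as the page describes.
# IPv6: 80 bits is an assumption of this example (keeps the /48 prefix);
#       the page does not state an IPv6 rule.
IPV4_MASK_BITS = 8
IPV6_MASK_BITS = 80


def anonymize_ip(ip_text: str) -> str:
    """Return ip_text with its host-identifying low bits zeroed.

    Raises ValueError for anything that is not a valid IPv4 or IPv6
    literal, so malformed input is rejected rather than written to disk.
    """
    addr = ipaddress.ip_address(ip_text.strip())
    bits = IPV4_MASK_BITS if addr.version == 4 else IPV6_MASK_BITS
    masked = int(addr) & ~((1 << bits) - 1)
    # Rebuild with the same address class so a small IPv6 integer is not
    # mistaken for an IPv4 address.
    return str(type(addr)(masked))


def is_anonymized(ip_text: str) -> bool:
    """True if masking is a no-op, i.e. the address was already masked."""
    return anonymize_ip(ip_text) == str(ipaddress.ip_address(ip_text.strip()))


def scrub_log_line(line: str) -> str:
    """Mask the client address that starts an access-log line.

    The first whitespace-separated token is assumed (as in the common
    combined log format) to be the client IP. An unparseable token is
    replaced with "-" so nothing that is not a masked address is kept.
    """
    client, sep, rest = line.partition(" ")
    try:
        client = anonymize_ip(client)
    except ValueError:
        client = "-"
    return client + sep + rest


# Constructed sample log lines (not real traffic).
SAMPLE_LINES = [
    '203.0.113.42 - - [25/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:1234:5678:abcd::1 - - [25/May/2018:10:00:01 +0000] "GET /a HTTP/1.1" 200 12',
    'not-an-ip - - [25/May/2018:10:00:02 +0000] "GET /b HTTP/1.1" 400 0',
]


def scrub_all(lines):
    """Apply scrub_log_line to every line, returning the masked lines."""
    return [scrub_log_line(line) for line in lines]


if __name__ == "__main__":
    for masked in scrub_all(SAMPLE_LINES):
        print(masked)
```

Zeroing the last octet maps every address in a /24 block to the same stored value, so what is retained identifies a network block rather than a single host. The `is_anonymized` check is idempotent by construction and lets a storage layer assert that an address has already passed through the mask before it is written.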

New additions:

  • Privacy settings: We have added a new privacy settings page inside every PushCrew account which gives you full control over your account access. Read more about it here.
    • Granular control over the subscriber data collected.
    • Enable subscribers to exercise their rights with regard to their personal information stored by you on PushCrew servers:
      • Right to access personal information
      • Right to get (any) personal information deleted
      • Right to withdraw consent
  • Opt-in: You can now enable consent for website activity tracking on the opt-in form. Read more about it here.

FAQs

When is the GDPR coming into effect?

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by national governments, meaning it is effective from May 25, 2018.

Whom does the GDPR affect?

The GDPR applies not only to organizations located within the EU but also to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the location of the companies.

What is the difference between a data processor and a data controller?

A controller is an entity that determines the purposes, conditions, and means of processing of personal data, while a processor is an entity that processes personal data on behalf of the controller.

Where can I learn more about the GDPR?

You can refer to the following links for more information about the GDPR and how you can prepare for it.

Last updated: May 25, 2018