What's the GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation that will replace the 1995 EU Data Protection Directive (DPD). It significantly strengthens the protection of the personal data of individuals in the EU and increases the obligations on organizations that collect or process personal data. It comes into force on 25 May 2018.
The full text of the GDPR can be found here.
Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities established within the EU, the territorial scope of the GDPR is far wider: it also applies to non-EU businesses that
a) offer goods or services to people in the EU, or
b) monitor the behavior of people in the EU.
In other words, even if you are based outside the EU, the GDPR applies to you if you control or process the personal data of people in the EU.
How is ProPush preparing for the GDPR?
ProPush is fully committed to GDPR compliance. The essence of the GDPR aligns directly with our core values of protecting customer privacy and each person's rights over their own data. Over the last couple of months we have been evaluating the new requirements and restrictions imposed by the GDPR and are taking the actions necessary to ensure that we handle customer data in compliance with applicable law by the May 2018 deadline, while continuing our commitment to build new features and help increase customer engagement.
Establishing a Governance Structure
- Start the GDPR compliance process with a dedicated team. - Completed
- Create a comprehensive Privacy Management Framework. - Completed
- Appoint a Data Protection Officer. - Completed
- Initiate the internal Privacy and Security training. - Completed
- Conduct Data Protection Impact Assessment (DPIA). - Completed
Implementing Policies and Procedures
- Data Protection Policy - Completed
- Information Security and Governance Policy - Completed
- Data Breach and Incident Response Plan - Completed
- Risk management framework to assess and manage threats across the organization. - Completed
- Data Protection Addendum (DPA) - Completed
Implementing Data Privacy into Business Operations
- Prepare a detailed inventory of data and data-flows within our systems - Completed
- Establish procedures and policies to restrict processing of personal data - Completed
- Set up mechanisms to automatically track flow of all data within and outside our systems - Completed
Product Features Geared toward GDPR Compliance
Our team is building the features needed to ensure that we, and our customers, meet our GDPR obligations. ProPush already provides the following capabilities for protecting personal data and privacy:
- Anonymize IP address: By default, ProPush captures only the first three octets of a visitor's IPv4 address; the last octet is discarded before the address is stored. Note that a /24 prefix still identifies a network, so treat this as pseudonymization that reduces identifiability rather than as data that is fully anonymous.
- Consent: Web Push notifications already require the website visitor's explicit opt-in: a notification can only be sent after the visitor grants the browser-level permission. The browser prompt shows only the requesting site, so the site should explain what notifications it will send before triggering the prompt.
- Subscriber data: When a visitor accepts notifications, the browser's push service returns a subscription endpoint containing a randomly generated token for that subscription. The token is not linked to a name, email address or account, so on its own it does not identify a particular individual; it does, however, single out one browser installation, so it should be handled as pseudonymous personal data.
- Data deletion: ProPush automatically deletes the data of expired endpoints (subscriptions that the browser's push service no longer accepts). Subscribers remain in control of their data: they can unsubscribe at any time from their browser, after which their data is deleted from our systems.
- Data retention: Users can use the account features to remove or update their data. We have also shortened the retention period for deleted data to 90 days.