GDPR and TUNE
What it is and what it means for you
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into effect. As your trusted data processing partner, we’re committed to helping our clients on their GDPR compliance journey.
What Is GDPR? How Does It Affect TUNE Clients?
GDPR, or the General Data Protection Regulation, is the European Union’s new privacy law that updates and enhances its data protection requirements. Among the changes in the new rules, the definition of personal data has been broadened, and with it the scope of who is covered by the law.
Under GDPR, any company that offers products or services to individuals in the EU, or monitors their behavior, is affected, even when that company is not located in the EU. This means that GDPR applies to all TUNE clients located in the U.S. and around the world that work with the personal data of individuals who reside in the European Union.
You can read the full GDPR FAQ here.
What Is TUNE Doing to Prepare for the May 2018 GDPR Deadline?
TUNE currently maintains high standards in safeguarding the data of our clients. In advance of the GDPR deadline, TUNE either already meets or is implementing product updates to more efficiently meet our obligations as a data processor. Our clients, as data controllers, will have the responsibility to utilize any applicable updates and to make any necessary policy or procedure updates. You can review some of the steps we’re taking below.
Security and Privacy Compliance
TUNE Security is committed to the protection of our systems and your data. We are proud to incorporate SOC 2 as the criteria for measuring TUNE products and services. By obtaining a SOC 2 Type II report, TUNE is following through on its commitment to developing the marketing industry's most trustworthy and transparent solution. The controls covered by that report also support our compliance with several other security and privacy certifications, standards, and regulations, including ePrivacy certification, DAA standards and the EU-U.S. Privacy Shield.
Data Transfer Practices
TUNE’s U.S.-EU data transfer practices are certified under the EU-U.S. Privacy Shield Framework. Clients may rely on this framework for the transfer of data from the EU to the U.S. or have the option of entering into Standard Contractual Clauses, also known as EU Model Clauses. To learn more, please see TUNE’s Privacy Shield Statement.
In order to comply with the expanded record-keeping and accountability requirements, TUNE is actively working to more formally document our current privacy and security practices and procedures.
Privacy By Design
In addition to the current functionality, such as rule-based controls and supporting end user opt-outs, TUNE continually works to incorporate privacy and security measures into our software development life cycle.
Innovation is part of TUNE’s core. Listening to our clients and constantly seeking to improve the customer experience helps us support them with their data protection efforts.
GDPR Compliance Is a Shared Responsibility
GDPR compliance is a shared responsibility between data controllers and data processors.
TUNE clients are data controllers. TUNE is a data processor.
We’ve created the venn diagram below to illustrate the roles of data controllers (TUNE clients), data processors (TUNE), and the situations where we may need to help or partner with you using tools, protocols, or documentation to help you meet standards for compliance.
The Key to GDPR: Rights of End Users
A key part of GDPR is letting individuals, also known as end users, choose what happens to their personal data. As data subjects under GDPR, end users have the right to:
• Access their personal data and correct errors
• Delete personal data
• Object to its processing
• Export it
FOR TUNE CLIENTS:
The Role of the Data Controller
As a data controller, you dictate what data you collect and what we do with it. You should consider the following key points in preparation for GDPR compliance:
1. Determine the data you collect as a data controller, as well as the data we process and store on your behalf. We’ve said from the beginning that with TUNE products, your data always belongs to you. This means that depending on the TUNE product or service you use, we may process personal data for you. Knowing this before GDPR goes into effect is critical to your successful adoption and compliance.
2. Provide transparency through privacy notices and/or policies to end users that detail how you collect and use information, obtain consents (if needed), and respond to requests from end users regarding their data.
3. Should end users inquire about what data you maintain about them or decide they no longer want a relationship with you, you will respond directly to those requests.
The Role of the Data Processor
As a data processor, we process personal data only on instructions from you, the data controller. We also will comply with the following:
1. If you’re a TUNE client and you need our assistance with any end user requests, we will partner with you to help you respond.
2. We will take reasonable measures to secure your data, such as encryption, pseudonymization, availability (stability and uptime), backup and disaster recovery, and regular security testing.
Additional Roles and Responsibilities
GDPR significantly expands your responsibility as a data controller for processing activities, especially those related to data collection, end user choice, and transparency. In light of this, TUNE will take other applicable steps to help facilitate and support our clients’ compliance with GDPR.
One of these steps is advising our clients on best practices and data cleanliness. When considering marketing efforts and GDPR, we encourage all of our clients to take into account the following critical areas:
Assess How Data Is Legally Processed
Do you have a lawful basis for each processing activity? If you rely on consent, is it specific, unambiguous, and freely given, and does your end user experience make this clear? If you instead rely on legitimate interest to collect, process, and store the data, have you documented that interest and weighed it against the interests of your end users? If you can't answer these questions with a "yes," it's time to take a step back.
Update All Necessary Notices
Have you reviewed your current privacy policies, notices, or other information you provide to end users? Are these notices presented at the point of collection? A review of all privacy notices may be necessary to keep your data collection, use, and storage transparent to end users.
Adopt Data Access, Right to Correction, and Right to Be Forgotten Protocols
These principles allow your end users to see the personal data you hold about them, to correct outdated or inaccurate personal data, to export it, and to be removed from processing altogether. Internal policies and procedures should be implemented and maintained to appropriately respond to such requests, including locating every system (your own and those of your processors) where the data lives.
Use Pseudonymous or Anonymous Data
Consider removing or limiting unique identifiers through the anonymization or pseudonymization of data. Some techniques include keyed hashing, salting, encryption, and the use of tokens. This may help minimize the potential for future identification of end users, and may also help minimize your compliance obligations. Two caveats: pseudonymous data that can still be linked back to an individual (for example, with a key or a lookup table you hold) remains personal data under GDPR, and an unkeyed hash of a low-entropy identifier such as an email address, phone number, or device ID is not anonymization, because anyone who can guess candidate identifiers can recompute the hash and link the records.
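As an added example (not TUNE's code or part of the original page), the following Python illustrates the two preceding recommendations: pseudonymizing identifiers with a keyed hash rather than a plain hash, and tokenizing them through a lookup vault so that a right-to-erasure request can be honored by deleting one vault entry. The sample email addresses, the vault, and the key are all constructed for the demonstration; the point is to show why a plain SHA-256 of an identifier is reversible by guessing, while an HMAC with a secret key is not.

```python
"""Pseudonymization and tokenization of user identifiers.

Added example, not TUNE's code. All identifiers, keys and the vault
below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample identifiers (hypothetical; not real users).
SAMPLE_EMAILS: List[str] = [
    "alice@example.com",
    "bob@example.com",
    "carol@example.com",
]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier.

    Looks opaque, but anyone holding a list of candidate identifiers can
    recompute the digest and link records back to a person. A public
    salt only defeats precomputed tables; it does not stop guessing.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(target_digest: str, candidates: List[str]) -> Optional[str]:
    """Recover the identifier behind an unkeyed digest by trying candidates."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), target_digest):
            return candidate
    return None


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonymization with HMAC-SHA256.

    Output is stable for the same (identifier, key), so analytics can
    still count and join on it, but without the key an attacker cannot
    recompute it from guessed identifiers. The key must be kept out of
    the dataset and rotated per purpose or per client, and records
    keyed this way remain personal data as long as the key exists.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization: replace an identifier with a random token.

    Only the vault holds the token-to-identifier mapping. Downstream
    systems store the token; erasing the vault entry makes every copy
    of the token meaningless, which is one practical way to implement
    a right-to-erasure process without touching every downstream table.
    """

    def __init__(self) -> None:
        self._to_token: Dict[str, str] = {}
        self._to_identifier: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        """Return the existing token for an identifier, or mint a new one."""
        if identifier in self._to_token:
            return self._to_token[identifier]
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, not derived from the identifier
        self._to_token[identifier] = token
        self._to_identifier[token] = identifier
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Look up the identifier behind a token; None once it has been erased."""
        return self._to_identifier.get(token)

    def erase(self, identifier: str) -> bool:
        """Honor an erasure request by dropping the mapping. Returns False if unknown."""
        token = self._to_token.pop(identifier, None)
        if token is None:
            return False
        del self._to_identifier[token]
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-purpose secret, stored outside the dataset
    leaked = naive_hash("bob@example.com")
    print("plain hash recovered:", dictionary_attack(leaked, SAMPLE_EMAILS))
    print("HMAC recovered:", dictionary_attack(pseudonymize("bob@example.com", key), SAMPLE_EMAILS))
    vault = TokenVault()
    token = vault.tokenize("alice@example.com")
    vault.erase("alice@example.com")
    print("after erasure, token resolves to:", vault.detokenize(token))
```

In practice the HMAC key and the vault are the sensitive assets: they belong in a key management system or a separately access-controlled store, and destroying them is what turns pseudonymous data into data that can no longer be tied to a person.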
Consider Data Minimization
Simply put: Collect only the data you need. Conduct an assessment of the data you collect and determine if it is all necessary.
How TUNE Clients Can Start Preparing Today
Below are five steps you can take to prepare your team and your company for the GDPR deadline.
1. Get management buy-in and create awareness. Make sure all necessary stakeholders are involved in ensuring your organization is ready and knowledgeable about its GDPR obligations.
2. Understand your legal basis for processing data under GDPR: consent, legitimate interest, or another way. If using consent, develop a consent management procedure with your end users in mind.
3. What information do you hold? Take an inventory of locations where you process data, including apps, websites, cookies, and tags. Are all data points necessary?
4. Document how you collect, use, and store personal data. Update your external notices to end users and partners on how you will use their data.
5. Create and implement policies and procedures to give effect to end user rights (e.g., right to access, right to erasure, right to data portability). This includes appointing a privacy point of contact.