GDPR and TUNE
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect.
TUNE’s performance marketing platform is certified for compliance against GDPR under ePrivacy’s technical and legal standards. Visit ePrivacy’s site to learn more. TUNE has implemented related product updates to meet our obligations as a data processor.
And as your trusted data processing partner, we’re committed to helping the entire industry on its GDPR compliance journey.
What Is GDPR? How Does It Affect TUNE Clients?
GDPR, or the General Data Protection Regulation, is the European Union’s new privacy law that updates and enhances its data protection requirements. Among the changes in the new rules, the definition of personal data has been broadened, and with it the scope of who is covered by the law.
Under GDPR, any company that markets products and services to individuals in the EU is affected, even when that company is not located in the EU. This means that GDPR applies to all TUNE clients located in the U.S. and around the world that work with the personal data of individuals who reside in the European Union. Other jurisdictions, including California, have passed similar legislation, and TUNE will closely monitor these developments.
How Is TUNE Prepared for GDPR?
TUNE currently maintains high standards in safeguarding the data of our clients. In advance of the GDPR deadline, TUNE either already met its obligations as a data processor or implemented product updates to meet them more efficiently. Our clients, as data controllers, retain the responsibility to use any applicable updates and to make any necessary policy or procedure changes. You can review some of the steps we’ve taken, and continue to refine, below.
Security and Privacy Compliance
TUNE is committed to the protection of our systems and your data. We are proud to incorporate SOC 1-level and SOC 2-level controls as criteria for measurement of TUNE products and services. By relying on independent reviews of our SOC 1 Type II and SOC 2 Type II preparedness, TUNE is following through on its commitment to develop the industry’s most trustworthy and transparent solution. SOC reports help companies maintain a proactive approach to managing risks, meet customer expectations, and build confidence and trust with other clients and end users.
Data Transfer Practices
TUNE’s EU-U.S. data transfer practices are certified under the EU-U.S. Privacy Shield Framework. Clients may rely on this framework for the transfer of data from the EU (and the United Kingdom) to the U.S. or have the option of entering into Standard Contractual Clauses, also known as EU Model Clauses. TUNE also offers a Data Processing Addendum for our clients and partners. All such documents are available here. To learn more about our data transfer practices, please see TUNE’s Privacy Shield Statement.
TUNE implemented rolling data retention for log-level reporting, as well as customizable opt-in controls for real-time IP obfuscation and unique Device ID blanking for all EU countries. Learn more about the specific data retention rules and the importance of securing data here.
In order to comply with the expanded reporting requirements, TUNE continually refines its documentation of current privacy and security practices and procedures.
Privacy By Design
In addition to the current functionality, such as rule-based controls and supporting end user data rights, TUNE continually works to incorporate privacy and security measures into our software development life cycle.
Innovation is part of TUNE’s core. Listening to our clients and constantly seeking to improve the customer experience helps us support them with their data protection efforts.
GDPR Compliance Is a Shared Responsibility
GDPR compliance is a shared responsibility between data controllers and data processors.
TUNE clients are data controllers. TUNE is a data processor.
The Key to GDPR: Rights of End Users
A key part of GDPR is letting individuals, also known as end users, choose what happens to their personal data. As data subjects under GDPR, end users have the right to:
• Access and correct errors
• Delete personal data
• Object to its processing
• Export it
FOR TUNE CLIENTS
The Role of the Data Controller
As a data controller, you dictate what data you collect and what we do with it. You should consider the following key points:
1. Determine the data you collect as a data controller, as well as the data we process and store on your behalf. We’ve said from the beginning that with TUNE products, your data always belongs to you. This means that depending on the TUNE product or service you use, we may process personal data for you.
2. Provide transparency through privacy notices and/or policies to end users that detail how you collect and use information, obtain consents (if needed), protect personal and sensitive information, and respond to requests from end users regarding their data.
3. Should end users inquire about what data you maintain about them or decide they no longer want a relationship with you, you will respond directly to those requests.
The Role of the Data Processor
As a data processor, we process personal data only on instructions from you, the data controller. We also will comply with the following:
1. If you’re a TUNE client and you need our assistance with any end user requests, we will partner with you to help you respond.
2. We will take reasonable measures to secure your data, such as encryption, pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing.
Additional Roles and Responsibilities
GDPR significantly expands your responsibility as a data controller for processing activities, especially those related to data collection, end user choice, and transparency.
Below are best practices to support industry alignment with GDPR data principles. When considering marketing efforts and GDPR, we encourage all of our clients to take into account the following critical areas:
Assess How Data Is Legally Processed
Do you have your end users’ consent? Is it specific, unambiguous, and freely given? Does your end user experience make this clear? Do you have a legitimate interest to collect, process, and store the data? If you can’t answer each question with a “yes,” it’s time to take a step back.
Update All Necessary Notices
Have you reviewed your current privacy policies, notices, or other information you provide to end users? Are these important notices presented at the point of collection? A review of all privacy notices may be necessary to keep your data collection, use, and storage transparent to end users.
Adopt Data Access, Right to Correction, and Right to Be Forgotten Protocols
These principles allow your end users to correct outdated or inaccurate personal data and to be removed from processing altogether. Internal policies and procedures should be implemented and maintained to appropriately respond to such requests.
Use Pseudonymous or Anonymous Data
Consider removing or limiting unique identifiers through the anonymization or pseudonymization of data. Some techniques include hashing, salting, encryption, and the use of tokens. This may help minimize the potential for future identification of end users, and may also help minimize your compliance obligations.
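The paragraph above lists pseudonymization techniques, and the Data Transfer Practices section mentions rolling retention, real-time IP obfuscation and Device ID blanking for EU traffic. The following is an added illustration of how a data processor might implement those controls; it is not TUNE’s code and does not describe TUNE’s actual implementation. The key, the event records and the field names (`country`, `ip`, `device_id`, `ts`) are constructed for the example. It uses a keyed hash (HMAC-SHA256) rather than a plain hash because a plain hash of a small identifier space such as IPv4 addresses or sequential device IDs can be recomputed by anyone holding the hashed data, which defeats the pseudonymization.

```python
"""Added illustration of pseudonymization, IP obfuscation, device-ID blanking
and rolling retention for log-level events. Not TUNE's code."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta

# Constructed demo key. In a real deployment the key lives in a secrets manager,
# is never stored beside the pseudonymized data, and is rotated on a schedule.
PSEUDONYMIZATION_KEY = bytes.fromhex(
    "6b3a7d1e9c2f4b8a5d0e7c1f3a9b2d4e6f8a0c1b3d5e7f9a2c4e6b8d0f1a3c5e"
)

# ISO 3166-1 alpha-2 codes of the 27 EU member states, used to scope the rules.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
})


def pseudonymize_id(identifier: str, key: bytes = PSEUDONYMIZATION_KEY) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256).

    The secret key plays the role of a fixed, secret salt: the mapping stays
    stable, so records can still be joined, but nobody without the key can
    recompute it from a guessed identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def obfuscate_ip(ip: str) -> str:
    """Drop the host part of an address: the last octet for IPv4, everything
    beyond the /48 prefix for IPv6. Applied in real time, the full address is
    never written to storage."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def apply_eu_rules(event: dict, *, obfuscate_ips: bool = True,
                   device_id_mode: str = "blank") -> dict:
    """Apply the opt-in controls to one log-level event, for EU traffic only.

    device_id_mode: "blank" removes the identifier, "pseudonymize" replaces it
    with a keyed hash, "keep" leaves it unchanged.
    """
    if device_id_mode not in ("blank", "pseudonymize", "keep"):
        raise ValueError(f"unknown device_id_mode {device_id_mode!r}")
    out = dict(event)  # never mutate the caller's record in place
    if event.get("country") not in EU_COUNTRIES:
        return out
    if obfuscate_ips and out.get("ip"):
        out["ip"] = obfuscate_ip(out["ip"])
    if device_id_mode == "blank":
        out["device_id"] = ""
    elif device_id_mode == "pseudonymize" and out.get("device_id"):
        out["device_id"] = pseudonymize_id(out["device_id"])
    return out


def purge_expired(events: list, now_iso: str, retention_days: int) -> list:
    """Rolling retention: keep only events whose ISO 8601 timestamp is within
    the retention window ending at now_iso."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [e for e in events if datetime.fromisoformat(e["ts"]) >= cutoff]


# Constructed sample events (documentation IP ranges, made-up device IDs).
SAMPLE_EVENTS = [
    {"ts": "2018-03-01T12:00:00+00:00", "country": "DE",
     "ip": "203.0.113.77", "device_id": "device-123"},
    {"ts": "2018-05-20T08:30:00+00:00", "country": "FR",
     "ip": "2001:db8:abcd:1234:5678::1", "device_id": "device-456"},
    {"ts": "2018-05-24T23:59:00+00:00", "country": "US",
     "ip": "198.51.100.9", "device_id": "device-789"},
]

if __name__ == "__main__":
    kept = purge_expired(SAMPLE_EVENTS, "2018-05-25T00:00:00+00:00", 30)
    for ev in kept:
        print(apply_eu_rules(ev, device_id_mode="pseudonymize"))
```

With the defaults, an EU event loses its full IP address and its device ID before it is stored, while a non-EU event passes through untouched; the retention helper drops anything older than the configured window each time it runs. The `strict=False` argument lets `ip_network` accept a host address and compute the containing prefix instead of raising on set host bits.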
Consider Data Minimization
Simply put: Collect only the data you need. Conduct an assessment of the data you collect and determine if it is all necessary.
How TUNE Clients Can Stay Prepared
Below are six steps you can take to ensure your team and your company are focused on the most important objectives of GDPR.
1. Get management buy-in and create awareness. Make sure all necessary stakeholders are involved in ensuring your organization is ready and knowledgeable about its GDPR obligations.
2. Understand your legal basis for processing data under GDPR: consent, legitimate interest, or another way. If using consent, develop and maintain a consent management procedure with your end users in mind.
3. What information do you hold? Take an inventory of locations where you process data, including apps, websites, cookies, and tags. Are all data points necessary?
4. Document how you collect, use, and store personal data. Update your external notices to end users and partners on how you will use their data.
5. Create and implement policies and procedures to give effect to end user rights (e.g., right to access, right to erasure, right to data portability). This includes appointing a privacy point of contact.
6. We offer Data Processing Agreements for all TUNE clients and partners that process personal data in the EU, available here.
GDPR has been a game-changer for many organizations, but it’s only the start of a trend. As global privacy regulations evolve and expand, we hope that all TUNE clients will strive to innovate and grow with the future of customer rights in mind. Privacy is here to stay.