What’s the GDPR?
The GDPR (General Data Protection Regulation) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organizations who collect or process personal data. It will come into force on 25th May 2018.
The full text of the GDPR can be found here.
Does the GDPR apply to me?
While the current EU legislation (the 1995 EU Data Protection Directive) governs entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who:
a) market their products to people in the EU or who
b) monitor the behavior of people in the EU.
In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Steps taken by PushAlert to become GDPR Compliant.
PushAlert is fully committed to GDPR compliance. The essence of GDPR aligns directly with our core values of protecting customer privacy and rights to one’s own data. As of May 2018, PushAlert is GDPR compliant as are our partners.
Establishing a Governance Structure
- Start the GDPR compliance process with a dedicated team. – Completed
- Create a comprehensive Privacy Management Framework. – Completed
- Appoint a Data Protection Officer. – Completed
- Initiate the internal Privacy and Security training. – Completed
- Conduct Data Protection Impact Assessment (DPIA). – Completed
Implementing Set Policies and Procedures
- Data Protection Policy – Completed
- Information Security and Governance Policy – Completed
- Data Breach and Incident Response Plan – Completed
- Risk management framework to assess and manage threats across the organization. – Completed
- Data Processing Addendum (DPA) – Completed
Implementing Data Privacy into Business Operations
- Prepare a detailed inventory of data and data-flows within our systems – Completed
- Establish procedures and policies to restrict processing of personal data – Completed
- Set up mechanisms to automatically track flow of all data within and outside our systems – Completed
Product Features Geared toward GDPR Compliance
Our team has built features needed to ensure we, and our customers, meet the GDPR obligations. PushAlert already provides the following capabilities geared toward protecting personal data and privacy:
- Anonymize IP address: By default, PushAlert captures only the first three octets of the IP address to ensure that these are rendered completely anonymous.
- Consent: Web Push Notifications already require website visitors to give explicit consent by turning on the browser-level permission.
- Subscriber data: After accepting to receive notifications, the push notification service of the browser creates a randomly generated ID for the subscriber. This ID cannot be used to identify a particular individual.
- Data Deletion: PushAlert automatically deletes data on expired endpoints and customers have complete control over their data. They can unsubscribe at any time from their browser and their data would be deleted from our systems.
- Data Retention: Our users can use the account features to remove or update their data. We have also decreased our data retention time of deleted data to 90 days.
- Granular control over the subscriber data collected through Privacy Settings.
- Enable subscribers to exercise their rights with regards to their personal information stored by you on PushAlert servers using Notification Preferences:
- Right to access personal information
- Right to get (any) personal information deleted
- Right to withdraw consent
We will update this page with the roadmap of our changes and how you can leverage these to become GDPR-compliant.
Feel free to reach out to us if you have any questions about the GDPR – we’d be happy to chat about it. You can also reach out to us on email on firstname.lastname@example.org
Last Updated: May 25, 2018