Data and its protection are becoming increasingly important to individuals and enterprises. As you most likely know, the European Union (EU) enacted the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which has been enforced since May 25, 2018. The GDPR is designed to give EU residents better control over their personal data regardless of where data is sent, processed or stored by establishing one set of data protection rules across the EU.
We want to provide all of our clients – across the globe – with more transparency and information about our GDPR journey and how we process EU residents’ personal data.
First and foremost, we are committed to protecting your personal data and to GDPR compliance. We have analyzed the GDPR requirements to determine which articles impact us, our data partners, vendors and customers. We continue to work together with our privacy counsel and monitor any changes in applicable legislation and the guidance provided by the European Data Protection Board to ensure we stay on top of the policies and procedures as they evolve.
For further background on our compliance, please see below. We have already taken these steps to be compliant:
- Updated our privacy policies and cookie statement to be fully transparent on what personal data we process and what we do with it.
- Incorporated data protection impact assessments into our product management process.
- Received legal counsel and expert advice to help us fine-tune our compliance strategy and plan. We have trained key personnel on GDPR and appointed a GDPR-certified DPO.
- Completed a data inventory, mapping and networking exercise to ensure we understand the types of personal data we process, the lawful reason we use to collect the data, where the collected data is stored and the security measures used to protect it.
- Ensured that the data centers we use have the necessary data security requirements and controls in place to protect our customer data, including the ISO 27001 certification. Our servers also have redundant multi-factor authorization requirements for physical access to the facility housing the systems.
- Put strong data protection controls in place, which include encryption in transit of customer data, to safeguard data subjects' data from unintended disclosure or misuse. We also maintain incident response and notification processes and perform periodic code scans and penetration tests.
- Created processes to execute data subject requests and to safeguard other rights of data subjects in an expedient and accurate manner.
- Updated our retention policy and assessed the possibilities to limit the personal data we process.
- Drafted a Data Processing Agreement, which we can share with our clients when necessary (please ask your Account Manager for a copy).
- Put in place appropriate consent processes when consent is used as our legal basis for processing personal data. This includes, among others, European journalists in our Influencer database.
To give you a better understanding of who is the controller and processor when it comes to personal data processed by us, we have defined these processes below.
We are the data controller when processing the following personal data:
- Employee and applicant data, where our processing is based on consent, contract and/or legal obligation.
- Journalists' personal data stored in our Influencer database, where our processing is based on consent and legitimate interest.
- Marketing database, where our processing is based on consent.
- Personal data in the news and social content we provide to our clients, where our processing is based on legitimate interest.
We are the data processor when processing the following personal data:
- Customer data (including user data, Imported journalists and newsletter recipients), where our processing is based on the contract between us and our customers.
We understand compliance is a shared responsibility with our customers and everyone else involved. We are committed to partnering with you to help you successfully comply with the GDPR and understand how our processing impacts you. Should you have any questions about our compliance plan, please reach out to your Account Manager or our Client Acquisition team, should you not yet be our customer.