GDPR FAQ

This page contains the most common questions about the coming General Data Protection Regulation (GDPR). The GDPR regulation began enforcement on May 25th, 2018 after a two-year transition period. It is important to note that the GDPR is not a Directive, like prior privacy frameworks in the EU, but a regulation. This means that no legislation needs to be passed by the individual EU countries for the regulation to come into force.

The GDPR not only applies to organizations located within the European Union (EU), but will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding personal data of data subjects residing in the European Union, regardless of the company’s location.

Organizations can be fined up to 4% of their annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements. For example, not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach, or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

The definition of personal data covered under GDPR is much broader than is generally considered to be the case in North America when discussing Personally Identifiable Information (PII). It includes any data that can be tied to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, preferences, or in some cases a computer IP address.

For the purposes of GDPR, PathFactory customers are considered the “Controllers” of the data captured by the PathFactory platform. They determine the purpose and means for collecting personal data, and are in full control of the usage of that data. PathFactory is considered the data “Processor” for our customers as our systems are processing the data on their behalf and only under their direction. PathFactory will provide all the functionality and controls that will enable our customers to use the platform in a GDPR-compliant fashion and to meet our obligations as a Processor of customer data.

We have implemented a process of internal workflows for receiving, tracking, executing, and replying to our customers for Subject Access Rights requests. Such requests will be handled in two primary ways. Manual execution based on a submitted support request and partially automated based upon a request to an API endpoint.

Yes. We have enhanced our cookie consent so that it can be used in a fully GDPR compliant fashion, while still allowing marketers to maintain a good customer experience for their audiences. These enhancements are easy to enable for your current and future Content Tracks as necessary and appropriate.

Yes, Amazon Web Services.

Assuming consent has been provided, visitor data is captured during the time a visitor is interacting with a PathFactory content track (the session), including IP address, geolocation, and firmographic data derived from the IP address. The visitor’s email address may also be captured depending on the link and channel from which they visited the content. If so configured by the customer, it is also possible to capture email address, phone numbers, physical address, and job role via form submission.

Yes, with industry standard AES-256 encryption.

Retained for a rolling 30 day horizon and is replicated in 6 different data centres.

Yes, there are daily backups located in Virginia.

Yes, it is in Virginia, and it is GDPR Compliant.

No.

Yes, if configured by customer (not on by default) to expire every 90 days.

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. We will notify customers within 72 hours of first having become aware of the breach.