This page collects the most common questions about the General Data Protection Regulation (GDPR) and how PathFactory addresses it. The GDPR has applied since May 25th, 2018, after a two-year transition period. It is important to note that the GDPR is a Regulation, not a Directive like the EU's earlier privacy framework. This means that no national legislation needs to be passed by the individual EU member states for it to come into force; it is directly applicable in all of them.
The GDPR applies not only to organizations located within the European Union (EU), but also to organizations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. In other words, it applies to any company processing or holding the personal data of data subjects residing in the EU, regardless of where the company is located.
Organizations can be fined up to €20 million or 4% of their annual global turnover, whichever is higher, for breaching the GDPR. This is the maximum fine and is reserved for the most serious infringements, such as processing without a valid legal basis (for example, without sufficient customer consent) or violating the basic principles for processing personal data. Fines are tiered: a lower tier of up to €10 million or 2% of annual global turnover applies to failures such as not keeping records of processing in order, not notifying the supervisory authority and data subjects about a breach, not conducting a required data protection impact assessment, or not implementing data protection by design and by default. It is important to note that these rules apply to both controllers and processors, so cloud providers are not exempt from GDPR enforcement.
The definition of personal data under the GDPR is much broader than what is generally treated as Personally Identifiable Information (PII) in North America. It covers any information relating to a natural person (a ‘data subject’) that can be used to identify that person, directly or indirectly. This can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or preferences, to online identifiers such as a computer’s IP address or a cookie identifier.
For the purposes of the GDPR, PathFactory customers are the “Controllers” of the data captured by the PathFactory platform: they determine the purposes and means of collecting personal data and are in full control of how that data is used. PathFactory is the data “Processor” for its customers, because our systems process the data on their behalf and only under their direction. PathFactory provides the functionality and controls that enable our customers to use the platform in a GDPR-compliant fashion and that allow us to meet our own obligations as a Processor of customer data.
Does PathFactory provide a mechanism for customers (users) of the platform to submit a Subject Access Request?
We have implemented internal workflows for receiving, tracking, executing, and replying to Subject Access Requests from our customers. Such requests are handled in two primary ways: manual execution based on a submitted support request, and partially automated execution based on a request to an API endpoint.
Is there a way to request and require a visitor’s consent before tracking and storing their personal data in the PathFactory platform?
Yes. We have enhanced our cookie consent so that it can be used in a fully GDPR-compliant fashion, while still allowing marketers to maintain a good experience for their audiences. These enhancements are easy to enable for your current and future Content Tracks as necessary and appropriate.
Is PathFactory hosted on a cloud platform? If so, which cloud provider?
Yes, Amazon Web Services.
What personal information is captured by PathFactory and stored either in the application or in cookies?
Assuming consent has been provided, visitor data is captured while a visitor is interacting with a PathFactory content track (the session), including the IP address, geolocation, and firmographic data derived from the IP address. The visitor’s email address may also be captured, depending on the link and channel from which they reached the content. If the customer configures it, email address, phone number, physical address, and job role can also be captured via form submission.
Is the data stored in the PathFactory platform encrypted?
Yes, with industry-standard AES-256 encryption.
What is the current retention policy for live data?
Live data is retained on a rolling 30-day horizon and is replicated across 6 different data centres.
Are there backups of personal data? If so, where are the backups located?
Yes. Daily backups are located in Virginia.
Is there a disaster recovery provision in place? Is it GDPR compliant?
Yes. The disaster recovery site is in Virginia, and it is GDPR compliant.
Does PathFactory have any environments, other than a customer’s production environment, that contain personal information?
Is there a time limit after which passwords expire?
Yes. If configured by the customer (it is not on by default), passwords expire every 90 days. Note that current NIST guidance (SP 800-63B) advises against forced periodic password rotation unless there is evidence of compromise, so enable this only where your own policy requires it.
In the unlikely event of a data breach, how quickly will PathFactory notify customers?
Under the GDPR, breach notification is mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”: the controller must notify the supervisory authority within 72 hours of becoming aware of the breach, and a processor must notify the controller without undue delay after becoming aware. We will notify customers within 72 hours of first having become aware of the breach. Controllers should factor this into their own breach response timeline, since their 72-hour deadline runs from the time they become aware.
Do you have automated data cleaning that can be used to remove inactive visitors and set relevant timescales?
There is currently no automated cleansing of inactive records. We are building new analytics functionality that will let you assess the “health” of your visitor database based on activity and create segments of visitors, and we are considering a feature that would allow an administrative user to purge or delete such an audience.