#SocialHour: GDPR Compliance
• May 23, 2018
Carmen Shiu is a six-year CLEVER veteran, project manager, and product developer. She works closely with our tech team and our social media partners to ensure we have the latest understanding and solutions for addressing 1st, 2nd, and 3rd party platform updates.
Today’s installment is all about GDPR. What is it? Why is it important? What does it mean for us and our network?
What is GDPR? A legal framework that sets guidelines for personal data collection and how it’s used for people in the EU, beginning May 25, 2018.
YES! WE ARE GDPR-COMPLIANT!
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU), which goes into effect on Friday, May 25, 2018.
Under these terms, organizations must ensure that the personal data of EU citizens and residents is gathered, stored, and processed legally, and under strict conditions. In addition, those who do collect and manage such data must protect it from misuse and exploitation. Otherwise, such organizations will face penalties/fines.
Check out this ZDNet article for more in-depth info about GDPR.
WE’RE CLEVER & WE’RE GDPR-COMPLIANT!
While CLEVER does not collect or process any personal information subject to GDPR, nor do we offer goods or services to EU residents or citizens, we are taking all the extra measures to ensure that we are covered and compliant anyway, including:
Auditing data security of all of our systems
Anonymizing, pseudonymizing, and/or encrypting personal information where needed
Updating our privacy policies & TOS
Auditing data from contact forms on our websites
Ensuring compliance of all tracking & metrics plugins/pixels
Not storing blog post comments that might contain personal information
Ensuring compliance of our online website chat
Issuing an updated NDA to cover CLEVER staff usage of data
Furthermore, we are compiling GDPR data processing agreements from all of our vendors.
WHAT ABOUT OUR NETWORK?
Overall, our North American influencers do not have anything to worry about when working with us. While GDPR applies to the collection of site metrics (IP addresses) for sites that have visitors from the EU, our systems and Pixel are compliant.
However, because we do not do business in the EU, supporting membership for members who reside in the EU has significant costs and legal requirements, and since only 0.1% of our membership resided in the EU, we have removed EU members from our network. We will no longer be accepting applications from EU influencers, or citizens of other countries that have reciprocal GDPR laws, and any data provided by those applying will be removed immediately.
BUT HOW ARE WE COMPLIANT FOR MEMBERS?
While we do collect personal information (e.g., names, email, addresses, phone numbers, demographics) from our members, we use that information for the sole purpose of program selection and execution. We share that information with third-party services only when necessary for membership maintenance and program execution (e.g., when we use MailChimp to send emails, when clients ship products to members, and for clients to review applicants for program selection). Information is never sold—especially not without the members’ explicit consent.
We are also adding GDPR-compliant data download and account removal features to the DASH, the CLEVER member dashboard. Additionally, member data is retained in backup archives in encrypted form for up to 30 days.
The CLEVER Pixel:
The only personal data the CLEVER Pixel collects are IP addresses, which is okay because…
The data we collect from the Pixel is never used to identify individual people, nor combined with other data for that purpose; AND
Pixel data is aggregated and only used to determine blog traffic levels; PLUS
Access to this data is strictly controlled and restricted to the members of our tech team responsible for our metrics systems; ALSO TOO
We anonymize and/or pseudonymize Pixel data as outlined by the GDPR; BUT ALSO
Any IP address data archived for business continuity reasons is encrypted and kept for no more than 90 days
Lastly, CLEVER does not share any IP address data collected from the Pixel with any outside entity.
If clients provide pixels for influencers to implement in their blogs or blog posts, such pixels must be GDPR-compliant and must be agreed to and implemented by the individual bloggers.
Other Audience Data:
CLEVER enriches member profiles with information about their social channel audiences. The data we use for this is public, anonymized, and aggregated, and comes from partners who are themselves GDPR-compliant. Audience data cannot be used to identify or track any individual audience member.