The European Union General Data Protection Regulation (GDPR) takes effect starting May 25, 2018. It is the greatest regulatory change in data privacy in the last 20 years, and will strengthen the security and protection of personal data for people residing within the member states of the European Union.
The most prominent feature of the GDPR, apart from its stringent stipulations, is its applicability to not just entities in the EU but those outside it as well. Any entity that processes personal data of an EU resident will fall within the ambit of the GDPR. In keeping with our commitment to the highest standards of privacy and security, WebEngage is ready for the GDPR. But that’s not all. As the core user engagement engine of your business, WebEngage is also committed to making it easier for you to comply with the GDPR by making tools and features available for you to use. We will support our customers in two main ways:
- Executing an updated Data Processing Agreement (DPA)
- New product capabilities which help you be compliant with GDPR requirements when your users request you to delete, suppress, update or export their data.
Our commitment to data security and privacy
If your business supplies goods or services to EU residents, or decides when, why and how user data is collected and processed, you’re considered a data controller. As a WebEngage customer, you likely perform one of the above activities and are a data controller under the GDPR. One of your requirements as a data controller is to only work with GDPR compliant data processors.
Businesses or vendors that process data on behalf of data controllers are considered data processors. As a retention marketing platform that assists you in collecting and processing end-user information, WebEngage is considered a data processor. As an independent platform that requires businesses like you to provide us with certain information about yourself before you can use our platform, WebEngage is also considered a controller. We are therefore ready for the GDPR as both.
Here are the initiatives for personal data protection that WebEngage is committed to, as one of your data processors:
- Executing a Data Processing Agreement: Personal data of users is going to be processed as per the terms mentioned in the Data Processing Agreement.
- Secure data transfer and storage outside the EU: Transfers of personal data outside the European Economic Area (EEA) are permitted as long as certain safeguards apply. WebEngage will protect any data originating from the EEA in line with the principles laid out in the GDPR.
- Pseudonymisation of all personal information: Personal information of users is always processed by WebEngage in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
- Technical and organizational security measures: WebEngage secures your data in transit, in backups, and at rest using best-in-class encryption standards.
- Processing data according to controller instructions: WebEngage only processes personal data as per instructions from its customers, the controllers.
- Prompt data breach notifications: WebEngage will promptly inform you of any incidents involving breaches of your users’ data, along with necessary details pertaining to the same.
How we enable our customers to be GDPR compliant
If you collect data of EU residents (either by yourself or with the assistance of other data processors), you are likely considered a data controller. We are rolling out features that will help you comply with your users’ requests to exercise their rights as defined by the GDPR, thus assisting you in compliance as well.
New Product Capabilities
- Delete user data: You will be able to honor your users’ requests related to the right to erasure (right to be forgotten) by creating an erasure request using our REST API. Creating the erasure request for a particular user ID will delete all the user data stored by WebEngage – both user profile (containing the user’s personal information) and events, including campaign and conversion data, if any. Also, any data which is received by WebEngage in the future and associated with this user ID will not be stored.
- Restrict user data processing: You can restrict the processing of user profile data for the users who exercise their right to object (the various rights to halt certain processing) or the right to restrict processing (the right to restriction) by creating a restriction request using our REST API. All processing will stop for restricted users: WebEngage will not store incoming data, no campaigns will be sent to such users and no new segments can be created with such users.
- Export user data: Users have the right to access and view all data pertaining to them (right to access, right to data portability). You can obtain user profile and events data by creating a portability request using our REST API.
- Rectify user data: The GDPR empowers users to have the data controller correct personal data concerning them which is inaccurate or incomplete (right to rectification). You can modify user profile data using the /users REST API call for any user ID.
Apart from the above capabilities, WebEngage will also allow you to manage the GDPR requests raised by you:
- Status of request: You can check the status of any of the open requests using the /opengdpr_requests/{requestId} API request.
- Delete request: You can delete an open request, but only while it is in the pending state, using the /opengdpr_requests/{requestId} API request.
We have summarized here the rights of end users and how WebEngage helps you comply with their requests corresponding to these rights. You can use a tool like Postman to make the API calls mentioned in the section above.
We look forward to ensuring compliance with the GDPR and continuing our engagement with all our customers.