The General Data Protection Regulation (GDPR), is a European privacy law approved by the European Commission in 2016 and will go into effect May 25th 2018. The GDPR will replace a prior European Union privacy directive known as Directive 95/46/EC which has been the basis of European data protection law since 1995. The GDPR is an attempt to strengthen, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right. The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and remove personal data. In a nutshell, it's giving EU citizens and residents control over their personal data while simplifying the regulatory environment for international business that takes place in the EU.
The Data Protection Principles include requirements such as:
We created a Data Processing Addendum (DPA) for our customers who collect data from folks in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. There will be no action needed on the part of our current Localist customers.
To guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign customers' DPAs.
If you have any questions or concerns please let us know.
We have a core team of leaders from each area of the Localist business, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who will ensure all the requirements of GDPR are covered from Marketing to Engineering to People Ops. The team meets weekly.
We've created a Cookie Policy to provide you with complete insight into what is being set when you visit our site and how it's being used. On our cookie policy page you can also read about steps you can take in order to control how your browser handles cookies.
We have reviewed and identified all the areas of Localist where we are collecting and processing customer data; categorizing and taking inventory of everything from cookies to support conversations. Using this matrix we have validated our legal basis for collecting and processing personal data and double checked that we are applying the appropriate security and privacy safeguards across our entire infrastructure and software ecosystem. Our Privacy Policy identifies what we are doing with the data we collect and how we manage consent.
We are in the process of reviewing our list of 3rd party vendors and performing a deep review of their GDPR compliance. We already have DPAs in place with most of our vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of the Terms of Service on May 25th.
At Localist we practice transparency internally and we believe that transparency extends to our customers. With our updated Terms of Service and Privacy Policy we openly describe what personal data we are collecting, processing, why, how we use it, who we share it with and how long we store it. We have always made an effort to keep the language in our Terms of Service and Privacy Policy as clear as possible and we have updated these notices to describe how we are respecting and protecting your personal data. We hope you find it concise, transparent, intelligible and easily accessible.
We are committed to helping our customers meet the data subject rights requirements of GDPR. Localist processes or stores all personal data in fully vetted, DPA compliant vendors. We do store all event content and personal data for up to 6 years unless your account is deleted. In which case, we dispose of all data in accordance with our Terms of Service and Privacy Policy, but we will not hold it longer than 60 days.
We are aware that if you are working with EU customers, you need to be able to provide them with the ability to access, update, retrieve and remove personal data. We got you! We've been set up as self-service from the start and have always given you access to your data and your user data. You can search for and delete any end-user profiles through our admin UI. If you need to export your end users data in a computer-readable format you are able to do so through our API.
Having a managed data protection impact assessment (DPIA) process is a requirement for GPDR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Localist engineering team has always undergone security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on customers of Localist and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the Localist platform. We will continue to execute this risk assessment process as we expand Localist offerings.
We already have a breach management and communication plan in place to support the requirements of HIPAA. We have updated this existing process to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.
