- What is the General Data Protection Regulation (GDPR)?
- Will Bound be compliant with the General Data Protection Regulation (GDPR) on May 25, 2018?
- Will our customers be able to use Bound products and services without risking a breach of the GDPR?
- What are the roles within GDPR?
- How exactly does Bound comply with the GDPR?
- Will Bound’s approach to the GDPR change at a later date?
- Beyond the products and services, Bound has prepared for the GDPR by adjusting some of our processes and legal agreements. Which ones?
- Do these changes affect Bound customers in any way?
- Will this work impact Bound customers’ current (or planned) integration in any way?
- For those of you saying, “Wait, what is the GDPR?”
What is the General Data Protection Regulation (GDPR)?
GDPR is a European Union (EU) law that regulates the collection and use of information about Website visitors located in the EU. The GDPR applies to all 28 EU member nations as well as Iceland, Norway, and Liechtenstein, non-EU nations that are part of the European Economic Area (EEA). For now, the United Kingdom is also subject to the GDPR, but that could change as Brexit is finalized. The GDPR is enforced starting May 25, 2018. Virtually every company Bound works with is impacted by GDPR. We recommend that you coordinate with legal counsel to understand how your business achieves compliance.
Will Bound be compliant with the General Data Protection Regulation (GDPR) on May 25, 2018?
Yes. Bound is compliant prior to May 25, 2018, the date the GDPR comes into force.
Will our customers be able to use Bound products and services without risking a breach of the GDPR?
Yes. Bound reached GDPR compliance prior to May 25, 2018. However, it’s critical to note that for our customers to whom the GDPR applies, Bound on its own does not make your business compliant. You will need to make certain your own business is compliant with the GDPR. If your business is not compliant, you still risk a breach of the GDPR by using Bound products and services — even though we are compliant.
What are the roles within GDPR?
Under the GDPR, the “Data Controller” has the relationship with the Website visitor who is within the EU. In our relationships, Bound customers are Data Controllers and Bound is the “Data Processor”. Thus, we process data on behalf of our customers, the Data Controller, who has the primary and direct relationship with the EU Website visitor.
As part of our contractual relationship with our customers, Bound enters into a Data Collection, Processing, and Retention agreement for operating under the GDPR.
How exactly does Bound comply with the GDPR?
Bound’s policy is simple and straightforward: starting May 25, 2018, Bound will use a GeoIP lookup and/or cookie-based data to identify a Website visitor’s location. If the Website visitor is identified as being in the European Union (EU), Bound will not process, store or track the user’s data. Instead, upon EU location determination, Bound serves only default content or randomized content to the EU visitor. For auditing purposes, Bound securely logs only the visit’s identification mode (GeoIP or cookie), a date and time stamp, and the associated “do-not-track” values required to demonstrate that we are compliant with the GDPR.
If our customers have a need to continue personalization for EU Website visitors, we can personalize if our customers complete our GDPR addendum confirming the customer is compliant and that they are handling all consent management with their EU Website visitors.
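The gating and minimal audit logging described in the two paragraphs above, as an added illustration that is not Bound's own code: the GeoIP table, the `bound_country` cookie name, the country list, the cookie-before-GeoIP precedence and the shape of the "do-not-track" record are all constructed assumptions for this example.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Illustrative subset of EU/EEA country codes (ISO 3166-1 alpha-2); a real
# deployment would load the full list. Constructed for this example.
EEA = {"DE", "FR", "IE", "NL", "IS", "NO", "LI", "GB"}

# Constructed stand-in for a GeoIP database: network -> country code.
# Uses RFC 5737 documentation ranges, so nothing here is a real location.
GEOIP_TABLE = {
    ip_network("203.0.113.0/24"): "DE",
    ip_network("198.51.100.0/24"): "US",
}


def locate(ip, cookies):
    """Return (mode, country). A location cookie wins over GeoIP (assumed order)."""
    if cookies.get("bound_country"):
        return "cookie", cookies["bound_country"].upper()
    addr = ip_address(ip)
    for net, country in GEOIP_TABLE.items():
        if addr in net:
            return "geoip", country
    return None, None  # location could not be determined


def handle_visit(ip, cookies, personalized, default, addendum_signed=False):
    """Return (content, audit_record).

    An EU visitor receives `default` and an audit record holding only the
    identification mode, a UTC timestamp and do-not-track flags; the IP,
    cookie payload and any visitor data are deliberately not recorded.
    If the customer has executed the personalization addendum, or the
    visitor is not identified as in the EU, personalization proceeds and no
    compliance record is written. An undetermined location is treated as
    non-EU here, following the "if identified as in the EU" wording
    (assumption; a stricter deployment could fail closed instead).
    """
    mode, country = locate(ip, cookies)
    if country in EEA and not addendum_signed:
        record = {
            "mode": mode,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "dnt": {"process": False, "store": False, "track": False},
        }
        return default, record
    return personalized, None
```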
Will Bound’s approach to the GDPR change at a later date?
As with all things product and service related, Bound is always working to evolve. As the roles, strategies and technologies related to GDPR change, we anticipate that we will too. Any changes made to our approach will be clearly detailed for our partners and customers in advance, giving them the ability to select their preferred method of interaction with their Website visitors.
Beyond the products and services, Bound has prepared for the GDPR by adjusting some of our processes and legal agreements. Which ones?
As anybody involved with GDPR has experienced, this is a massive undertaking touching almost every aspect of the business. To date, we have identified and/or addressed:
- Privacy by Design: We are always reviewing the way we design, build and implement updates and new products and services to ensure data privacy remains a core part of our decision-making processes at every level.
- Data Security: We reviewed and amended our data practices and policies to ensure our approach to data is compliant, consistent and clear across the Bound ecosystem.
- Working with Customers: We are working with our customers to answer their questions and adjust or supplement our agreements to ensure customers can use Bound in compliance with GDPR.
- Data Management: You and/or your Website visitors own the data, not Bound. We’ll take whatever data-related actions you or your Website visitors request.
- Data Processing: As the Data Processor, Bound has adjusted terms and processes to fulfill commitments to customers in their role as Data Controller. Bound has worked to ensure our terms and conditions contain provisions that are appropriate to the data we store, and balance the risks and responsibilities between us and our customers fairly.
Do these changes affect Bound customers in any way?
Yes. We have updated legal terms to bring them into compliance with the GDPR and those changes now apply to Bound customers. We recommend Bound customers read the updated terms because using Bound products and services after the updated terms have gone live will be treated as acceptance of those terms.
Will this work impact Bound customers’ current (or planned) integration in any way?
The answer is, maybe. If you opt for our default serving, our Customer Success Manager(s) will work with you to determine alternative analytics and personalization strategies for EU visitors, and no additional legal agreements are required. If you have active campaigns running for visitors within the EU area, we will no longer process, track or store the data associated with their Website interactions — unless you have executed the addendum allowing Bound to personalize for your EU Website visitors.
For those of you saying, “Wait, what is the GDPR?”
The General Data Protection Regulation is a new European data regulation which will replace the current EU Data Protection Directive. The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. It is designed to give organizations a consistent framework on how personal data can be collected, processed, used, and shared across EU member states. The GDPR provides individuals with more control over how their personal data can be processed.