Intempt has made several product updates that allow our customers to use Intempt and comply with GDPR, including an API for user deletion and data export functionality. We have also updated our client-side SDKs so our customers’ website visitors can opt out of being tracked. Intempt’s team of privacy and security experts has been working to ensure we provide the tools our customers need and that we can meet our obligations to them.
On May 25, 2018, the General Data Protection Regulation (“GDPR”) will take effect. As the most significant data protection regulation in twenty years, the GDPR replaces the EU Data Protection Directive and seeks to strengthen individual rights while harmonizing the patchwork of data protection laws throughout Europe. The GDPR regulates the “processing” of personal data, which is defined very broadly, of individuals in the EU, regardless of where the processing takes place. Failure to comply with the GDPR could result in heavy fines: up to €20 million or 4% of annual worldwide turnover, whichever is higher. Below we’ve provided the details on the changes we’ve made and links to our product updates and GDPR resources.
The GDPR grants broad rights to individuals (known as “data subjects”) with regard to their personal information and who has access to it: the right to access the personal data an organization holds about them, the right to have it corrected, the right to have it erased (the “right to be forgotten”), and the right to receive a copy of it in a portable form. In practice, this means organizations must now be able to respond to a data subject’s request to access, correct, delete, or retrieve their personal information. As a data processor for our customers, we have built tools that will allow us to assist our customers in complying with these data subject requests.
First, our client-side SDKs have been updated to provide more robust opt-out methods that opt users out of tracking at both the API and the cookie level: once a visitor opts out, the SDK stops sending events to our collection API and stops setting or reading its tracking cookies. Customers remain responsible for establishing a lawful basis for processing (for example consent or legitimate interest) with their end users.
Second, we have developed deletion and export tools for end user data to provide our customers with the tools they need to respond to deletion or access requests.
Third, we’ve updated our customer data retention period to a default of five years for visitor data. Among other obligations, GDPR limits the time period in which an organization may retain personal data to “no longer than is necessary for the purposes for which the personal data are processed.” Intempt has historically allowed customers to retain data indefinitely. In developing this new policy, we were mindful of our customers’ needs for historical data while balancing the storage limitation principle in the GDPR, which is why our default retention period is five years. You can find more information on our retention policy, and the options available to customers, in our Help Center. If you have any questions you can always reach out to firstname.lastname@example.org.
Finally, as we discuss in more detail below, we wanted to make sure we tightened up controls around who in Intempt has access to the data our customers send into Intempt. To do that, we audited our systems and access permissions to ensure that only those designated as having a “need to know” are able to access the data sent into Intempt.
As a data processor under the GDPR, we are responsible for the subcontractors (sub-processors) we retain to help us provide our services. To support delivery of our services to customers, we engage certain vendors who help us process our customers’ data. Some of these vendors provide our data storage and infrastructure and are an integral part of the services we provide, while others provide important account management assistance. We know we have an important responsibility when it comes to scrutinizing these subcontractors, which is why our Vendor Risk Assessment program requires each subcontractor to undergo a rigorous review to ensure it has the required technical and organizational expertise and measures in place to deliver an appropriate level of security and privacy. As part of our subcontractor review we have developed an internal map of all customer data flows to support GDPR compliance, which includes our obligation to assist with data subject access requests.
A list of our subcontractors can be found here and is also linked to in our Data Processing Addendum that is publicly available. As noted in our DPA, if a customer requires prior notification of any updates to the list of subcontractors, that customer can request notifications of those updates by emailing email@example.com.
The GDPR requires controllers and processors of personal data to “implement appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. Intempt uses Amazon Web Services (“AWS”) as its third-party cloud storage subcontractor and does not host customer data on its premises. AWS is a leading cloud provider whose infrastructure holds industry security attestations such as SOC 2 and ISO 27001, and it provides encryption in transit and at rest, without any action required from our customers.
For Intempt employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Additionally, all Intempt employees must abide by multiple policies about handling customer data securely and protecting customer data.
At least annually, we invite an independent, third-party auditor to run penetration testing. Additionally, we run software vulnerability scans and operate an event management infrastructure that provides 24x7x365 monitoring and alerting for incidents in our networks and systems.
Intempt customers can access product features and configurations to further protect personal data against unauthorized or unlawful processing. You can read more about our commitment to security here.
At the end of the day, GDPR has forced organizations to be more thoughtful in their approach to the collection and processing of personal data, which we welcome and embrace. We have appointed a Data Protection Officer (DPO) to guide Intempt’s global privacy program and ensure that Intempt complies with its obligations under GDPR and other privacy regimes. Our DPO will help the teams at Intempt work through the Data Protection Impact Assessment (DPIA) process (as required by Article 35 of the GDPR) to recognize and minimize data protection risks. When you are entrusted with data the way our customers entrust theirs to us, Privacy by Design should be an integral part of product engineering, as it is at Intempt.
If you would like more information or have follow-up questions please reach out to us at firstname.lastname@example.org.