GDPR

What constitutes personal data?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition covers a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

This means that these types of data will now be subject to fairness, lawfulness, security, data export and other data protection requirements just like every other type of ‘ordinary’ personal data.

Personal data that has been pseudonymised – for instance, hashed or encrypted – may also fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

What is GDPR and why is it important?

The General Data Protection Regulation (GDPR) standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. The GDPR replaces the 1995 EU Data Protection Directive and comes into force on May 25, 2018. It also supersedes the 1998 UK Data Protection Act.

The GDPR is important because it improves the protection of European data subjects’ rights and clarifies what companies that process personal data must do to safeguard these rights. It’s essential to be prepared for the GDPR as there will be obligations on companies handling EU data and there could be fines or further consequences if data protection standards are not up to scratch.

What should I do to ensure my app is compliant with the GDPR?

Depending on whether your app allows users to manage their account and complete the checkout process within the app will determine the action you may need to consider taking to ensure compliance with the GDPR.

Guest only apps where users navigate to your website to manage their account or complete the checkout process do not involve storage of any personal data. For such apps, Poq acts as a data processor, which you may wish to state in your own privacy notices.

For apps that allow users to manage their personal profile, Poq will process a user's registration and account details via secure HTTPS API calls. In the event an API call fails, we will log the details of the failed call including the user’s details and this data will automatically be deleted after a maximum of 90 days.

Apps that allow users to complete the checkout process natively within the app involve Poq holding the users' details in a secure server, therefore, acting in the capacity of the data processor, again you may wish to state this in your own privacy notices.

In order to comply with the GDPR, Poq will be defaulting any marketing preference toggles to opted out for new apps, which will ensure users actively need to opt-in to any marketing activity. We would recommend clients review the current settings for their own app and advise Poq should they wish to make any changes.

For new account registrations within the app, a standard message in relation to the acceptance of Terms and Conditions and Privacy Policy will be added above the registration button. This message will advise users that the creation of an account confirms their acceptance of the Terms and Conditions and Privacy Policy. Again, we would recommend clients review the current settings for their own app and advise Poq should they wish to make any changes.

For existing apps, we will only make changes including the ones listed above based on client instruction. Should you wish to default existing marketing preference toggles to opted out, and include a message in relation to the acceptance of Terms and Conditions and Privacy Policy, Poq will action these changes free of charge.

We will only make changes beyond those mentioned above on your instruction and will review any specific requests on an individual case basis around effort and pricing.

What is Poq doing to be GDPR compliant?

We take our responsibilities under the GDPR seriously and welcome it as an important step in streamlining data protection across the EU. We have embarked on a programme to identify which measures we need to implement to be compliant with the GDPR and are working to implement them in time for May this year. Here is a summary of what we’ve done so far:

We conducted a data-mapping exercise that tracks personal data flows throughout our systems. We underwent an external readiness assessment with a leading security consultancy to find any gaps. We created an internal roadmap based on the gap assessment to work towards compliance with the GDPR by 25 May 2018. We have done an internal training programme so that employees are aware of what the GDPR requires. We’re updating procedures to deal with some key data subject rights, like subject access requests and the right to request deletion. We're reviewing our key third-party sub-processor arrangements to make sure we have the appropriate contractual protections in place to satisfy the GDPR requirements. Some of the key items we will be working on over the coming months are:

• Integrating privacy by design into system and product development, including through the creation and implementation of data protection impact assessments.
• Updating our external- and internal-facing policies to be compliant and publishing those policies ahead of the GDPR effective date.
• Developing a compliant data retention policy.
• Updating our existing data breach procedures. Finalising our data maps and data-processing records.

The GDPR will come into effect on 25 May but businesses will need to continue monitoring and adapting their data protection policies and technology to remain compliant beyond this date, as such Poq will conduct regular reviews of our data protection policies and technology accordingly.