With our new GDPR Module, Xtremepush enables enterprise brands to achieve GDPR compliance.
What is GDPR?
GDPR is a new legislation which will be introduced unilaterally across all EU Member States in May 2018. GDPR specifies the roles, processes, and technology enterprise brands must have in place to ensure their data belonging to EU citizens is secure, accessible and is used with consent.
How Xtremepush can help achieve GDPR compliance
Xtremepush is a powerful platform which in itself addresses key GDPR compliance requirements.
Our architecture, controls and real-time auditing capabilities ensure that we are perfectly positioned to manage your GDPR data protection, consent and right to be forgotten requirements, via a powerful, secure and resilient platform.
Customer Consent Management
Enables real-time exclusion of Customer data across multiple channels, and an ability to manage Customer Consent not just at an individual level but also at a segment or group level if required.
Data Management – Self Service Portal
Allow your users to control their data – allow access to a self-designed, branded page where customers can edit and access their data permissions, message history, data analysis and request to be deleted.
Data Management – Request Management
Easy, quick and clear management page where enterprises can easily deal with management request from their users. Power to add notes to their profile or delete all their data, as per request.
Right to be Forgotten
The right to be forgotten is easily enabled through the Customer Consent Management Module.
Enterprise Grade Security
Independently assessed by financial institutions globally for risk and compliance.
Real-Time Auditing Capability
The platform has an inbuilt Real-Time Auditing Capability to report on Consent and PII data protection components.
Our Agile Platform (cloud or on-premise) has been built with data protection and privacy rights at its core by design.
Key Principles of GDPR
1. Personal Information Data and Security
- GDPR broadens the definition of PII data to include any information relating to an identified natural person
- Online identifiers such as IP addresses and location data are now deemed to be Personally Identifiable Data
- Personal data must be protected in a manner that ensures appropriate security of the data, protecting against unlawful processing, accidental loss or damage with appropriate technical and operational measures in place
2. Privacy By Design
- Data privacy is engineered across the life cycle of a product/service development
- The most strict privacy controls possible apply once a Customer acquires a new product/service with no manual privacy setting changes required.
- Standards and controls include the encryption and pseudonymization of PII Data.
3. Obligations of Data Controllers/Data Processors
- If you are a Data Processor and use data from a Data Controller for a purpose other than that intended by the Data Controller, you then become a Data Controller under the legislation.
4. Customer Consent
- A Customer must provide a statement or a ‘clear affirmative action’, which may include ticking a box on a website. However, pre-ticking of boxes or similar inactivity is deemed to be an unacceptable form of consent
- In addition, explicit consent is required for processing of special categories of PII data (e.g. ethnic origin, political opinions, trade union membership, religious data, biometric data)
5. Right to Be Forgotten
- A Customer can withdraw consent at any time, which should be as easy as ability to give consent
- At the request of the Customer, all Personally Identifiable Data must be destroyed and removed from data storage platforms.
6. Reporting, breach notification, and fines
- Where a breach of security leads to the release of identifiable PII data being disclosed, destroyed, lost, altered or stolen, the competent supervisory authority must be notified no later than 72 hours after the data controller has become aware of it
- If a data processor experiences a data breach, it must notify the data controller
- If a company is found to be in breach of the GDPR, it is liable for a fine of 4% of global annual turnover of €20m, whichever is the greater amount
7. Potential requirement for a Data Protection Officer (DPO)
- There are specific cases where it will be mandatory to appoint a Data Protection Officer (DPO)
- The appointment of a DPO is a pragmatic approach that ensures ongoing compliance monitoring, avoids the risk of breach and demonstrates best in class data management approach.