What is GDPR?
The General Data Protection Regulation is a rule passed by the European Union in 2016, setting new rules for how companies manage and share personal data. In theory, the GDPR only applies to EU citizens’ data, but the global nature of the internet means that nearly every online service is affected, and the regulation has already resulted in significant changes for US users as companies scramble to adapt.
The GDPR enforcement puts the control of personal data collected by businesses in the hands of the individuals it belongs to, protecting the rights of EU residents. The regulation delineates individuals’ rights to access, rectify, and restrict the processing of personal data, among other key provisions, and aims to unify privacy and security laws for all organizations operating within the EU.
In the context of this document, we will be focused on how to implement the different rights once invoked by the Data Subjects.
Nomenclature
- Data Subject - End Users
- Data Controller - Upshot.ai Customers
- Data Processor - Upshot.ai
Data Subject Rights
Contractual Obligations
- What is it?
This right allows end users to delete all information about them from Upshot.ai servers.
- Upshot.ai Implementation
“Please refer to SDK and Enterprise API document.”
NOTE: When a user’s profile is deleted, no future data is tracked about the user. If the data subject wants to start sending the data again, then Data Controllers have to ensure that the appropriate APIs / methods in the SDK or the Enterprise APIs are invoked. If this is not done, Upshot.ai will never receive ANY data of the said user again.
- Access Control
The data controller can issue Disable / Enable / Opt-out / Opt-in calls on behalf of data subjects via the SDK or Enterprise APIs. Data subjects should not invoke these APIs directly.
- Implications
- The data controller will have to stop sending future data for the profile, which is thereby suppressed.
- Once a data subject hits delete for a profile, all data coming from any device associated with the data subject will also have to be stopped. Upshot.ai SDKs have the information on which data subject has invoked the delete request and make a best-case effort to NOT send any data about that data subject to Upshot.ai servers from any device the subject uses.
- Unreachable on Marketing Channels
- Since the data of the data subject is deleted, there is no way to reach out to the data subject on marketing communication channels.
- Dashboard Implications
- You will not be able to view the profile page of the said user once it has been deleted.
- You cannot roll back erase once called. There is no way to get the information back once the delete function is invoked.
- The actual erasure can happen anytime within 30 days of the request, but in most scenarios it is honored within 24 hours.
- Funnels, segments, campaign stats, reports, and other analytics will be impacted as the numbers may show some data inconsistency.
- Users cannot download the profile information of the said user from anywhere on the dashboard.
- Default state
The profile will be erased only by explicitly calling the appropriate method in the SDK or the enterprise API.
Right to Modify/Rectify
- What is it?
This right allows users to modify/rectify any profile data stored about them.
- Upshot.ai Implementation
- Via API: Upshot.ai provides an API that allows Data Controllers to upload profile information for their users. Hence, if a Data Subject requests a profile change, the Data Controller can upload the user's profile data via the API.
- Via SDK: The Data Controller can also use the existing SDK methods to update the profile information of the data subject.
- Access Control
The Enterprise API can be accessed by any entity that has access to the credentials. The responsibility of safeguarding the API credentials solely lies with the Data controller.
- Implication
The old profile information will be overridden with the new profile for the given user identifier. Data controllers can only update the user profile information of an existing data subject, and no new profiles can be created.
- Default state
The profile will be modified only by explicitly calling it via API/ the appropriate method in the SDK.
Right to Access
- What is it?
This right allows users to access data that has been captured/ received about them by the Data controllers and Data Processors (On behalf of data controllers).
- Upshot.ai Implementation
- API Download: This API allows data controllers to invoke data download requests for specific users via their identities (AppUIDs).
- Access Control
Enterprise API can be accessed by any entity that has access to the credentials. The responsibility of safeguarding the API credentials solely lies with the Data controller.
- Implication
The download returns the latest profile of the said user.
- Default state
The profile will be downloaded only by explicitly calling the download API.
Right to Data Suppress (Opt Out)
- What is it?
This right allows users to opt-out of sharing any data with Data Processors.
- Upshot.ai Implementation
- Via the latest SDK (v 1.4)
- In this scenario, the data controller should set the data Opt-out flag in the SDK for the appropriate user. Refer to the SDK documentation for more details.
- The data controller can still send campaigns to these users based on the past data captured prior to this request.
- If the data subject logs in from multiple devices, data controllers must ensure that this flag is set appropriately across all devices.
- If multiple data subjects log in to the same device, the Data Controller needs to validate each user's identity and ensure that this flag is set appropriately across all logins.
- Access Control
If the SDK has been updated and the user is running the updated version of the app, all end users have the right to opt out using the mechanism provided by the controller.
- Implication
- The profile page of the user who has opted out will be stale and will not have the latest events performed by the user.
- While creating segments, funnels, and reports, past data of the opted-out users will still be considered based on the date ranges selected. Appropriate care must be taken while creating segments that might include profiles of Opted out users.
- Default state
- By default, we will continue collecting profile and event data unless the SDK explicitly raises the flag.
- Default state: opt-out: disable, i.e., we will collect data from the device by default (to be compliant with GDPR, we recommend that users set this flag to enable by default which ensures no collection of data unless explicit permission is provided by the end users).
Opt-In
If the user who has opted out chooses to opt back in, all data will be appended to the same profile if identified as an existing user.
The user will be treated as the same user (we will not create a new profile for the user).
- What is it?
GDPR provides the right to the user to opt out of marketing communication.
- Upshot.ai Implementation
- Push opt-out - Our SDK has a flag ‘pushOptout’, which, if set to yes, will ensure that push notifications are blocked for the specific device. When this flag is set to yes for a specific data subject identity, Upshot.ai will suppress all the devices associated with the data subject.
- SMS opt-out - Our SDK has a flag ‘SMS opt-out’, which, if set to yes, will ensure that SMS notifications are blocked for the specific data subject. When this flag is set to yes for a specific data subject identity, Upshot.ai will suppress all the phone numbers associated with the data subject.
- Email opt-out - Our SDK has a flag ‘email opt-out’, which, if set to yes, will ensure that email messages are blocked for the specific data subject. When this flag is set to yes for a specific data subject identity, Upshot.ai will suppress all the email addresses associated with the data subject.
- Access Control - If the SDK has been updated and the updated app is being used by a user, all end users have the right to opt-out of Marketing.
- Implication
- If the data controller wants users to be opted out of marketing communication across ALL channels, all the above flags need to be explicitly moved to the yes state for the said data subject.
- Data Controllers need to be cognizant of sending transactional communication to the users who have opted out of marketing.
- Default state
- By default, we will continue marketing communication to said users unless the SDK explicitly raises the flag.
- Default state: no, i.e., we will send marketing messages by default.
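The data opt-out section above requires that opt-out state follow the data subject across devices and logins, and the marketing section requires per-channel flags plus care with transactional messages. The following is an added, controller-side illustration of that bookkeeping; it is not Upshot.ai's SDK, and the class and method names (ConsentLedger, login, erase, allow_event, allow_message) are hypothetical. The flag keys mirror the page's ‘pushOptout’-style naming but the "dataOptout", "smsOptout" and "emailOptout" keys are assumed.

```python
from dataclasses import dataclass, field

CHANNELS = ("push", "sms", "email")


@dataclass
class Consent:
    """Per-subject state kept by the Data Controller (hypothetical model)."""
    erased: bool = False        # delete request issued: irreversible, stop all sending
    data_opt_out: bool = False  # tracking opt-out: stop new events, keep past data
    marketing_opt_out: dict = field(
        default_factory=lambda: {ch: False for ch in CHANNELS})


class ConsentLedger:
    """Consent keyed by AppUID (the subject), never by device."""

    def __init__(self):
        self._by_subject = {}   # app_uid -> Consent
        self._devices = {}      # app_uid -> set of device ids seen at login

    def get(self, app_uid):
        return self._by_subject.setdefault(app_uid, Consent())

    def login(self, app_uid, device_id):
        """Run on every login: a second device, or a second user on a shared
        device, receives the subject's own flags, not the device's last state."""
        self._devices.setdefault(app_uid, set()).add(device_id)
        return self.flags_for_device(app_uid)

    def flags_for_device(self, app_uid):
        c = self.get(app_uid)
        flags = {"dataOptout": c.erased or c.data_opt_out}
        for ch in CHANNELS:  # erasure implies every channel is suppressed
            flags[f"{ch}Optout"] = c.erased or c.marketing_opt_out[ch]
        return flags

    def erase(self, app_uid):
        """Mark the subject erased; returns every device that must stop sending."""
        self.get(app_uid).erased = True
        return sorted(self._devices.get(app_uid, ()))

    def allow_event(self, app_uid):
        """Gate for profile/event data before it leaves the controller."""
        c = self.get(app_uid)
        return not (c.erased or c.data_opt_out)

    def allow_message(self, app_uid, channel, transactional=False):
        """Marketing is gated per channel; transactional traffic is gated only
        by erasure. A tracking opt-out alone does not block campaigns, since
        those may still use data captured before the request."""
        c = self.get(app_uid)
        if c.erased:
            return False
        return transactional or not c.marketing_opt_out[channel]
```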
- What is it?
Part of the privacy by design notion of GDPR.
- Upshot.ai Implementation
- Upshot.ai does not capture any network IDs and does not report any network stats. However, it captures IP addresses to enable security-related operations (for example, identifying and preventing DDoS attacks).
- If the data subject does not wish to enable IP-based geo-tracking, then the data controller needs to set “ipOptout” to yes using the latest version of SDK.
- The data controller and data subjects can still send location data (where applicable) to Upshot.ai through regular GPS-based location tracking.
- Implications
- This may affect sending out geo-targeted campaigns.
- This may affect your ability to perform geo-based analytics.
- Access Control
If the SDK has been updated and the user is running the updated app, the appropriate flags can be set via the SDK.
- Default State
IP opt-out is set to no by default.
- What is it?
Part of the privacy by design notion of GDPR.
- Upshot.ai Implementation
- Upshot.ai does not capture the ADID by default; however, the data controller can send this information to the SDK with the data subject’s approval.
- Necessary opt-outs should be handled by the controller in case of data subject’s preference changes.
- Implications - None
- Access Control
No changes in SDK are required, and it works as is.
- Default State
ADID is never collected by default by Upshot.ai SDK.