GDPR is the enforceable regulation undertaken to ensure that companies improve their practices when it comes to the data utilised by brands.
We think it’s imperative that marketers understand what data they are using when creating ads and producing campaigns. All clients of CUBED are briefed on the data that we store about their marketing.
At no point and at no time does any form of PII (personal identifiable information) get stored in the CUBED database. No email addresses, names, physical addresses are captured. This on its own does not make us compliant with the regulations – which we will explain below.
**caveat – as much as we have spoken to a multitude of specialists, lawyers and other senior marketers a lot of the information about GDPR is still not fully digestible. The largest players in the marketplace (Google, Amazon, Microsoft,Facebook) are still working on their procedures and weekly are revising their approach.
So what is GDPR and why is it important for you to understand in the context of CUBED?
Firstly – the key date, GDPR becomes enforceable on May 25, 2018.
What is GDPR?
The General Data Protection Regulation (GDPR) (EU) 2016/679 is an EU law regulation on data protection and privacy for all individuals within the European Union. It addresses the export of personal data outside the EU. It builds upon data rights that the EU has been pushing for, such as the right of an individual to be forgotten and the right to data portability.
Why the push for GDPR?
There are two main factors behind the introduction of GDPR. The biggest one is the EU’s desire to bring data protection law in line with how people’s data is being used, especially considering that some of the major firms (sales, shopping, social media) offer their services for free, as long as people offer their data to these tech giants.
Additionally, recently it has been highlighted in the news that offering out your data and giving permissions can have impacts that may not have been explicitly considered when granting that permission. The ongoing Cambridge Analytica scandal illustrates some of the troubles around consent not being truly informed, and that this could be used in ways people might not be so happy with.
The Cloud and some of the way the internet holds information has the potential to be exploited and this needs to be monitored, which is where GDPR plays its’ part.
The EU wants the legalities to be transparent and familiar, so by making it exactly the same as it is across all of its’ countries, there can be less confusion.
CUBED are a data processor, so it has always been of the utmost priority to look after the data.
What does a data processor mean – and why is it important.
A data processor is not in charge of why the data is collected in the first place, it just processes the data on behalf of the controller. The responsibilities held by the processor include the methods of collection, storage, security of personal data, mean of transferring data between relevant organisations, deletion/disposal of the data.
How do we collect and use data
CUBED gives easy access to all the information required by Articles 13 and 14 of the GDPR.
Where we store our data
We store CUBED data on Amazon hosted Web Servers who have their own very strict rules about data compliance. We hold data in the region relevant to each client (EU in EU, US in US etc.)
How do CUBED have so much insight but no PII?
The way we are able to do this is because we create customer ID’s which are arbitrary strings of numbers to anonymise the user attached the the customer and their journey details. That means anything that might be able to link to a person, for example a postcode or name are hashed and so nothing has any meaning relating to a person.
But you capture IP address, isn’t that PII?
We do capture IP addresses and use them to give us estimates of a user’s location. Similarly, IP addresses are sometimes used to remove traffic from our systems where a client of ours has decided not to track certain users on this basis. However, we never use IP addresses in conjunction with any other data to identify a customer, directly or indirectly.
For most users, IP addresses will change regularly, especially for those browsing on a mobile device. Therefore, there is very little we could personally identify about any user from this collected information.
How can a user opt out of being tracking?
Anyone can opt out of CUBED very easily (and has always been able to) using our tracking opt out – http://data.withcubed.com/optout
We take GDPR very seriously! If you have any questions or would like an update please get in touch by emailing firstname.lastname@example.org.