With the EU General Data Protection Regulation (GDPR) effective date nearing, we understand that you have some questions and concerns about how GDPR affects how we operate our platform and how we use your customer information.
What is the GDPR?
In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It will come into effect on May 25, 2018.
Why is the GDPR Important?
GDPR adds some new requirements regarding how companies should protect individuals’ data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breaches. We are following the developments about GDPR and are taking the necessary steps to become compliant.
Does GDPR require that I store my information in the EU?
Under GDPR, a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. The information that we collect for our platform (influencer and follower information) is collected only from publicly accessible .com websites, which are generally located in the US. We do not collect information from EU-based top-level domains such as .fr, .de, .uk, etc. Information about the followers is all aggregated and does not identify specific individuals.
We use the information provided by our customers only for the provision of our services to them and as may be necessary for compliance with applicable laws or to protect our rights. We are also in the process of self-certifying under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, which have been recognized by the EU authorities as a valid transfer mechanism for the information that we collect from our EU-based customers.
Does GDPR require that you get consent from the influencers to be included in your platform?
GDPR requires companies to have a valid purpose and a legal basis for processing personal information. Getting an individual’s consent for processing his or her information is only one of the legal bases available under GDPR. The personal information about influencers that we collect for our platform is all information which is publicly available and, in many cases, has been published specifically for marketing and publicity purposes. We process this information for our legitimate interest in providing the platform and related services to our customers and for our customers’ legitimate interest in marketing their products. We have conducted a legitimate interests analysis and apply appropriate safeguards to protect the influencers’ rights. For example, if an influencer wishes to be removed from our platform, we do so.
What is HYPR doing to comply with GDPR?
We have implemented and are implementing changes
Our compliance, data protection, and information security teams are working to prepare our services for GDPR. We reviewed our data processing activities and are making changes with a view to having them in place by the GDPR effective date.
We use appropriate measures to protect your data
GDPR requires companies to use appropriate technical and organizational measures to protect information which identifies individuals from unauthorized access.
We use HubSpot for our customer relationship management platform, which includes technical protections for the stored data. To read about HubSpot’s GDPR readiness efforts, see https://www.hubspot.com/data-privacy/gdpr/product-readiness. We limit access to our database only to those employees that need to access this information for the performance of their job duties. To process your payment information, we use Stripe, a reputable, PCI DSS certified provider. Stripe is working to ensure its services are GDPR compliant by the effective date (see https://stripe.com/guides/general-data-protection-regulation#stripe-and-the-gdpr).
Our influencer platform database is stored on AWS, which provides robust technical protections for the data. We limit access to this database only to specific IP addresses that are under our control and belong to those employees that need to access this information for the performance of their job duties.
We are addressing cross-border data transfers
Like the Data Protection Directive that is presently in effect, GDPR includes provisions on international data transfer mechanisms. We use your customer data only as necessary to provide our services to you. We are also in the process of certifying under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross-border transfer of personal data under the Directive and is expected to apply under GDPR as well.
We do not knowingly process children’s information
GDPR requires companies that process the personal information of children under 16 to acquire the consent of their parents. All of our customers are over 18 and the information that we use for our platform is composed of influencers and followers who are generally over 18 as well. We are currently reviewing our database to assess whether there is data there of individuals who are under 16 and any additional safeguards we may be able to implement with respect to them.
We are addressing individuals’ rights with respect to their data
GDPR provides individuals with rights in connection with the information about them that companies use. This includes the right to access a copy of your information, to correct the information, and in some cases, to object to the processing of the information or request that it be deleted. We already have processes in place to accommodate these rights and have been honoring them even prior to a GDPR requirement. We are looking closely at these processes with a view to making any changes required by GDPR.
We are here for you
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and are gearing up for GDPR. If you have any questions, please don’t hesitate to contact us.