Security Issue

The European General Data Protection Regulation (GDPR) is a big topic, and it can be scary—especially if you’re not yet fully compliant. While Braze can’t provide legal advice to our clients or to anyone else, we can walk you through some of the main things you need to think about when it comes to GDPR, as well as the steps that we’ve taken to comply.

The European General Data Protection Regulation (GDPR) is reshaping the customer data landscape for businesses across Europe and worldwide—and raising the prospect of serious consequences for non-compliant brands.

GDPR is a big topic, and it can be scary—especially if you’re not yet fully compliant. While Braze can’t provide legal advice to our clients or to anyone else, we can walk you through some of the main things you need to think about when it comes to GDPR, as well as the steps that we’ve taken to comply.

THE BRAZE GDPR POV

Braze, the customer engagement platform that orchestrates personalized messaging for consumer brands like ABC News, Delivery Hero, Domino’s, and Microsoft, is well-positioned to safely navigate the changing data privacy landscape. At Braze, we believe in “security by design,” meaning that we have built security into the core of our product and have made it a key focus area since day one. We take pride in maintaining the highest standards of compliance with data protection regulations and security standards including: conducting third-party penetration tests, undergoing SOC II compliance audits, and partnering with our clients on GDPR.

Braze worked with one of the leading EU privacy and compliance firms to aid us in our preparations for GDPR. We are committed to ensuring ongoing compliance with data processor and controller obligations under all applicable data privacy regulations and have an extensive program in place for compliance with GDPR when the regulation becomes enforceable on May 25, 2018.

Security and privacy protections are never finished—they’re always ongoing. Braze always has been, and will continue to be, good stewards of our clients’ data. We will continually respond to new risks and regulations as they arise, always keeping trust and transparency at our core.

THE BASICS

What is GDPR?

The General Data Protection Regulation (GDPR) is a new European Union (EU) law passed on May 25, 2016, that creates stricter rules regarding the use of personal data of EU data subjects by organizations.

What rights do EU citizens have under GDPR?

Under GDPR, all EU data subjects will gain increased control over their personal data and how it’s collected and used worldwide. These new rights include:

Why did the EU pass GDPR?

To replace the Data Protection Directive (the Directive), an earlier guideline that serves as the basis for laws on personal data within the EU. The Directive was passed back in 1995, when the modern internet was still taking shape and the kind of data collection that smartphones and other mobile devices make possible today did not exist. The GDPR seeks to protect EU data subjects’ data and privacy rights in today’s mobile-first world. While GDPR was passed in 2016, organizations were given a two-year window to take the necessary steps to ensure that they fully comply with the new law by Friday, May 25, 2018.

Who has to comply with GDPR?

The regulation doesn’t apply to every organization—but it applies to SO MANY that there’s a serious chance that your organization is one of them. GDPR is written to be far reaching and applies to any company established within the EU, as well as any organization selling goods or services to people within the EU (or monitoring the behavior of anybody inside the EU, for that matter). That means that in addition to EU-based customers, prospects, or employees, anyone (regardless of nationality) who works in the global offices of an EU-based company or who has their data processed by a EU-based company while in the EU is covered by GDPR. So it goes without saying that the number of organizations who could be affected by this legislation is ENORMOUS.

Where should organizations start, when it comes to GDPR compliance?

The process is necessarily going to be pretty different for every organization—after all, what GDPR compliance looks like for you depends a great deal on how you’re currently using personal data. Here are some best practices smart brands are using that you can learn from. First, thinking through the ways that your brand collects, manages, and acts on information that’s considered “personal data” under GDPR, and mapping out how the new rules and restrictions impact how you do business. Second, seeking out expert legal advice—whether that’s from an in-house counsel, an outside lawyer or firm, or both. GDPR is a big, complex, and sometimes hard-to-understand regulation and organizations that design their compliance roadmap without sufficient legal guidance and oversight could be putting themselves in a very risky situation.

GDPR TERMS & DEFINITIONS

What constitutes “personal data” under GDPR?

Any piece of information that can be used, directly or indirectly, to identify a person is personal data. Period. That can be obvious identifiers like email addresses or ID numbers, but it also applies to more ambiguous data points like a given person’s biometric data, location information, IP addresses, and a lot, lot more.

What is a Data Protection Officer?

Under GDPR, the Data Protection Officer (DPO) is the individual tasked with overseeing guidance related to your organization’s data protection needs, and ensuring that the organization is in compliance with the regulation. The DPO can be an employee or an external consultant, and not every organization necessarily is required to have one.

TACTICAL MUST-KNOWS

What type of personal data can brands collect under GDPR?

Except for some special rules around data related to criminal convictions (which can only be processed by national authorities), GDPR doesn’t place specific limits on the kinds of personal data that an organization can collect. Instead, the regulation mandates that applicable organizations demonstrate that they’ve implemented what’s known as “data protection by design and default.” That way, protections for personal data are built into everything that organization does.

Does GDPR apply to organizations that only have locations in the U.S.?

Yes, it can. Ultimately, whether your organization is subject to GDPR isn’t determined by the location of your organization's offices—it’s about whether you’ve collected personal data when transacting or monitoring people who are in the EU. In general, if you collect or process EU data subjects’ personal data, you will most likely need to comply with GDPR. In addition, EU-based customers, prospects, or employees, anyone (regardless of nationality) who works in the global offices of an EU-based company or who has their data processed by a EU-based company while in the EU is covered by GDPR.

If an EU citizen is located outside of the EU, does GDPR still apply?

It may, if the organization processing their personal data is based in the EU.

If a non-EU citizen is located within the EU, does GDPR apply?

Most likely. You don’t need to be an EU citizen. If you’re resident or even visiting the EU and your personal data is processed by an organization established in the EU, the processing of your personal data is subject to GDPR. If the organization is not located in the EU but offering goods or services to you in the EU or monitoring your behavior within the EU, GDPR applies too.

Does GDPR apply to data collected prior to May 25th, 2018?

Very much so. There’s no clause in GDPR grandfathering data collected prior to the regulations’ implementation day—so whether you gathered personal data that is subject to GDPR on May 25th or all the way back in the 20th century, you have to treat it like any other personal data under the regulation.

When are you allowed to process personal data?

Under GDPR, the processing of personal data is only lawful when it falls under one of six approved justifications.

Can you get around GDPR by just encrypting personal data?

No. While GDPR encourages organizations to encrypt the personal data they process in order to safeguard people’s privacy, the regulation doesn’t require it, and simply encrypting personal data doesn’t change the fact that your organization collected and is using that personal data, which automatically requires you to comply with GDPR.

How about by making all of your content gated?

It’s fine, but you can’t have pre-checked boxes. Individuals must take action to consent, such as checking or ticking a box, rather than taking action to withdraw consent (like a pre-checked box or default). Withdrawing consent should be as easy for the individual as giving it.

GDPR RESPONSIBILITIES & CONSEQUENCES

What penalties do brands that fail to comply with GDPR face?

Really big ones. Organizations that fail to comply with GDPR can be assessed fines up to 20 million euros or 4% of their global revenue, whichever is greater. Whether you’re a massive global organization or a scrappy little startup, that kind of fine is going to sting. Remember, GDPR isn’t a suggestion, it’s the law for affected organizations.

Who’s allowed to file a GDPR complaint?

Under GDPR, complaints against organizations for failing to comply with the regulation can be filed both by individual EU data subjects and by supervisory authorities in EU member states. That means an organization that’s slow to respond to a individual’s request to have their data deleted could find itself facing significant financial penalties.

BRAZE AND GDPR: THE FACTS

When will Braze be GDPR compliant?

Braze is working with one of the EU’s leading privacy and compliance firms to ensure organization-wide GDPR compliance on or before May 25, 2018. Those efforts include an active partnership with our clients to ensure that they understand how Braze will enable them to comply with their extensive obligations as data controllers.

Is Braze a data processor or a data controller?

When it comes to use of our platform by Braze clients, those clients are the controllers and Braze is a processor—and that means that Braze will follow the instructions of its clients when it comes to the processing of personal data on their behalf. However, Braze is the controller when it comes to personal data that it collects from its own EU employees and from EU data subjects who visit the Braze website or have their data collected in other ways through our marketing programs.

Does Braze have data centers in Europe?

Yes. Braze uses AWS as its hosting provider, and allows clients to store their data either in the United States or in Europe. In Europe, data is hosted at a data center in Frankfurt, Germany, with back-up in Ireland. Braze will not transfer for storage any personal data from the country where it is originally stored.

Does Braze provide client-facing documentation about its GDPR compliance?

Yep! Braze has a GDPR Compliance F.A.Q. along with other related materials that are continuously updated to ensure that clients are able to understand Braze’s GDPR compliance.

How will Braze ensure that clients are able to comply with a data subject’s right of rectification, right to have their personal data deleted (including the right to be forgotten), and right of access under GDPR?

As a data processor, Braze is focused on automating—as much as is technically feasible—the ability of its clients to comply with the rights of data subjects under GDPR. For instance, Braze has already updated its platform so that clients can respond to requests of individual data subjects. As a data controller, Braze has put in place a data subject access request form for people to enforce their rights under GDPR.

Can clients use Braze to obtain the explicit consents needed for processing of personal data under GDPR?

In general, while Braze can be used by clients to send targeted messages to people who have engaged with their app or website, it’s up to clients to decide the content of their messages, who receives them, and all other elements of each of that client’s messaging campaigns. So, it’s ultimately a question for each client to determine whether that’s the way that they want to obtain consents from EU data subjects as required under GDPR.

How will Braze enable clients to stop collecting personal data from an EU data subject who has either not given consent to the processing of their personal data, or who has withdrawn consent?

Under GDPR, when an individual decides that they don’t want your organization to collect or use their data, in most circumstances you’re legally required to delete all the personal data you have on them. In a situation like that, it’s possible to configure the Braze platform to stop the collection of personal data from someone who hasn’t given consent for data processing (or who has withdrawn consent). That being said, it’s ultimately the responsibility of each Braze client under GDPR to obtain and document consent, or to determine another legally adequate justification under GDPR, before processing personal data from EU data subjects.

Will Braze be making updates to restrict personal data of our clients and their end-users from being available to its employees who don’t need it in their role?

It’s already the case that only Braze employees who need to access specific personal data in order to support the platform’s operations, to comply with applicable law, or as directed by clients, are allowed to access or process personal data of our clients and their end-users.

What product changes has Braze made to support GDPR compliance?

In particular, Braze has taken steps to allow clients to leverage the Braze platform’s REST APIs and SDKs to carry out more nuanced actions related to personal data. With Braze, it’s now possible to:

  • Export an individual customer profile and its related personal data via API, allowing our clients to comply with GDPR’s Right of Access and Right to Data Portability
  • Halt all processing of a given customer’s data via the Braze SDK and then delete that individual’s data via API, supporting compliance with GDPR’s Right to Erasure
  • Adjust information contained in a given user’s customer profile via API or SDK, in accordance with GDPR’s Right to Rectification
  • Mark individual profiles as unsubscribed from emails and push notifications via API or SDK, in order to comply with GDPR’s right to object

Will Braze be making updates to record the dates on which marketing consents were changed?

Actually, under GDPR, Braze clients are responsible for all record keeping related to when EU data subjects provided or revoked their consent, as part of their obligations as data controllers.

Will Braze ensure that its sub-processors are also in compliance with GDPR?

Because Braze is responsible for the acts and omissions of its sub-processors and for ensuring that they comply with GDPR, we’ve required all of our sub-processors to enter into contractual agreements mandating compliance with GDPR.

How will the Braze platform enable clients to comply with an end user’s request for data portability?

Braze already makes it possible for clients to export any and all data that they might have within the Braze platform, in order to support their unique data needs. However, while we’re glad to support the seamless movement of our clients’ data out of our system, the responsibility for making some or all of that data available to individual consumers in accordance with GDPR ultimately sits with our clients, not with Braze itself.

Does Braze have any other public-facing documentation about its GDPR compliance activities?

Definitely! Check out more GDPR information including the Braze GDPR Compliance F.A.Q. These documents are updated as necessary to enable our clients to understand and track the Braze GDPR compliance program.

Todd Grennan

Todd Grennan is a New York-based writer and editor. When he's not writing about mobile marketing, customer retention and emerging technologies for Braze (formerly Appboy), you can find him trying to read his way through every Wikipedia article related to World War II.