Swrve will be fully compliant with GDPR on or before the key date of May 25th 2018. Swrve as a Data Processor has all the necessary systems and processes in place to support our customers (the Data Controllers) meet their obligations under GDPR.
If you are a Swrve customer and have any specific questions, you can contact your customer success representative or our GDPR hotline (firstname.lastname@example.org) at any time. We encourage you to do so!
What Is GDPR?
GDPR is the General Data Protection Regulation: a regulation in EU law on data protection and privacy for all individuals within the European Union. GDPR comes into effect on May 25th 2018. Put simply and in plain English, GDPR requires any organization holding any form of personal data relating to any EU citizen to meet certain obligations relating to the use and access of that data.
To get one important point out of the way immediately: it doesn’t matter where your business operates or stores data, if you have personal data relating to EU citizens you have obligations under GDPR.
So What Are The Obligations?
The obligations include, but are most definitely not limited to, the following:
- Confirming that personal data is held when asked by the relevant individual (ie the ‘owner’ of the data, or from here on and in GDPR terms the ‘data subject’)
- Sharing that data with the individual, in a ‘portable’ format
- Allowing any data relating to an individual to be deleted
- Allowing any data relating to an individual to be rectified if it is incorrect
- Allowing any individual to opt-out of any form of direct marketing
- Allowing any individual to opt-out of any personal data being processed
We’ll talk about all of these in a little more detail below but first let’s discuss roles and responsibilities before discussing how together we will make your organization GDPR-proof!
Data Controllers and Data Processors
GDPR makes a key distinction between these two roles in the management and processing of personal data. Again in simple language:
The Data Controller owns the relationship with the Data Subject and is ultimately responsible for making and policing decisions around how and why that data is processed. In most cases, if you are a Swrve customer the Data Controller in this context is you.
The Data Processor is any organization that handles and processes data on behalf of, and with regard to instructions from, the Data Controller. In most cases Swrve is the Data Processor.
Each role has their own responsibilities, but it’s important to understand that in most cases the Data Controller has legal liability under GDPR. However, as the Data Processor we at Swrve want to make sure your job is as easy as it possibly can be when it comes to being (and staying) compliant.
How Swrve Can Help
Firstly, Swrve as a platform incorporates “security by design” and “privacy by design”. We have always delivered an enterprise-class approach to these issues. More information on these topics is available here. Swrve has a data center within the EU (Ireland) and in all cases can ensure data relating to EU citizens never leaves the EU.
With regard to GDPR specifically, the following should be noted:
- Whilst it is the responsibility of the data controller to secure consent for personal data to be collected, Swrve can help with that process, both in terms of displaying interactive consent messages, and also ensuring that consent data is shared across channels, meaning you won’t have a requirement to ask in each individual channel.
- Swrve have processes in place today to provide Swrve data relating to any individual in ‘portable’ format, ensuring that you will be GDPR compliant
- Similarly, we are also able to delete all data relating to any Data Subject, or refrain from collecting data from any specific Data Subject, without compromising the workings of the platform as a whole.
- Swrve can collect and share opt-out data with other platforms and channels as required by the Data Controller - talk to us with any specific requirements and we can work with you to ensure GDPR is implemented consistently across all channels.
- Swrve does not collect Personally Identifiable Information by default. However, this information can be shared with Swrve if the Data Controller wishes to do so. In addition, it is worth being aware that even pseudonymized data can be defined as ‘personal data’ under GDPR
The Bottom Line
Swrve will be ‘GDPR ready’ on or before May 25th, and is ready to work with all our customers and prospects to respond in a timely and accurate fashion to all GDPR related requests from their own customers and users.