InPlayer has implemented a company-wide GDPR compliance strategy and fully achieved compliance with GDPR prior to May 25, 2018.
What is the GDPR?
The General Data Protection Regulation, or “GDPR”, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. The GDPR is a comprehensive privacy regulation that sets forth the rules for processing the personal data of individuals in the EU (“data subjects”) and the rights of data subjects with respect to their personal data. The GDPR became effective on May 25, 2018.
What is considered personal data?
Any information relating to an identified or identifiable natural person in the EU is considered personal data under GDPR. An identifiable person is one who can be identified directly or indirectly, particularly by reference to an identifier such as name, email address, identification number, or location, as well as online identifiers such as IP address.
The GDPR regulates the processing of personal data about individuals in the European Union and the European Economic Area including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes that came into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, among other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
What has been InPlayer’s overall GDPR compliance plan?
InPlayer began researching and pursuing compliance in 2017. Although it’s a complex piece of legislation the general idea is pretty simple; to make sure all data about private citizens is handled with the care it deserves. We’ve been working with privacy experts and our attorneys to be sure we’re compliant with the GDPR. The privacy and security of our clients and their users are of utmost importance to us.
If you are wondering what data we store about you and how it is being handled and used, you can easily find that out from our data privacy reports.
Choose the one most relevant to your relationship with us:
- Website visitor / Lead (have signed up for marketing communication)
- Client / Merchant
- End-user (you have signed up through an InPlayer paywall with one of our clients)
If you want more visibility on how we share data with third parties – we’ve listed all data processors here.
There are dozens upon dozens of changes and steps we’re taking across every part of our company to ensure we are GDPR compliant. This includes anonymising more data, reducing the types of data shared across vendors to only the parts that are absolutely necessary and providing more controls over what data is/isn’t processed.
Here’s a high-level overview of what we’ve completed so far on our GDPR Compliance Roadmap:
- Clarify and make available a list of how all data is stored and handled, including how we got consent to store the information
Accountability and management
- Appoint a Data Protection Officer and enhance awareness around the company
- Contracts with all third party data processors and storage partners ensuring they are compliant
- List all third party data processors and storage partners
- Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR
- Thoroughly research the areas of our product and business impacted by GDPR
- Develop a strategy and guidelines for how to address the areas of our product impacted by GDPR
- Enable an easy way for our clients and their end users to request access to, edit and delete their personal information
- Automatic deletion of data that our business no longer has any use for
Consent and communication
- Improved Cookie information
- Offer a way to withdraw consent as easily as it was given
- Communicate our compliance to all clients and their end users
- Regularly review policies for changes and effectiveness
Changes in our SaaS platform and new features
- Easy access for clients’ users to export and/or erase data about them by going to their account page
- Easy way for clients to export and/or erase data about their users from the Audience database in the platform
- Ensure all parties involved are informed about any changes or requests made to export or erase data
- Thoroughly test all of changes to verify & validate compliance with GDPR
We are still researching the need for our clients to add age verification to their registration process through our paywall. As soon as our experts reach a conclusion on this we will develop a feature accordingly.
Exceptions due to being a money processor
InPlayer has anti-money laundering and financial regulatory obligations to retain records for certain periods, and we generally cannot delete transactional records prior to the expiration of those periods as we have statutory record-keeping obligations. Absent those specific requirements, we retain personal data for only as long as permissible under applicable data protection laws. InPlayer does retain personal data in compliance with applicable data protection laws, and additional sector-specific rules, as they may apply to InPlayer.
If you are a company outside the EU, this still affects you
The provisions of the GDPR apply to any organisation that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organisation has a physical presence in the EU.
If you have any questions, you may send them to firstname.lastname@example.org