Convertr, the GDPR and the UK's DPA
If you have questions, get in touch via compliance@convertr.io or contact us.
Disclaimer: The following information is not legal advice. This page is only intended to summarize the main points of how Convertr can be used in a compliant manner under the EU's GDPR and the UK's DPA regulations. We recommend that you work with a trusted legal partner to fully understand your legal obligations.
What are the GDPR and the DPA?
GDPR is the European Union General Data Protection Regulation (2016/679) that became enforceable on 25 May 2018. It is the regulation by which the European Parliament, the European Council and the European Commission intend to strengthen, unify and harmonize data protection for individuals within the EU.
The Data Protection Act 2018 (DPA) is the United Kingdom's law which replaced the 1998 DPA and includes the UK's implementation of the GDPR.
Both regulations set strict rules, called 'data protection principles', for anyone using personal data to make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There's also a new overarching principle of Accountability which means that businesses must demonstrate that they follow the principles.
How is Convertr impacted by GDPR and similar regulations?
Convertr is considered a 'Data Processor' under the GDPR and is required to implement policies and procedures to ensure compliance with the regulation. Prior to the GDPR taking effect, Convertr contracted a firm with expertise in data protection to serve as our DPO, audit our processes and recommend updates to our platform and processes to ensure our compliance.
As a result, Convertr made any necessary updates to our legal terms (Data Privacy Agreement with customers, Privacy Policy, Cookie Policy and Terms of Service) and refined our data collection processes to meet our legal requirements under GDPR. We also regularly audit our processes and maintain ISO 27001 certification to stay up to date on best practices regarding information security and data privacy.
For our customers, the Convertr platform was enhanced to better support their compliance needs regarding:
- Acquiring, processing and routing data
- Supporting individual requests for personal data, opt-outs, and the right to be forgotten
- Providing an array of user permissions and roles to restrict access to PII and financial data in the platform
- Logging all actions on the platform for auditing purposes
We recommend that you work with your legal counsel to ensure the Convertr platform is used in accordance with your specific compliance needs and business processes.
Is Convertr GDPR or DPA compliant?
Convertr does not guarantee compliance for any regulation, but when used properly our platform enables brands, agencies and publishers to be compliant with GDPR and DPA principles when using the platform for data capture, processing and routing.
Where can I find more information on GDPR?
We have created an Intro to GDPR guide, but this should not be considered legal advice or an extensive guide to GDPR. To provide your organization with the best protection and guidance, we recommend engaging legal counsel and/or data security expertise on how best to follow the regulations set by the GDPR and DPA 2018.
As a Convertr customer, what should I expect with respect to my GDPR efforts?
Data Processing Agreement (DPA)
GDPR requires a detailed DPA between Convertr and our customers that documents the rights and obligations of each party.
Data Security Standards
GDPR requires "appropriate technical and organizational measures" to protect data. Convertr maintains ISO 27001 certification and trains our staff on best practices regarding data security.
Compliance processes for acquiring, processing and storing customer data
The Convertr platform provides multiple tools to capture and track consent during customer acquisition, including web forms, double opt-in via email and user confirmation. Consent is then securely stored with the user profile and can be delivered to additional platforms.
This process provides a full profile of the consumer's data with a clear record of consent and routes consumers to the proper channels based on that consent.
Features supporting individual requests for personal data, opt-outs, and the right to be forgotten.
If you have any questions with regard to Convertr, data privacy and global compliance, please contact us at compliance@convertr.io.