On May 25, 2018, the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). And CleverTap is pleased to announce that we are fully compliant with GDPR as of today.

In addition, we are also constantly working with our customers to help them easily understand and manage compliance related features and capabilities.

Compliance with the GDPR requires ongoing changes to ensure that your processing of personal data of EU individuals is within scope. The enhancements to our product functionality including updates to our dashboard, SDK, API, and documentation will help you better handle the GDPR requirements and support you in offering data privacy to your application’s end users.

But First, What is the GDPR?

If you are just starting to think of the GDPR and have questions about what it entails and what you should do to prepare, check out our blog post.

What are Your Obligations Under the GDPR?

Among the key changes in the GDPR are the data subject rights for EU individuals, added security measures, contractual obligations, and operational enforcements such as data breach notifications and updates to privacy policies to address the new regulation.

The GDPR is an extensive regulation and while CleverTap cannot offer legal advice on the regulation, our goal is to make it easy for you to understand and apply the GDPR’s principles for your users. We have outlined common questions to help accelerate your path to GDPR readiness with CleverTap.

How will CleverTap help my company respond to individual rights granted by the GDPR?

Whenever your application’s end users (i.e. data subjects within the purview of GDPR) send their personal information to you, you must ensure they are aware of what they are consenting to. And you must make them aware that they are granted the following rights: Right to Access

Your app’s end users may request to view their personal data by exercising their right to access, which allows them to understand how their personal data is being processed on your app, at which location, and for what purpose. We provide this feature to you (i.e. the App Publisher) through a detailed report on end user profiles that you can generate on the dashboard and easily share with your end users should they request it.

Your app’s end users may request to view their personal data by exercising their right to access, which allows them to understand how their personal data is being processed on your app, at which location, and for what purpose. Right to be Forgotten

Your app’s end users may exercise their right to be forgotten (or data erasure) on your app, giving them the complete authority to have their personal profile and event data permanently erased from our systems. We will enable you to do this through both a dashboard deletion and an API deletion tool. If your end user revisits your app in the future, they will be treated as an anonymous user.

Your app’s end users may exercise their right to be forgotten (or data erasure) on your app, giving them the complete authority to have their personal profile and event data permanently erased from our systems. Right to Suppress

This entitles your app’s end users to invoke the right to have all their personal data dropped from further processing by both the controller (you, the App Publisher) and the processor (CleverTap). We will allow this through our new SDK, which will grant your end users the ability to immediately have their devices stop sending data to CleverTap systems from then on. How will the Right to be Forgotten affect my CleverTap dashboard experience?

When an end user invokes their right to erase, all profile and event data is deleted from CleverTap’s servers. This means that all data from any device that the user is identified on will be removed. There will be no way to download that user profile or reach that specific end user on any of the messaging channels on the CleverTap dashboard. You will have to opt out that user from all marketing channels on your end. Additionally, the delete will take place immediately and there is no way to get the information of that user back. It may impact your analysis on the dashboard as funnels, cohorts, pivots, and other analytics may not show the same result as before. What is the Right to Marketing Opt Out and what are its implications?

CleverTap offers a number of messaging channels for you to engage with your application’s users. The GDPR provides the right to the user to opt out of any marketing communication channel based on their preference. You can enable this with our new SDK to allow specific channel opt outs for those users when you send campaigns on CleverTap. Is it mandatory for CleverTap’s customers to update their SDK in order to conform to GDPR compliance?

Yes, all CleverTap customers (i.e. data controllers) that choose to be GDPR compliant are required to update the SDK to conform to the GDPR guidelines. If for any reason, you do not upgrade to the latest version of the SDK, you might be in violation of GDPR compliance as an application publisher. Where can I find the new SDK and the steps to follow in order to make my application GDPR compliant?

A new version of the CleverTap SDK is now available, giving you the tools to meet new GDPR regulation. The new, GDPR-compliant SDKs can be found on our SDK release documentation here. Detailed documentation of the modifications in the SDK and the steps to follow in order to make your applications GDPR compliant is available within our SDK integration guide for your action. What is Privacy by Design in GDPR? What is CleverTap doing to facilitate it?

The GDPR establishes Privacy by Design in order to ensure that companies have the processes to meet the necessary customer consent before processing their data. The new SDK conforms to Privacy by Design by disabling default settings for capabilities such as auto-collection of location (city, region, and country) as well as network information (wifi, radio, bluetooth, etc.) for end users that do not opt in. Additionally, following the GDPR guidelines, the CleverTap SDK will not automatically collect Google Ad ID or Apple IDFA. You can refer to the user docs to learn more. What is the territorial scope of the GDPR? Does it apply to firms in the US or India?

Under the GDPR, it is the location of the individual whose personal data is being processed that determines whether the concerned firm should comply. This means that the GDPR will apply to all organizations, whether within the EU or outside of it, that offer their product or service to individuals in the EU when their data is being collected. Thus, the GDPR applies to all companies in the US, India, or elsewhere with data processing outside of the EU and end users in the EU. In such a scenario, the data controller should ensure that they ask for consent of the EU individual before collecting personal data that will be processed in locations outside of the EU. For most of our customers, we make sure that your data is stored and processed securely in the EU and never leaves the EU. We also offer India data centers for those customers that might have a legal or governance requirement of having their data storage within the Indian borders. As in the above scenario, our customers are required to communicate the same to their end users (who might be in the EU) when their data is collected to ensure that they have end user consent for storing and processing their data in India. What is the role of a data protection officer (DPO)? Has CleverTap appointed a DPO?

Within the GDPR, a data protection officer (DPO) will be responsible for assessing the impact of data protection regulations, its specific processes within an organization, employee communication, and training, among other things. This DPO will be in charge of all issues relating to the protection of personal data of their customers. Consistent with our commitment to security and data privacy, we have appointed a data protection officer at CleverTap to ensure our continued support to you, our customers, and your end users. What is a Data Processing Addendum (DPA)? Is it mandatory for CleverTap’s customers to sign the DPA?

We have introduced a DPA that formally designates CleverTap as a data processor and provides our customers with a complete understanding of CleverTap’s commitment to data privacy and ownership of personal data. It is mandatory for all CleverTap customers to sign the DPA in order to confirm their continued usage of CleverTap. Are there any other contractual obligations apart from the DPA?

We have also made accompanying updates to our Privacy Policy and Terms of Service to reflect new legal requirements of the GDPR. In order to continue to use CleverTap, you will have to agree to the updated terms in the privacy policy, terms of service, and the DPA.

Questions?

Data privacy and security is an ongoing process. We will continue to work closely with our customers to prepare for new regulations as they are introduced, ensuring that we remain the custodians of our customers’ data. Refer to our user docs and developer docs, or contact support@clevertap.com for more information.