GDPR Compliance

Effective Experiments GDPR Compliance Statement

Effective Experiments is committed to assisting its customers in their journey to compliance, starting late May 2018, with the GDPR (General Data Protection Regulation) and the upcoming ePrivacy Regulations. We’re dedicated to adhering fully to GDPR prior to its enforcement date.

What is GDPR (and why should I care)?

General Data Protection Regulation (GDPR) was passed by the EU Parliament in April of 2016. Replacing the Data Protection Directive from the 1990s, it’s the biggest overarching legislative change in data privacy regulation to take place in the last 20 years.

GDPR replaces the existing data protection act and was created to standardize data privacy laws throughout Europe, putting greater protection on the data privacy of EU citizens. The big changes are:

  • A Change in Legislative Scope: Now, all controllers and processors in the EU are subject to GDPR—even if the data they’re accessing is processed outside of the EU. The reverse is also true. If you’re a company processing the data of EU citizens (either to offer goods and services, or to monitor behavior taking place in the EU)—it doesn’t matter where you’re based, or where you’re processing the data. You still have to comply with GDPR.
  • Greater Penalties for noncompliance: The maximum fine for noncompliance with GDPR is up to 4% of annual global turnover, or 20 million euros—depending on which is greater.
  • Strengthened Conditions for Consent: No more legalese. Consent has to be given in an easy, accessible way before processing a person’s data. You also have to disclose the purpose for that data processing, and make it as easy to withdraw consent as to give it.

To learn more about all the GDPR changes, visit the EU GDPR website here.

How is Effective Experiments Getting Ready For GDPR?

Data Processing Addendum

We offer a data processing addendum (DPA) for our customers in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. Our DPA will be effective on May 25th, when we incorporate it into our Terms of Service. There will be no action needed on the part of our current Effective Experiments customers.

To guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign customers’ DPAs. As a small team we are unable to make individual changes to our DPA as we do not have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back and forth discussion that would be cost-prohibitive for our team.

Individual Data Subject’s Rights – Data Access, Portability and Deletion

We are committed to helping our customers meet the data subject rights requirements of GDPR. Effective Experiments processes or stores all personal data with fully vetted, DPA-compliant vendors. We store all account-related personal data for up to 6 years unless your account is deleted, in which case we dispose of all data in accordance with our Terms of Service and Privacy Policy, and we will not hold it longer than 60 days.

Training and Awareness

We’ve formed a core privacy team of leaders, headed by our internal Data Protection Officer (DPO). The representatives in this group are the project managers who will ensure all the requirements of GDPR are covered, from Marketing to Engineering to Sales. The team meets once a month to discuss current progress towards GDPR readiness and will continue to do so following the May 25th deadline. This team is also responsible for developing the Effective Experiments GDPR awareness training program and validating that everyone at Effective Experiments understands, and is kept up to date on, the current regulation. All personnel with access to customer data or processing customer data will undergo mandatory GDPR compliance training.

Updates to our third party vendor contracts

We are in the process of reviewing our list of third-party vendors and performing a deep review of their GDPR compliance. We already have DPAs in place with most of our vendors who offer a signed version, while others are taking the same approach as us and having the DPA be automatically accepted as part of the Terms of Service on May 25th.

Risk Assessment (data protection impact assessments)

Having a managed data protection impact assessment (DPIA) process is a requirement of GDPR. A DPIA process is simply a way to help us identify and minimize the data protection risks of a project. The Effective Experiments engineering team has always undergone security and privacy due diligence when making tooling and implementation decisions, so this requirement is an easy one for us. Any time we introduce a change to the way we handle personal data, we spend time discussing the potential impact on customers of Effective Experiments and possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution that will mitigate the data privacy and security risk to anyone who interacts with the Effective Experiments platform. We will continue to execute this risk assessment process as we expand our offerings.

Breach Management

We already have a breach management and communication plan in place to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.

We are here for you

We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and how we are gearing up for GDPR. If you have any questions, please don’t hesitate to reach out.