The Cooladata Guidelines for GDPR Preparations

The GDPR became fully enforceable on May 25, 2018, and has set a high bar for global privacy rights and compliance. We at Journey Analytics modified our system to help you meet the requirements of the GDPR. This guide is intended to set out the GDPR guidelines for our customers as well as to inform our customers of the changes made in Journey Analytics to support their GDPR compliance, which include:

  • Support for opting out users
  • API for deleting user historical data and properties
  • Anonymizing personal information data as part of the ETL

Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional counsel to determine precisely how the GDPR might apply to your organization.

What is GDPR?

The EU General Data Protection Regulation (GDPR) replaced the Data Protection Directive. It was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all GDPR-protected individuals, and to reshape the way organizations across the region approach data privacy. The GDPR applies not only to companies that process the personal data of protected individuals and have a presence in the EU (e.g. offices or establishments), but also to companies that have no presence in the EU but offer goods or services to individuals in the EU and/or monitor the behavior of European individuals where that behavior takes place within the EU.

The GDPR regulates the "processing" of personal data of any protected individual (who is referred to as a "data subject"). "Processing" includes the collection, storage, transfer, or use of personal data. Any company that processes the personal data of any data subject, regardless of where the company is based, may be subject to the GDPR and its rules. We encourage our customers to seek legal advice to determine whether or not the GDPR applies to their specific processing operations.

What is "personal data"?

According to the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or when joined with other data, to identify an individual. Personal data now includes not only data that is commonly considered to be personal in nature (such as email addresses, social security numbers, and physical addresses), but also data such as IP addresses, behavioral data, location data and much more. It is also important to note that even personal data that has been "pseudonymized" can still be considered personal data if the pseudonym can be linked to a particular individual or the pseudonymization is reversible. For these reasons, the additional information (such as the decryption key) must be kept separately from the pseudonymized data.

More information on what is considered personal data can be found on the GDPR-dedicated website: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Under the new GDPR, protected individuals will have several important rights, including the right to be forgotten, the right of access, and the right of portability. If you are processing the personal data of protected individuals, you must ensure that you can accommodate these rights:

  • Right to be forgotten: the data subject is entitled to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data (opt-out).
  • Right of access: the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
  • Right of portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format', and the right to transmit that data to another controller.

So how does it affect Journey Analytics and their customers?

Between Journey Analytics and our customers, Journey Analytics is the "data processor" and the customer is the "data controller". A data controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of, and for the benefit of, the controller. According to GDPR, it is the responsibility and the liability of the data controller to implement effective measures and be able to demonstrate GDPR compliance.

The technical How To's:

The GDPR requires you, as a data controller, to inform your users ("data subjects") with a clear explanation of how, where and by whom their data will be processed, in accordance with the requirements of Articles 13 and 14 of the GDPR. Controllers are also required to receive their consent for the collection and processing of any data they will share through your services, unless the controller can rely on another legal basis (the list of permitted legal bases is set out in Articles 6 and 9 of the GDPR). Presenting this request for consent is your responsibility as a data controller, and we imagine it will look different across your various websites and mobile apps. We encourage our customers to carefully assess which legal basis they rely on for each processing operation and to display the relevant information required by the GDPR.

If you receive an objection from your user, Journey Analytics enables you to opt out a user in order to stop tracking their activities. Opting out a user is done either through the SDK or through a REST API request to Journey Analytics, by sending an event stating that the user has opted out of data collection. Our system will flag that user and will block all future events or sessions of that user.

Since the GDPR also entitles the data subject to the "right of erasure", we introduced a Delete API that allows you to delete any user properties or historical events and sessions of that user. Keep in mind that if you do not opt out the user and send any events for that user in the future, the data will be stored. In addition, since Journey Analytics does not control your Aggregation Tables, external data sources or data uploaded through our integrations, it is your responsibility to delete that user from these external tables.

The API will let you know the status of your request for deletion (whether it is in progress or done) and the number of events and sessions that will be deleted for this user once the erasure is completed.

Both opt-out and the Delete API operate on customer_user_id. Since Journey Analytics allows you to link multiple identities of the same user, deleting and opting out will also apply to all the alternative identities of a single user, and not just to the records received with the user id that requested erasure or opt-out.

Also, since every query in Journey Analytics is calculated from raw event-level data, once these tasks are completed the data retrieved from queries on top of Journey Analytics will change and will no longer include these events and sessions, even when querying aggregated values.

The users' "right of access" as well as the "right of portability" can be fulfilled using our Query API. You are in charge of writing the relevant query that retrieves the data you want the user to access. If you need any help writing these queries, please contact your CSM.

Journey Analytics also enables you to anonymize personal data in your project. Since you control what data you send to Journey Analytics and what is stored, you are responsible for defining what is personal information and what is not. If some properties in your project contain personal user information, you might want to hash that information based on a certain condition (for instance, if a user asked to be anonymized or if that user is based in the EU).

Notice that we automatically collect IPs, so if you need the IPs we have collected to be hashed before they are stored, you are responsible for using the above-mentioned functionality to set this up. Hashing IPs will not affect the geolocation enrichment we provide out of the box.
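The conditional hashing of personal properties described in the two paragraphs above, as an added illustration that is not Journey Analytics' own ETL code. It assumes hypothetical property names (email, ip, full_name, country, anonymize_requested) and uses a keyed hash (HMAC-SHA256) so that the key, kept separately from the pseudonymized events, is the "additional information" the GDPR expects to be stored apart from the data.

```python
import hmac
import hashlib

# Hypothetical property names assumed for this example.
PERSONAL_FIELDS = ("email", "ip", "full_name")
# Small constructed list of EU country codes used for the "based in the EU" condition.
EU_COUNTRIES = frozenset({"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"})


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash of one property value. Same input and key give the same
    pseudonym, so joins across events still work; without the key the
    pseudonym cannot be recomputed from a list of candidate values."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def should_anonymize(event: dict) -> bool:
    """Condition from the text: the user asked to be anonymized, or is in the EU."""
    return bool(event.get("anonymize_requested")) or event.get("country") in EU_COUNTRIES


def anonymize_event(event: dict, key: bytes, fields=PERSONAL_FIELDS) -> dict:
    """Return a copy of the event with personal fields replaced by pseudonyms
    when the condition holds; other events pass through unchanged.
    The geolocation-derived 'country' is assumed to be enriched before this
    step, which is why hashing the IP does not affect it."""
    out = dict(event)
    if not should_anonymize(out):
        return out
    for name in fields:
        if out.get(name) is not None:
            out[name] = pseudonymize(str(out[name]), key)
    return out


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"customer_user_id": "u1", "email": "alice@example.com", "ip": "203.0.113.7",
     "country": "DE", "event_name": "login"},
    {"customer_user_id": "u2", "email": "bob@example.com", "ip": "198.51.100.3",
     "country": "US", "event_name": "login"},
    {"customer_user_id": "u3", "email": "carol@example.com", "ip": "192.0.2.9",
     "country": "US", "anonymize_requested": True, "event_name": "purchase"},
]

if __name__ == "__main__":
    key = b"example-key-stored-outside-the-event-store"  # constructed; load from a secret store in practice
    for ev in SAMPLE_EVENTS:
        print(anonymize_event(ev, key))
```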

In terms of communication with Journey Analytics, please make sure all data sent or retrieved goes over HTTPS. Journey Analytics supports sending events through both HTTP and HTTPS, so make sure you use the latter to ensure the communication is encrypted.

As for data storage and security, Journey Analytics uses third-party tools for processing and storing your data, based on Amazon and Google Cloud Services. Both providers have announced that they will be GDPR compliant. There is no explicit GDPR requirement that personal data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks, including the Privacy Shield.

As for data transfers, please note the following:

  • Amazon Web Services and Google: Both AWS and Google have already announced that they will comply with the GDPR, and they are also registered with the EU-US Privacy Shield (see: https://www.privacyshield.gov/list).
  • Our staff: Our staff sits in Israel, which was declared by the European Commission as a country that offers an adequate level of data protection (see: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en)
  • Other sub-processors, vendors and partners: We only share personal data that is subject to the GDPR with vendors and partners who, like Amazon Web Services or Google, have announced that they will comply with the GDPR and have undertaken to do so.

Finally, let's talk legals:

Make sure your Terms of Service or Privacy Policy or other relevant documents properly communicate to your users how you are using Journey Analytics (and any other similar services) on your website or app.

We have drafted a Data Processing Agreement in accordance with Article 28 of the GDPR in order to enter into an agreement with our customers who are subject to the GDPR. We request that you download it, sign it and return it to your account manager.

More information

Additional information regarding the GDPR can be found at the European Commission's website, found here: https://ec.europa.eu/info/law/law-topic/data-protection_en

Furthermore, if you have any questions about the GDPR vis-à-vis your relationship with Journey Analytics, contact Medallia Support.

Note: This guide may be subject to minor changes in accordance with Journey Analytics's ongoing product modifications.

Last update: 2018-05-29