Security and GDPR Compliance

For most businesses, May 25, 2018 is quickly approaching as a day of unknowns. It is the day the European Union's new regulation, the General Data Protection Regulation (GDPR), takes effect. The GDPR is aimed at strengthening the protection of personal data belonging to people in the EU, and it increases the obligations organizations have to handle that data in a secure and transparent way. It applies to every business that controls or processes the personal data of people in the EU, regardless of where the business is located, which means it very likely affects you, our Sideqik customers.

What is GDPR?

The GDPR is a new EU law on data protection and privacy. It also governs transfers of personal data outside the EU. The regulation aims to give individuals control over their personal data. Any company, no matter where it is located, must comply if it handles the personal data of people in the EU. As Wired put it in its deep dive, "Europe's new privacy law will change the web, and more":

[Under the GDPR] companies must be clear and concise about their collection and use of personal data like full name, home address, location data, IP address, or the identifier that tracks web and app use on smartphones. Companies have to spell out why the data is being collected and whether it will be used to create profiles of people’s actions and habits. Moreover, consumers will gain the right to access data companies store about them, the right to correct inaccurate information, and the right to limit the use of decisions made by algorithms, among others.

The law protects individuals in the 28 member countries of the European Union, even if the data is processed elsewhere. That means GDPR will apply to publishers like WIRED; banks; universities; much of the Fortune 500; the alphabet soup of ad-tech companies that track you across the web, devices, and apps; and Silicon Valley tech giants.

Most of the rights granted by the GDPR already existed in EU law under the 1995 Data Protection Directive. In practice, however, they were rarely enforced; the GDPR adds uniform rules and meaningful fines.

Sideqik and Compliance

At Sideqik, we are committed not only to making sure we are compliant with the new regulations, but to helping our customers comply as well. Sideqik is, by nature, a consent-based platform: users specifically give consent when they enter a promotion or apply to an influencer program, and the personal data they provide is only ever shared with the owner of the account that collected it. In GDPR terms, this means you (the account owner) are the data controller and Sideqik acts as a data processor on your behalf.

Breakdown of GDPR Requirements

Lawful basis of processing

What it means: You need a lawful basis for processing a person's personal data, such as consent (opting in), performance of a contract, or a transaction they requested. For people entering Sideqik promotions or applying to be an influencer, the lawful basis is their consent. For influencers, you can record the lawful basis on the influencer's profile.

Consent

We know we just said consent provides a lawful basis for processing, but there is more to it. Under the GDPR, a user must be told specifically what they are opting into. They must opt in affirmatively, for example by ticking a checkbox themselves (a pre-checked box, or merely submitting a form, does not count as consent). The consent request must tell the user how you intend to process and use their personal data. You also need to keep auditable evidence of exactly what the user consented to and when. In Sideqik you can do this by adding checkboxes or text fields to your promotions or forms.

Withdrawal of Consent (Opting Out) and Deletion

The GDPR requires that companies give users the ability to see what they agreed to share and the ability to withdraw consent. Per the GDPR, withdrawing consent must be as easy as giving it. Similarly, users have the right to request that their personal data be deleted. Controllers generally have one month to respond to such requests (extendable in complex cases). To have a user's personal data deleted from Sideqik, email support@sideqik.com and we will permanently delete it. In the future we will provide a form for these requests. We are also working on a way to easily notify our customers about deletion requests, so our customers can stay compliant too. Please reach out to privacy@sideqik.com with any questions about this policy.

Cookies

A user must be told that you are using cookies to track them and must consent to those cookies before they are set. This most likely applies if you are using analytics or advertising tracking pixels such as the Google AdWords conversion tag, the Facebook Pixel, or Sideqik's Conversion Tracking. Further rules on this topic (the proposed ePrivacy Regulation) are still pending. Facebook has thorough guidelines here. For now, any questions can be directed to support@sideqik.com.
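The Consent and Cookies sections above describe two things a practitioner has to build: an auditable record of each affirmative opt-in (what text the user saw, when, and any later withdrawal), and a gate so that tracking pixels only fire once that consent is on record. The block below is an added example and is not Sideqik's code; the class name, the "analytics" purpose, the subject id and the timestamps are constructed for illustration.

```javascript
// Added example, not Sideqik's code: an append-only consent ledger that
// records each affirmative opt-in (and each refusal or withdrawal) with the
// exact text the user saw and a timestamp, and gates tracking pixels so they
// run only while consent is on record. Class and purpose names are
// illustrative assumptions, not Sideqik identifiers.

class ConsentLedger {
  // `clock` is injectable so the ledger can be exercised with fixed timestamps.
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.records = [];        // append-only: this is the audit trail
    this.waiting = new Map(); // subject+purpose -> loaders blocked until consent
  }

  static key(subject, purpose) { return `${subject}\u0000${purpose}`; }

  // Record a consent decision. Only a literal `true` (the user ticked an
  // unchecked-by-default box) counts; undefined, null, "on" or a pre-checked
  // default are logged as refusals so the evidence of what was shown survives.
  record(subject, purpose, consentText, checked) {
    const given = checked === true;
    this.records.push({ subject, purpose, consentText, given, at: this.clock() });
    if (given) this.release(subject, purpose);
    return given;
  }

  // Withdrawal must be as easy as giving consent: one call, logged like a grant.
  withdraw(subject, purpose) {
    this.records.push({ subject, purpose, consentText: null, given: false, at: this.clock() });
  }

  // The most recent decision for this subject and purpose wins.
  hasConsent(subject, purpose) {
    for (let i = this.records.length - 1; i >= 0; i--) {
      const r = this.records[i];
      if (r.subject === subject && r.purpose === purpose) return r.given;
    }
    return false;
  }

  // Gate a pixel/tag loader on consent: run it now if consented, else park it.
  whenConsented(subject, purpose, loader) {
    if (this.hasConsent(subject, purpose)) { loader(); return true; }
    const k = ConsentLedger.key(subject, purpose);
    if (!this.waiting.has(k)) this.waiting.set(k, []);
    this.waiting.get(k).push(loader);
    return false;
  }

  // Run every loader parked for this subject and purpose.
  release(subject, purpose) {
    const k = ConsentLedger.key(subject, purpose);
    const loaders = this.waiting.get(k) || [];
    this.waiting.delete(k);
    loaders.forEach(fn => fn());
  }

  // Everything recorded about one subject, for an access/portability request.
  exportFor(subject) {
    return this.records.filter(r => r.subject === subject).map(r => ({ ...r }));
  }
}

// Constructed walk-through with a fixed clock so the result is deterministic.
function demo() {
  let t = 0;
  const ledger = new ConsentLedger(() => `2018-05-25T00:00:0${t++}Z`);
  const fired = [];
  const facebookPixel = () => fired.push('facebook-pixel'); // stands in for the real tag

  // Pixel requested before any consent: parked, not fired.
  ledger.whenConsented('user-42', 'analytics', facebookPixel);
  // A pre-checked box submitted without the user touching it: logged as refusal.
  ledger.record('user-42', 'analytics', 'Allow analytics cookies', undefined);
  // The user actively ticks the box: recorded, and the parked pixel fires.
  ledger.record('user-42', 'analytics', 'Allow analytics cookies', true);
  // Later withdrawal: a subsequent pixel request stays parked.
  ledger.withdraw('user-42', 'analytics');
  ledger.whenConsented('user-42', 'analytics', facebookPixel);

  return { fired, consented: ledger.hasConsent('user-42', 'analytics'), log: ledger.exportFor('user-42') };
}
```

In a real deployment the records would be written to server-side storage the user cannot edit, and the loader callbacks would inject the pixel scripts into the page; the ledger itself is what answers an auditor's question of who consented to what, and when.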

Access/Portability

Under the GDPR, users can request access to the personal data organizations hold about them. Personal data is any information relating to an identified or identifiable person, such as a name or email address. If a user requests access, you (as the controller) must provide a copy of the data. Sideqik lets you fulfil these access and portability requests by exporting the data collected from forms or promotions to CSV or Excel files. Additional data, such as engagement data, can be obtained via Sideqik's APIs. If you have any trouble fulfilling an access request, please contact support@sideqik.com and we will help.

Modification

In addition to requesting deletion of or access to their data, users can ask you to correct personal data that is inaccurate or incomplete. In Sideqik, you can update an influencer's data on their profile page. To update the information of promotion participants, send a modification request to support@sideqik.com.

Security Measures

The GDPR requires that data controllers and processors implement "appropriate technical and organisational measures to ensure a level of security appropriate to the risk". Sideqik has always taken privacy and security seriously, and we are working to strengthen our security controls across the business. We have recently added controls around data access and auditing to ensure our customers' data is protected. We have appointed a Data Security Officer to serve as the point person for all inquiries related to data security. Please direct any inquiries related to Sideqik and GDPR to privacy@sideqik.com.

Data Processing Addendum

The GDPR requires a written contract between a controller and each processor acting on its behalf. To help our customers meet this requirement, Sideqik offers a Data Processing Addendum (DPA). The DPA is an easy-to-execute document that, once signed, lets customers demonstrate to auditors that their use of Sideqik processes personal data in a GDPR-compliant way. To obtain a DPA, please email support@sideqik.com.

Wrapping Up

We’re committed to keeping our customers happy and our user data safe and compliant. This document will be updated with ongoing changes around data privacy. If you have any concerns, please email nancy@sideqik.com or zubair@sideqik.com.

Responsible Disclosure

If you have discovered a vulnerability in the Sideqik application, please do not share it publicly. Instead, submit a report by email to support@sideqik.com in the format below. We review every security concern brought to our attention, and we take a proactive approach to emerging security issues.

Subject: VDP –
Body:
Your name (or pseudonym):
Vulnerability name:
Domain affected:
Impact to confidentiality? Y/N
Impact to integrity? Y/N
Impact to availability? Y/N
Steps to replicate:
  Step one
  Step two
  Step three
Proof of concept screenshot, scrubbed of any PII or sensitive information, if applicable.

If you believe your account has been compromised, or you see suspicious activity on your account, please email support@sideqik.com.