May 21st 2018
GDPR – Building a Compliant Network (Part 2 of 3) Copy
In part one of our GDPR series we reviewed the ins and outs of GDPR, its effect on the definition of “personal data,” and the additional obligations this places on various participants in the ecosystem. In part two, we’ll discuss the changes Vungle made to bring our systems into compliance. In the third installment, we will discuss the new tools and processes for our customers to manage consent and ensure the continuity of their data relationships. And just a reminder – this is not legal advice, and you should work with your legal team to determine what is appropriate for your specific situation.
As a data-centric company, the changes required by GDPR touch many aspects of Vungle’s business. At the same time, the analysis on how Vungle uses, stores, and manages data has uncovered improvements that will reduce Vungle’s infrastructure costs over time, so there is a bit of a silver lining here after all.
As we mentioned in our previous post, Vungle embarked on a compliance project in mid-2017, with a cross-functional working group and support from external advisors to become GDPR-ready by the upcoming enforcement deadline of May 25, 2018. While the entirety of the undertaking is more than we can cover in a blog post (or six), some of the changes we’ve made include:
- SDK Updates: Added the ability for publishers to obtain and record consent for data collection. Download the GDPR-compliant SDKs here
- Data Minimization: Established mechanisms to collect only data that is needed, and pseudonymization of that data (i.e. replacing or modifying identifiable details so as to prevent tracing such data back to an individual in the event of a security breach) wherever possible
- Data Retention: Implemented a data retention schedule across all our systems so that we routinely delete or fully anonymize data we no longer need
- Data Mapping: Undertook a data mapping exercise to clarify what data Vungle holds, what happens to it and create the necessary data processing records
- Individual Rights: Formalized processes around data subject rights to ensure that Vungle is able to respond comprehensively and within the timeframes laid out in GDPR
- Transparency: Updated Vungle’s privacy notice and internal policies for GDPR compliance
- Vendor Agreements: Updated existing arrangements with third-party subprocessors to ensure GDPR compliance as well as vetting new subprocessors; and
- Security: Ensured continued use of adequate security measures to safeguard any data collected and processed on systems owned or managed by Vungle
In our next installment, we’ll explore what advertisers and publishers need to consider in their compliance efforts.
Part 3: Getting ready for GDPR – Practical Considerations (coming soon)
Guidelines on Consent from the European Commission Article 29 Working Party
If you have GDPR-specific questions, please contact GDPR@vungle.com.