General Data Protection Regulation (GDPR)

Introduction

The GDPR enforcement puts the control of personal data, collected by businesses, in the hands of the individuals it belongs to, protecting the rights of EU residents. The regulation delineates individuals’ rights to access, rectify, and restrict the processing of personal data, among other key provisions, and aims to unify privacy and security laws for all organizations operating within the EU.

In the context of this user document, we will be focused on how to implement the different rights once invoked by the Data Subjects.

Nomenclature

  • Data Subject: End Users
  • Data Controller: Plumb5 Customers
  • Data Processor: Plumb5

Contractual Obligations

Data Processing Agreement (DPA)
All customers of Plumb5 have to sign the DPA. To account for this, on login each user will have to go through our Terms of Service, Privacy Policy, and accept the same.

Data Subject Rights

Right to Erase

1. What is it?
This right allows end users to delete all information about them from Plumb5 servers.
2. Plumb5 Implementation
Data Controllers can use this REST API on their respective accounts to delete all data for a given profile from the Plumb5 servers by passing one of the 2 unique profile identifiers:
  • Email Address
  • Phone Number
Curl

# Replace each {...} placeholder before running; the delete is immediate and cannot be rolled back.
curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
"ApiKey": "{your Plumb5 API key}",
"AccountId": {your Plumb5 Account ID or AdsID},
"EmailId": "String",
"PhoneNumber": "string"
}' 'https://{your plumb5 Domain}/API/Contact/DeleteContact'

3. Access Control
Only Admin users have the right to erase user information.
4. Implications

  • The customer will have to stop sending future data for the profile thus suppressed
    • Once the user hits delete for a profile, all data coming from any device associated with the user will also have to be stopped.
  • Unreachable on Marketing Channels
    • Since the data of the user is deleted, there is no way to reach out to the user on marketing communication channels. Data controllers will have to opt the users out of ALL marketing channels.
  • Platform Implications
    • You will not be able to view the profile page of the said user post delete.
    • You cannot roll back erase, once called. There is no way to get the information back, once the delete function is invoked.
    • The delete happens immediately and cannot be rolled back.
    • Funnels, cohorts, pivots and other analytics will be impacted as the numbers may show some data inconsistency for a small period due to data deletion.
    • Users cannot download the profile information of the said user from anywhere on the dashboard.

5. Default state
Profile will be erased only on explicitly calling it via API by the Super Admin.
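
Because the erase call is immediate and cannot be rolled back, a wrapper that validates the identifier and defaults to a dry run is useful; the following is an added Python example, not Plumb5's own code. The endpoint path and field names come from the curl call above; the function names, the confirm switch, the validation patterns and the empty string sent for the unused identifier are assumptions.

```python
import json
import re
import urllib.request

ENDPOINT_PATH = "/API/Contact/DeleteContact"  # path as given on this page
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # assumed sanity check
PHONE_RE = re.compile(r"^\+?[0-9]{6,15}$")            # assumed sanity check


def build_erase_request(domain, api_key, account_id, email=None, phone=None):
    """Return a urllib Request for one profile; nothing is sent here."""
    # Exactly one identifier per call, so one request maps to one erasure ticket.
    if bool(email) == bool(phone):
        raise ValueError("supply exactly one of email or phone")
    if email and not EMAIL_RE.match(email):
        raise ValueError("malformed email")
    if phone and not PHONE_RE.match(phone):
        raise ValueError("malformed phone")
    # Reject anything that would change the host the API key is sent to.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", domain):
        raise ValueError("domain must be a bare host name")
    body = {
        "ApiKey": api_key,
        "AccountId": int(account_id),
        # Assumption: the unused identifier is sent as an empty string.
        "EmailId": email or "",
        "PhoneNumber": phone or "",
    }
    return urllib.request.Request(
        url=f"https://{domain}{ENDPOINT_PATH}",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )


def erase_profile(request, confirm=False, timeout=10):
    """Send the irreversible delete only when confirm=True; else dry run."""
    if not confirm:
        return {"sent": False, "url": request.full_url}
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return {"sent": True, "status": resp.status}
```

Read the API key from a secret store or environment variable rather than hard-coding it, since it travels in the request body.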

Right to Modify/Rectify

1. What is it?
This right allows users to modify/rectify any profile data stored about them.
2. Plumb5 Implementation
  • API: Plumb5 has provided this API, which allows Data Controllers to upload profile information of their users. Hence, if a Data Subject requests a profile change, the Data Controller can upload the profile data of the user via the API.
  • .CSV Profile upload: Under the settings section of your dashboard, we allow users to upload user profiles via a csv file. You will find it under
    Contacts-->Contacts Imports-->Start an Import
3. Access Control
Only Admin users have the right to erase user information.
4. Implications
The old profile information will be overridden with the new profile for the given user identifier. If the user identifier is not found, a new profile will be created
5. Default State
Profile will be erased only on explicitly calling it via API or via Import Contacts by the Super Admin

Right to Access

1. What is it?
This right allows users to access data which has been captured about them by the Data Processors.
2. Plumb5 Implementation
  • Platform Download: This allows Data Controllers to download data about their specific users as a csv file
  • API Download: This API allows users to download data about specific users via identities

Right to Data Suppress (Opt Out)

1. What is it?
This right allows users to opt out of sharing any data with Data Processors.
2. Plumb5 Implementation
  • Plumb5 Web Script & Mobile SDK allows you to hook an opt out flag to the CTA on your app or Website.
  • If the opt out flag is set to disable, we will continue collecting data of the said user from the said device.
  • If the opt out flag is set to enable, our SDK or Script will stop sending any data from the said device onto our servers. Data is blocked at the SDK or Script level itself.
4. Implication
  • All analytics data like funnels, flows, cohorts, etc. will not contain these users’ data.
  • Campaigns will not be sent to these users (even though they qualify) as the data is stale.
  • To validate the state of the optout, we will provide the flag as a profile variable on the profile page of each user.

Opt In

  • If a user who has opted out chooses to opt back in, all data will be appended to the same profile if identified as an existing user.
  • The user will be treated as the same user (we will not create a new profile for the user).

FAQs

What is GDPR?
  • The General Data Protection Regulation (GDPR) came into force primarily to give citizens of the EU more rights and power to control their personal data and the information they share with the businesses they deal with.
  • To elaborate a little more - in the current situation users of your app are the data subject, your app/business is the data controller while Plumb5 acts as a data processor.
  • As a data processor - our SDK or Script captures only two data points about the user
    • Machine ID of the device - We use this to create a hashed Plumb5 ID in order to identify devices.
    • Location - using a reverse IP lookup powered by db-ip.com, Plumb5 is able to capture the city level location of the user.

Is GDPR applicable to me?
Under the GDPR, it is the location of the individual whose personal data is being processed that determines whether the concerned firm should comply. This means that the GDPR will apply to all organisations, whether within the EU or outside of it, that offer their product or service to individuals in the EU when their data is being collected. In addition, it is also recommended under the GDPR that your marketing communications be on a default opt out.

That said, your legal/compliance teams will be in a better position to answer if your app/business falls under the purview of GDPR regulations.

GDPR doesn't apply to me. What next?
If GDPR doesn't apply to you, then life continues as usual with regard to profile creation. You can simply allow Plumb5 to track the device and location.

GDPR applies to me. What next?
What your legal/compliance team needs to find out is whether allowing Plumb5 to track the above two data points (MachineID & Location) falls within the purview of your GDPR compliance.

Last Modified: 1st January 2021