As a data collector who wants to use data to make high-impact marketing decisions, not only must you ensure that your data collection practices stay in compliance with regulations, but you must also guarantee that the companies you partner with for data processing adhere to current regulations. It’s crucial that you partner with trusted companies because the penalties for not being compliant fall on you as the data collector.
In the ever-changing landscape of data compliance, it’s helpful to have a trusted partner who understands the regulations and works with the best interest of your company’s compliance standards. This gives you the peace-of-mind that you meet the required regulations, such as GDPR and CCPA.
Though these regulations continue to be reformed over time, let’s take a look at where they stand at the moment.
The regulations.
The EU General Data and Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have been designed to give individuals control over their own data. While similar in some respects, GDPR and CCPA are different from one other. Here’s an overview of each:
CCPA
- Applies to for-profit entities doing business in California that meet certain conditions.
- Defines personal information as being capable of being associated with or could be reasonably linked directly or indirectly with a particular entity, including IP addresses, email addresses, driver’s license numbers, Social Security numbers, and passport information.
- Consumers can have their data deleted, except in cases such as if the data is necessary to express freedom of speech, fulfill a contract, or conduct scientific, historical, or statistical research.
- A business must include an opt-out link on their homepage that says “Do Not Sell My Personal Information.”
- A business must post a privacy notice on their website.
- A business has 30 days to fix a violation.
- Intentional violators can incur penalties of up to $7,500 per violation.
GDPR
- Applies to businesses, public bodies, and non-profits processing data from the EU.
- Defines personal data as information, both direct and indirect, pertaining to someone who can be identified, including name, ID number, location data, biometric data, and passport information.
- Determines principle of ownership rights, including the right to be forgotten and the right to know if data is being collected.
- Requires individual consent (affirmative opt-in) to collect personal data.
- Violators can incur fines of up to four percent of the company’s global annual revenues or €20 million, depending on which one is higher.
The data processor’s role.
When you partner with a data processor, such as MSIGHTS, they process data on your behalf. In other words, our role is to maintain and ensure compliance once the data has been collected and processed. If personal data needs to be removed, we fully understand all the places the data lives and properly remove it, while also providing proof of removal, should that be requested.
At MSIGHTS, we align with our clients on standards and flexibly build compliance into specific platform applications to further meet their individual needs as a data controller. We take this partnership seriously, signing a Data Processing Agreement with the data controller.
As Ivan Aguilar, our CTO and co-founder, said, “We only process data from valid media publishers who are compliant in their processes for lead collection. If they don’t follow compliance, then we cannot pass along lead information to our clients.”
To ensure the proper compliance and handling of data, we wholly practice these three fundamentals:
- Awareness: “MSIGHTS understands the importance and sensitivity of data,” Ivan explained. “That’s why we make the control of data a top priority across the entire company. We continuously train all personnel on data privacy, security, and procedures. Every asset in the company is continuously under security assessment and procedures review; from our physical offices, networks, computers, laptops and servers.”
- Monitoring: We monitor and classify data. We know where the data is sent and who participates throughout the data movement. “We support the Data Controllers, feeding them with valuable lead information, so we don’t take our role in data security and privacy lightly,” Ivan said. “We do not alter the original data, and we rate the data for compliance. As a company we have open channels in the case that the Data Controller receives a removal or change request. We respond within 24 hours.”
- Detection/Response: “Every step in the process of data movement is logged and recorded. If we notice data concerns, we make sure we have all records. In this way we can anticipate, detect and respond in case of suspicious activity.”
As a data processor, we must verify that all our processes are compliant within established guidelines, which is why we maintain HIPAA One, TRUSTe, and EU-U.S. and Swiss-U.S. Privacy Shield certifications.
The great data that can result.
Great data leads to great marketing results. But that data must be collected within the current compliance guidelines. Because data regulations continue to change, it’s important to partner with a data processor who builds compliance, controls, and continuous awareness and education into their operations.
If you’d like to learn more about how we can help you turn data into marketing results, while adhering to data compliance regulations, contact us today.