What is gdpr?
On May 25th, 2018, the General Data Protection Regulation will take effect. The GDPR aims to give control of personal data back to the citizens while harmonizing the data protection regulations throughout the EU.
At iPaper, we have been following the GDPR closely and have been making a number of changes to our product and processes. This is to ensure that we are fully compliant with the GDPR as well as ensuring that our customers can remain compliant with the GDPR while using iPaper as well.
- Data subject
This is the individual person for whom you may gather and store data.
- Data controller
This is the iPaper user who is ultimately responsible for controlling the data of the data subjects.
- Data processor
This is iPaper who processes the data of data subjects as asked by the data controller.
Data processor agreement
The GDPR forces all data controllers to document their processing of data and to ensure that any processors they use also live up to the GDPR. We have made a Data Processor Agreement (DPA) that documents what data we process as well as how we process it. To access our DPA, please sign in to your iPaper account and go to "Legal & Compliance" where you will find a link to the DPA. If you are not already a customer and would like a copy of the DPA, feel free to write to email@example.com.
Upcoming product changes
To ensure that the iPaper product is compliant with the GDPR and to give you the tools to ensure your own compliance with GDPR, we are implementing a number of product changes.
One of the main tenets of the GDPR is to increase transparency and ensure that the data subject consents to any use of personal information. While it is possible to add consent checkboxes to most iPaper forms, we are building it into the product directly, ensuring any stored consents are valid. Going forward, it will be possible to include a required consent option when designing Forms & Pop-ups in iPaper. When the data subject gives consent, we store that fact along with the actual text the data subject gave consent to enabling you to document the consent given at a later time.
Status: Implemented - Already available
Cookie consent banner
Status: In progress - Available mid-May
Anonymization of IP-addresses
We use the IP address of data subjects to determine their geographical location on a regional basis as well as to protect against fraud and misuse. We will no longer store exact IP-addresses. Once we have used the raw IP temporarily, it will be discarded and only a generic non-unique part of the IP address will be stored for logging purposes.
Status: Implemented - Already available
Automatic deletion of data
iPaper has never been used or intended as a permanent storage location for personal data. Newsletter signups are forwarded to customers' marketing systems shortly after signing up. Shop orders are sent directly to customers' ERP systems or forwarded as emails to sales staff. Competition signups are exported to Excel on a weekly basis. As such, there is no reason for this data to stay in iPaper for longer than necessary.
To ensure no data is forgotten in iPaper, we will start automatically deleting any data that may contain personally identifiable information after a three-month period. This leaves ample time to export the data into the customer's own systems while still keeping a backup in iPaper for three months.
Aggregated data will not be deleted. All statistics, visitor analytics, heatmaps, conversion rates, etc. will thus be stored forever. None of this data can be pinpointed to any individual person and is thus not in the scope of GDPR. So what will be deleted?
- Pop-up conversions - E.g. the values submitted by the data subject. Conversion numbers & rates will still be stored.
- Form submissions
- Shop email checkouts - Statistics, flipbook & product-level revenue is still stored, just not the orders' customer data.
- Cards created using the Card Generator
This auto-deletion policy will take into effect on May 25th and the first deletion of data will thus occur on August 25th, 2018. At this point, any of the above data that is more than three months old will be deleted on a daily basis.
Status: Implemented - First deletion occurs on August 25th, 2018
Data subject rights
Besides increasing the control on how data is stored and processed, the GDPR also ensures that data subjects own their own data. This gives the data subjects control over their own data, granting them the right to access their own data, to correct their own data, and to request their data to be deleted (e.g. forgotten).
- Right of access
You can export all data from your iPaper account and thus provide relevant data to the data subject.
- Right to be forgotten
The automatic deletion of data will ensure that no historical data is stored, leaving only the most recently submitted data in iPaper. If you need help in removing a specific data subjects data, reach out to firstname.lastname@example.org and we will help you out.
- Right to rectification
Most data submitted by data subjects cannot be edited directly. If you need help in correcting any of this data, please reach out to email@example.com and we will help you out.