Countly & the GDPR: How world’s leading mobile and web analytics platform can help organizations conform to the new regulation

The world’s most challenging regulation regarding data privacy and subject security will come into force as of May, 2018. Countly staff have been working to make sure that the whole platform is compliant when it comes to tracking web and mobile users. This paper outlines most important items of the GPDR, and how Countly answers them.

General Data Protection Regulation (GDPR) law provides EU citizens with a wider array of rights which will be enforced against organisations worldwide that process personal data. These rights in some cases limits the ability of organisations to lawfully process the personal data of EU citizens, and in some cases these rights may have a significant impact upon an organisation’s business model.

The GDPR directive is a regulation that covers processing of personal data. In general terms, this directive sets out a number of data protection requirements which is applied when personal data is processed.

As can be easily derived, this directive makes it easier for data subjects to find out what personal data companies hold about them, and give them more details about how their data is handled, what it is used for, and if required, also gives data subjects the ability to move it from one service to another.

People will also have a right to know when their data has been hacked, as well as the right to be forgotten, which will require companies to delete people’s personal data when asked to.

Therefore, new rules come up with a lot of changes in the way companies do business and handle subject data. According to NetApp’s research, only 7% of small business respondents claim they fully understand the rules, and 14% admitting they don’t even know what GDPR is. Only 19% of small business IT decision makers and CIOs claiming to be totally prepared for the legislation deadline. Therefore the major issue seems to be the lack of understanding what GDPR will bring in.

The GDPR has two important purposes:

• First, the EU wants to give people more control over how their personal data is used.
• Second, the EU wants to give businesses a simpler, clearer legal environment to operate, making data protection law identical.

Cloud service providers such as Amazon and Azure have already declared GDPR compliance. For example, Amazon has a page dedicated to EU data protection regulations, here. Microsoft also claims that they are committed to GDPR compliance across cloud services when enforcement begins on May 25, 2018, and provide GDPR related assurances in their contractual commitments.

Why is GDPR important to you?

The GDPR covers all companies that deal with the data of EU citizens, but especially it is a critical regulation for corporate compliance officers at banks, insurers, and other financial companies.

The GDPR is critical in many ways, including:

• Penalties for violations: Serious violations can result in fines of up to €20M or 4% of the offending company’s global annual revenue, whichever is higher.
• The “personal data” definition has been expanded: Personal data means any information relating to an identified or identifiable natural person. IP addresses, application user IDs, Global Positioning System (GPS) data, cookies, media access control (MAC) addresses, unique mobile device identifiers (UDID), and International Mobile Equipment IDs (IMEI) are some examples.
• “Technical and organisational measures” require adequate general information security controls: The GDPR is asking controllers to employ information security frameworks, which enables professionals to create consistent, repeatable processes and implement controls that are generally accepted by the information security community.

What does the GDPR bring?

There are several rights that GDPR imposes for EU citizens, and here is a list of the most crucial items:

• Right to erasure (the “right to be forgotten”) Data subjects are entitled to require a controller to delete their personal data if the continued processing of those data is not justified.
• The right to restrict processing: In some circumstances, data subjects may not be entitled to require the controller to erase their personal data, but may be entitled to limit the purposes for which the controller can process those data.
• Notifying third parties regarding rectification, erasure or restriction: Controllers must notify any third parties with whom they have shared the relevant data that the data subject has exercised those rights.
• Right of data portability: Data subjects have the right to transfer their personal data between controllers (e.g., to move account details from one online platform to another). Also, data subjects have the right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers.
• Right to object to processing: Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data, where the basis for that processing is either: public interest; or legitimate interests of the controller.
• Right to object to processing for the purposes of direct marketing: Data subjects have the right to object to the processing of personal data for the purpose of direct marketing, including profiling.

Note that the GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. So for example, a German citizen buying a new pair of shoes from the US, and that US company will need to comply with GDPR.

How does Countly help with GDPR compliance?

If your organization collects, hosts or analyzes personal data of EU residents, GDPR provisions require you to use third-party data processors, including mobile and web analytics providers, who guarantee their ability to implement the technical and organizational requirements of the GDPR.

We have worked with many companies to date and we have an extensive knowledge in this domain, especially when it comes to General Data Protection Regulation (GDPR), HIPAA and COPPA, collaborating with several parties and conforming to their standards and regulatory laws. This has enabled us to make Countly the platform of choice when it comes to data privacy and security.

Below you can read some of the unique features of Countly and how it helps secure sensitive information.

• Self-hosting options: Countly can be installed on-premise (i.e. either in your own data center or with a trusted hosting partner), allowing for a greater depth and breadth of security and control. Self-hosting means that no third party (not even Countly) ever has access to your data unless you permit it. When installed on-prem, the only stakeholder is the owner of the Countly instance, hence the control.
• Right to be forgotten: If an EU citizen asks for his data to be removed, it can be completely wiped out in Countly. Countly also has a “blocking rule” plugin which blocks data from reaching Countly database using several criteria like username, email, IP address, deviceID etc.
• Do not track: GDPR also stipulates that individuals have a right to ‘block’ or suppress processing of personal data. If an individual decides not to be tracked, Countly has a function to support this. If it is invoked, then we do not track that user at all.
• Data portability: Our database schema is completely open, allowing any Countly client to transfer data from Countly to another service easily. This can be done in a few ways, e.g using MongoDB command line or via API calls.
• Data-at-rest encryption: When data is stored, we can use data-at-rest encryption, further enhancing the security of personal data, making it impossible for a rogue employee to reach this data.
• Secure transmission: Data collected from devices are sent over a secure channel, and cannot be tampered — this eliminates intruders and potential man-in-the-middle attacks.
• Extensive system audit logs: There are more than 30 different system logs collected, and this helps system administrator know what is happening inside the server. In case of an emergency or an audit, logs can be viewed, allowing organization insight into what has happened and the cause of issue.
• Login security: We have several methods to keep logins secure — Countly can require strong passwords, only permit logins via HTTPS, and ban users when there is a brute force attack.
• Storage location: Customers choose the region(s) in which their customer content will be stored. We will not move or replicate customer content outside of the customer’s chosen region(s).
• Access levels: Countly dashboard users can only view what what has been enabled for them. Administrators have the ability to disable a menu item or a view (e.g User Profiles) for specific users. Customers manage access to their data and Countly resources. We provide an advanced set of access, encryption, and logging features to help you do this effectively.
• No IP address storage: Countly doesn’t store any IP address, but rather converts IP to user’s city and then discards IP. For customers for whom this is an issue, Countly has the ability to completely remove city and country information.

Moreover, to further earn your trust, we have modified our agreements available regarding GDPR assurance. Our guarantee stipulates that you can:

• Ask us to correct, amend or delete personal data.
• Ask us if there is a detect and report personal data breaches in a case.
• Ask us to demonstrate our compliance with the GDPR, e.g regarding personal data collected.

Depending on the type of instance (self-hosted or virtual cloud), chances are our customers can either follow the items above or get it done themselves.

Our customers care deeply about privacy and data security. That’s why Countly gives them data ownership and instance control over their content via powerful tools that allow customers to define where their data will be stored, secure their data in transit or at rest. Countly is one of the first analytics platforms to declare GDPR compliance, and we’ll strive to comply with GDPR rules in the future as they are changed.