Pipe's commitment to GDPR
Intro to GDPR
The GDPR (General Data Protection Regulation) is a new European privacy law adopted by the European Commission in 2016, designed to strengthen, modernise and unify the data protection laws for ALL individuals within the European Union.
GDPR will replace the prior EU privacy directive (95/46/EC), which has been the basis of European data protection law since 1995.
The GDPR will be enforceable starting 25th May 2018.
There's a high chance GDPR will apply to you too as GDPR applies to:
- all organisations operating in the EU
- all organisations (irrespective of location) involved in processing personal data of individuals located in the EU.
This means GDPR could apply to any organisation anywhere in the world, and thus it sets a high bar for privacy rights and compliance GLOBALLY.
Anyone can read the GDPR legislation at https://gdpr-info.eu/. It's quite an easy read as it's written in common language, not in legalese.
We are actively preparing our business for the GDPR. Pipe will be fully compliant with the regulation by 25th May 2018 with respect to both the data that we collect FROM our clients/trials during sign up for our own purposes (as data controller) and the data we collect FOR our clients in their use of the Pipe service (as data processor).
What is Pipe doing to achieve compliance
We've thoroughly read the EU documentation on the GDPR, reviewed most of the material available on the GDPR, and discussed with our legal counsel to understand its impact on Pipe and our customers. We are now at a stage where we understand the regulation, the key concepts and what needs to be done moving forward.
Here are the changes we are making to be compliant as data controller in regards to the personal data we collect for our own purposes (account name and email, access logs):
- Pipe accounts can view & edit all the personal data we store (name, email).
- Pipe accounts can now be deleted together with all the related data (video files & metadata, logs, credentials, etc.).
- Deleted old data we were storing (ICE candidates from our discontinued WebRTC recording client, old email lists on MailChimp, etc.).
- Set up a tight retention policy for our website's Apache logs (28 days). Apache logs contain the IP, visited page, GET parameters and the user agent.
- Set up a tight retention policy for our media server logs (28 days). Media server logs contain the IP of the recording device.
- Created a Record of Processing Activities as the videos we process might contain sensitive data related to ethnicity/race.
- Appointed a Data Protection Officer as the videos we process might contain sensitive data related to ethnicity/race.
- All personal data is stored in the EU, hosted either by EU organisations (EmailOctopus) or by US organisations (DigitalOcean) covered by an "adequacy decision", such as participation in the Privacy Shield.
- Educated all staff on the GDPR.
- Set up a tight retention policy for personal data associated with expired trial/subscription accounts, data that we collect as a controller (90 days).
What is Pipe doing to help you achieve compliance
We've made the above changes so that Pipe is compliant with the GDPR as a data controller in regards to the personal data it collects from its account holders (email, name) and website visitors, but we're also making changes towards being compliant as a data processor in relation to the data we process for you (audio & video files, snapshots, device names, IPv4 addresses, user agents, referer, etc.).
Do you need to comply with the GDPR?
You should consult with legal counsel regarding the full scope of your compliance obligations, but generally speaking, if you are an organisation established in the EU or one that processes personal data of EU citizens, you have to comply with GDPR. If you're selling to businesses, your EU customers will also have a hard requirement for you to comply with GDPR.
What happens if you do not comply?
Non-compliance with GDPR can result in fines:
- as high as 20 Million Euros or 4% of annual global turnover for blatant violations of the individual's rights, of the basic principles for processing (including the consent rules), and of the rules for data transfers to international organisations set forth in the GDPR legislation;
- as high as 10 Million Euros or 10% of annual global turnover for blatant violations of your obligations as a data controller or processor.
Controller or Processor?
In the context of the Pipe platform and the data we collect and process for our customers, our customers are acting as the controllers and we act as the processor for their data.
Here are the changes we have made, or are making, to be compliant as data processor in regards to the data we process for you:
- Highlighted all personal metadata (collected with the recordings) in the Pipe account's recordings list to help you with awareness.
- Reviewed code for deleting videos (through the REST API, UI, account deletion and on trial/subscription expiration) to make sure the snapshot & video files are deleted together with any (personal) metadata gathered with the video.
- Set up a tight retention policy for the video files and video metadata we collect as a processor once the trial/subscription expires (28 days).
- Updated our REST API and webhooks to make sure it transmits all (personal) metadata we collect with the videos.
- All personal data is stored in the EU, hosted by US organisations (Amazon Web Services, DigitalOcean) covered by an "adequacy decision", such as participation in the Privacy Shield.
- Implement a Do Not Store (Personal) Metadata option alongside the existing Do Not Store (Files) option.
- Update our Terms of Service to stipulate all clauses required under Art. 28 (3) of the GDPR.
- Remove the HTTP referer data from all but 1 of our webhooks.
We'll continue to take appropriate technical and organisational measures so that processing meets the requirements of the GDPR and ensures the protection of the rights of the data subject.