The GDPR (General Data Protection Regulation) is a piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. It is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the the 1995 Data Protection Directive.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the European Union. The regulation will become effective and enforceable on May 25, 2018.
The GDPR regulates the processing of personal data (often referred to as Personally Identifiable Information, or PII) about individuals in the European Union including its collection, storage, transfer, or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “Data Subject”).
This legislation gives Data Subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect.
What We’re Doing
Gimbal began researching and pursuing compliance in 2017. The GDPR is a complex piece of legislation and we’ve been working with privacy experts and our attorneys to be sure you’re compliant with the GDPR. The privacy and security of our customers (and their customers) are of utmost importance to us.
Gimbal is fully committed to achieving and upholding ongoing compliance with GDPR prior to the effective date.
What is changing for Gimbal Media/Agency customers?
Gimbal Media does not collect any EU personal data, nor processes any personal data. Gimbal Media will neither be a Data Controller nor a Data Processor.
What is changing for Gimbal Enterprise customers?
Gimbal Enterprise Product after 25th May, 2018
Gimbal Enterprise product which includes Gimbal Manager, SDK, Beacons, and Gimbal Beacon Manager will be GDPR Compliant. We are providing two options for our customers:
Option 1: No Location Services in GDPR Regions
By default, Gimbal’s Location SDK will be instructed by Gimbal servers not to process (collect or report) any personal data from end-users who are in GDPR regions starting May 25th, 2018 without the need for the app being updated.
Note: Your application itself – independent of Gimbal – may be collecting data which may or may not be GDPR compliant.
Option 2: Developers Planning on Using Location-Based Services (via Geofences and Beacons) through Gimbal Location SDK
If you intend to offer location-based services using Gimbal SDK, your organization will be required to update your mobile application with the latest Gimbal SDK.
What is Gimbal’s approach to GDPR?
GDPR defines two different roles for organizations that come in contact with customer information. According to Article 4 of the EU GDPR, different roles are identified as indicated below:
- Controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.” In other words, they regulate the ‘how’ and ‘why’ information is collected.
- Processor “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” These groups handle the technical aspects for the data controller.
Gimbal helps our customers process their customer’s information, most often through their own mobile applications. According to GDPR, Gimbal is then considered a data processor and our customers as Data Controllers. Data Controllers can then analyze the data and use it for the purposes defined by the Consent form.
Which countries does GDPR apply?
GDPR applies to all EU member nations including Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
Does it apply to UK?
Yes, it applies to the United Kingdom as well. Please see https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/ for further details.
I am an App developer with Data Subjects in EU regions. Who is the Data Controller?
Gimbal’s technology helps our customers process their customer’s information through their own mobile applications. According to GDPR, our customers are then Data Controllers. It is important per GDPR that you, as a developer, have appropriate user consent for location data and it’s usage.
I am an App developer with Data Subjects in EU regions. Am I going to be GDPR Compliant?
Your application may be using other SDKs and may be collecting Data defined as Personal Data under GDPR. We recommend you do a Data Audit for your application and other SDKs you have.
As far as the Gimbal SDK is concerned, on or before 25th May, 2018 Gimbal will not collect Personal Data coming from EU regions in order for your mobile application to be GDPR compliant. However, you may have to update your application with the latest Gimbal SDK, Gimbal Manager configurations, and most importantly obtain user-consent in order to remain GDPR compliant.
Should you have any questions, please reach out to your Gimbal Representative or email firstname.lastname@example.org.
If you’re a Gimbal Manager customer, please visit our knowledge base for a deeper dive into GDPR