Vee Punia, Q4’s Director of IT & Infrastructure, explained the basics of General Data Protection Regulation (GDPR) in a blog post which you can read here.

Q4 plans on being fully compliant by the GDPR’s effective date of May 25th, 2018. You can follow along with our progress by checking up on our GDPR Readiness Statement.

A blog post of questions for your organization to prioritize when considering GDPR has been published for your convenience.

• What does Q4 recommend?

  Q4 recommends that you use clear and unambiguous language, are specific about the type of information that will be received, as well as transparent if there is any sharing of users’ information. You can review our blog post on Email Alert Recommendations for further details.

• Do I need to re-obtain consent from my subscribers?

  If you believe that your organization has sufficient documentation to demonstrate proper consent mechanisms, meets GDPR standards, or is able to use any of the other five lawful bases for processing of personal data, then it may not be required to re-obtain consent. However, please note that your organization’s circumstances may vary, so please ensure that you review this recommendation with your legal counsel.

  Email subscribers who have been obtained through your Q4-hosted site are validated and recorded as such. For each subscriber, Q4 tracks the exact date & time when they provided their email address and, additionally, can confirm whether they had activated their email subscription or not as part of the double opt-in process.

According to the GDPR, our clients would be considered Data Controllers (or those who determine what and how data is to be processed). On the other hand, Q4 provides the tools to obtain personal data and would be the Processor (in other words, we process data on behalf of our clients).

Should Q4 receive a Subject Access Request (or request about what personal information is stored) directly from a Data Subject or the individual whose personal data is processed, we will ask the data subject to contact the organization they provided their information to.

In turn, when our clients (the controller) reach out to us for assistance in providing the information that a data subject has requested, Q4 will work directly with our clients as part of our GDPR obligation.

It is important to note that the responsibility of ensuring the identity of the data subject rests upon the Controller. The GDPR expects controllers to make use of appropriate means in this regard and we encourage our clients to work with their legal teams to determine the best way to accomplish this.

No user traffic or web analytics data is stored with Q4. All data is sent to Google and accessed from the CMS through the Google Analytics API.

For Google Analytics profiles managed by clients and used within our products, Q4 recommends the following actions:

• Accept Google’s Data Processing Agreement: https://support.google.com/analytics/answer/3379636?hl=en

• Let our Support Team know if you use any filters that involve IP addresses and would like to continue to do so once the GDPR is in effect. By May 25th, Q4 will be anonymizing IP addresses, so these filters will be affected. You can learn more about IP Anonymization here: https://support.google.com/analytics/answer/2763052?hl=en

• Review your data retention controls. Additional information can be found here: https://support.google.com/analytics/answer/7667196

Please note that these are Q4’s recommendations only and we encourage our clients to work with their legal and IT teams to determine the scope of GDPR’s applicability within their organizations.

A list of current sub-processors and their roles can be found here: Sub-processors of private data