On May 25 2018, a new European privacy law, General Data Protection Regulation (GDPR), will come into effect that will require extensive changes by organizations with respect to the collection and processing of personal data.

The GDPR is considered a revolutionary change and is expected to set new standards on how such data is protected by organizations. For more information, here are a few questions to help you learn more about GDPR and how Q4 is getting ready.

What is GDPR?

Vee Punia, Q4’s Director of IT & Infrastructure, explained the basics of General Data Protection Regulation (GDPR) in a blog post which you can read here.

back to top

How is Q4 preparing to become GDPR compliant?

Q4 plans on being fully compliant by the GDPR’s effective date of May 25th, 2018. You can follow along with our progress by checking up on our GDPR Readiness Statement.

back to top

Where should you start in order become GDPR compliant?

A blog post of questions for your organization to prioritize when considering GDPR has been published for your convenience.

back to top

How do I ensure my Q4 email alerts are compliant?

  • What does Q4 recommend?

    Q4 recommends that you use clear and unambiguous language, are specific about the type of information that will be received, as well as transparent if there is any sharing of users’ information. You can review our blog post on Email Alert Recommendations for further details.

  • Do I need to re-obtain consent from my subscribers?

    If you believe that your organization has sufficient documentation to demonstrate proper consent mechanisms, meets GDPR standards, or is able to use any of the other five lawful bases for processing of personal data, then it may not be required to re-obtain consent. However, please note that your organization’s circumstances may vary, so please ensure that you review this recommendation with your legal counsel.

    Email subscribers who have been obtained through your Q4-hosted site are validated and recorded as such. For each subscriber, Q4 tracks the exact date & time when they provided their email address and, additionally, can confirm whether they had activated their email subscription or not as part of the double opt-in process.

back to top

How does Q4 handle Subject Access Requests?

According to the GDPR, our clients would be considered Data Controllers (or those who determine what and how data is to be processed). On the other hand, Q4 provides the tools to obtain personal data and would be the Processor (in other words, we process data on behalf of our clients).

Should Q4 receive a Subject Access Request (or request about what personal information is stored) directly from a Data Subject or the individual whose personal data is processed, we will ask the data subject to contact the organization they provided their information to.

In turn, when our clients (the controller) reach out to us for assistance in providing the information that a data subject has requested, Q4 will work directly with our clients as part of our GDPR obligation.

It is important to note that the responsibility of ensuring the identity of the data subject rests upon the Controller. The GDPR expects controllers to make use of appropriate means in this regard and we encourage our clients to work with their legal teams to determine the best way to accomplish this.

back to top

Does Q4 store any of the data from Google Analytics?

No user traffic or web analytics data is stored with Q4. All data is sent to Google and accessed from the CMS through the Google Analytics API.

For Google Analytics profiles managed by clients and used within our products, Q4 recommends the following actions:

Please note that these are Q4’s recommendations only and we encourage our clients to work with their legal and IT teams to determine the scope of GDPR’s applicability within their organizations.

back to top

What 3rd parties are potentially involved in the handling of private data for Q4 services and products?

A list of current sub-processors and their roles can be found here: Sub-processors of private data

back to top