On May 25, 2018, the EU General Data Protection Regulation (GDPR) will become effective, bringing new global data protection rights for individuals in the European Union.
FullStory wholeheartedly supports the privacy rights of its customers and their users and is proactively working toward GDPR compliance by May 25, 2018.
In addition to its commitment to GDPR, FullStory is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Framework. FullStory offers a data processing agreement (DPA) for customers processing information on behalf of EU and Swiss citizens. Please contact firstname.lastname@example.org for more information.
As we all work to understand and apply GDPR concepts to our own businesses, we’ve created the outline below to keep you informed of our efforts. We’ll be proactively reaching out to our entire customer base once we have best practices to share.
In this article we'll share:
Consult with internal and external counsel to understand legal interpretations of the GDPR requirements
Work with other leading technology firms to understand the market’s general interpretation and best practices
Perform a Data Protection Impact Assessment as a security review to determine compliance with GDPR security requirements and industry best standards.
Based on our research, we’re developing our working interpretative model as a reference and guide for internal processes
Using our research and model, we’re defining the product roadmap necessary to allow FullStory as Controller and FullStory as Processor to work toward compliance with GDPR
Our DPA is being revised to reflect both regulatory and operational changes related to GDPR
Product & Process implementation
We are beginning to implement pieces of the compliance roadmap within our product offering.
We are reviewing all vendors who act as sub-processors for FullStory data, auditing their approach to GDPR, and entering into DPAs where necessary.
Communication & messaging
Finalize and communicate strategy to customers
Product strategy is being finalized, and a definitive list of changes is forthcoming. You can expect to see product changes relating to:
User identification processes and mechanisms
Handling of IP address recording and retention
Deletion mechanisms specific to identified users
Functionality that allows you to tie consent to session recording rules
More fine-grained exclusion / recording mechanisms
It is important to note that FullStory is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance.
We are a controller with respect to our visitors and customers interacting with any domain within our control (e.g. www.fullstory.com, app.fullstory.com, help.fullstory.com, blog.fullstory.com, etc.).
We are a processor (and occasionally a subprocessor) with respect to the end users whose data FullStory receives: our customers’ users.
As a customer of FullStory, you are a data controller and FullStory is acting as your data processor for your users. In this respect, you’ll want to take the following steps as we approach May 25th:
If you have customers in the EU, we’ll be providing an updated DPA to get signed. Email email@example.com for more information.
Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
Be thinking about how you’ll handle Consent on your site. The consent rules you set will directly impact your FullStory exclusions list.
Watch for updates from FullStory related to product functionality or T&C changes.
The FullStory team awaits your every question.