On May 25, 2018 the EU General Data Protection Regulation (GDPR) became enforceable, bringing new global data protection rights for individuals in the European Union. FullStory wholeheartedly supports the privacy rights of its customers and their users.
In addition to its commitment to GDPR, FullStory is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Framework. FullStory offers a data processing agreement (DPA) for customers processing information on behalf of EU and Swiss citizens.
As we all work to understand and apply GDPR concepts to our own businesses, we’ve created the outline below to keep you informed of our efforts.
In this article we'll share:
- What steps have we taken to comply with GDPR?
- What product changes have we made in anticipation of GDPR?
- How are we thinking about compliance for our customers and what do you need to do?
What steps have we taken to comply with GDPR?
- Consulted with internal and external counsel to understand legal interpretations of the GDPR requirements
- Worked with other leading technology firms to understand the market’s general interpretation and best practices
- Performed a Data Protection Impact Assessment as a security review to determine compliance with GDPR security requirements and industry best standards
Our DPA has been revised to reflect both regulatory and operational changes related to GDPR.
Initial Product strategy
Using our research and model, we’ve executed the product roadmap necessary to allow FullStory as Controller and FullStory as Processor to become compliant with GDPR.
We have reviewed all vendors who act as sub-processors for FullStory data, auditing their approach to GDPR and entering into DPAs where necessary.
Based on our research, we’ve developed our working interpretative model as a reference and guide for internal processes.
Ongoing Product strategy
While we have completed an initial set of product changes related to GDPR, we will continually evaluate and add new security and privacy functionality in FullStory.
Ongoing communication & messaging
Subscribe to our GDPR Updates mailing list to be kept in the loop.
What product changes have we made in anticipation of GDPR?
- Ability to discard IP addresses and exclude them from the UI
- Ability to delete an individual within the UI or with deleteIndividual API, and receive an audit log
- Finer-grained exclusion / recording mechanisms using the FS.consent() API
- Ability to download user specific data for Rights to Access and Data Portability
Product strategy will continue to evolve around GDPR. Future product changes that you may see include:
- User identification processes and mechanisms
- Retroactive deletion of specific field captures
- Active monitoring & alerting around recorded data that appears sensitive
How are we thinking about compliance for our customers and what do you need to do?
It is important to note that FullStory is acting both as a Data Controller and as a Data Processor within the realm of GDPR compliance.
We are a controller with respect to our visitors and customers interacting with any domain within our control (e.g. www.fullstory.com, app.fullstory.com, help.fullstory.com, blog.fullstory.com, etc.).
We are a processor (and occasionally a sub-processor) with respect to the end users whose data FullStory receives: our customers’ users.
As a customer of FullStory, you are a data controller and FullStory is acting as your data processor for your users. In this respect, you’ll want to take the following steps:
- Perform your own research, modeling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
- Think about how you’ll handle consent on your site. The consent rules you set will directly impact your FullStory exclusions list.
- Watch for updates from FullStory related to product functionality or T&C changes.