DataSift GDPR: Platform and Process Compliance


#1

Purpose
This document provides guidelines to DataSift’s customers regarding the handling of public data with respect to GDPR compliance. It describes DataSift’s obligations as a Data Controller, purpose limitations, data minimization and Data Subject rights.

GDPR sets broad, ambitious goals, while leaving the details to be interpreted within each business and use-case. This document aims to reflect DataSift’s position and principles.

DataSift is a Data Controller
DataSift partners with a number of data publishers spanning Social, Editorial, Blogs, and other user-generated content.

Under GDPR, DataSift is classified as a data controller. DataSift’s technology allows our customers to acquire and analyze data, which is posted publicly.

Our legitimate interest is based on the public nature of the data we control:

  • Given the global reach, influence, and virality of data which is shared publicly, Businesses have a legitimate interest in analyzing/monitoring insights from this public data to identify potential reputational or operational risks that may affect their company or industry.
  • By publishing the processed data on a public website or social platform the data subjects indicate that they wish other people to see the content they have created or shared.
  • People expect customer service to be provided through social platforms. Without the ability to collect data, including personally identifiable information that is freely given publicly, businesses cannot respond.

Purpose Limitations
Based on our legitimate interest, we receive and distribute two types of content to our customers:

  • Content: Where the content is an online post, we include the author ‘handle’ as it is shown publicly. With this, companies can engage directly to content that mentions their company. We do not include any additional ‘profile data’ about authors beyond data which is publicly visible.
  • Engagement data: Some of the data feeds we receive also contain ‘engagement data’ in the form of a like, upvote, or downvote. In these cases, we anonymize the author data. We also provide anonymized ‘unlikes’ in our feed to customers to enable them to maintain an accurate count of the engagement around an item of content.

Data Minimization

Data collected on a subject should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” [article 5, clause 1.c].

DataSift supports Data Minimization in the following ways:

  • Our customers write filters to minimize the data they collect: When integrating with a data publisher, e.g. Social Platform, we receive a real-time data feed of activity on that platform into our service. Our customers can then use our filtering language and engine to filter for just the information that is relevant for their analysis. For example, listing a number of keywords that relate to their brand or marketing campaign.
  • We purge all data we received after 5 quarters: Most of the data we receive and distribute happens in real-time. For a small number of data partners, we retain a historic archive of data to enable companies to perform historical analysis, e.g. understanding the trends in social relating to a sporting event.

Data Subject Rights
As a Data Controller, data subjects have the following rights in regard to our service:

Right of access

Data Subjects have the right to know if DataSift store/process their personal data, what data is held on them, why DataSift has the data, what we do with it and who it is shared with.

Data Subjects can contact us at privacy@datasift.com to request the data that we hold on them, what we do with it, and who their data may have been distributed to.

We provide Data Subjects with a form where they can provide a list of the social/online handles that they use. Upon receipt of this, along with proof of identity, we can provide Data Subject with:

  • An extract of the data that we hold on the Data Subject in our historic archive
  • A list of the types of companies that may have accessed this data

Right to erasure

Data Subjects have the right to have their data deleted from our systems.

Data Subjects have the right for data to be removed from our service. By exercising this right, DataSift will:

  • Purge the Historic Archive of any matching data within a 30 day period
  • Stop collecting data about the Data Subject in our system

For DataSift customers: The public data you see on a social platform may not be reflected in the data you receive from us if the Data Subject has exercised the right to erasure.

Right to be forgotten

Data Subjects have the right to go beyond erasure to the right to be forgotten.

In addition to the ‘right to erasure’, if Data Subjects request ‘to be forgotten’, in addition to deleting all data we hold, our customers will receive a compliance ‘account delete’ message in their downstream data feed. In compliance with Terms of Service, customers must act on this to delete account data they hold about the data subject.

For DataSift customers: You may receive ‘account delete’ alerts from our service, even if the original account is active. You need to comply with these to delete any data you received from DataSift about the Data Subject.

Right to data portability

All data subjects have the right to receive a portable copy of their data in a machine readable form.

Where we hold data about an individual, we will provide data in a machine-readable JSON format.

Right to object to processing

Data Subjects have the right to object, regardless of the legitimate interest.

In cases where a Data Subject objects to processing, DataSift needs to collect a list of ‘handles’ for the platforms that DataSift partners with. With it, DataSift will add these identifiers to an exclude list to ensure that we do not collect data from that subject.

For DataSift customers: The public data you see on a social platform may not be reflected in the data you receive from us if the Data Subject has exercised the right to object to processing.