Promotion Security & GDPR Compliance: An Overview
GDPR and CCPA compliance come standard with PromoPick, and we exercise industry-standard best practices for database security and consumer data handling. Additionally, we are able to arrange database compliance with other or anticipated future policies as needed, due to the flexible data handling described below. As per company policy, all data we collect through digital promotions is destroyed 90 days after the promotion is over.
Tracked and segregated personally identifiable information (PII) collected through promotional registration allows us to easily adapt to new requirements that may arise from new legislation. On a per-promotion level this information is all stored in a single table, which is encrypted in the database and uses hash values for comparison, as additionally stated in Realtime Media’s in-house data policy.
We have offered full GDPR compliance and support since the regulation was initially introduced. Our environment, business processes and technology all adhere to the guidelines established in GDPR, including:
- A manual opt-in consenting to data usage rights at registration.
All internal processes for CCPA compliance have been in place as of January 1st, 2020, the official enactment of the law. This includes, but is not limited to, engineering internal workflows and infrastructure-wide tools we can use to identify all data we may hold on any individual requesting information about the use of their data. Realtime Media is a flexible technology partner and, whenever possible, operates to champion the individual privacy policies of its clients.
In addition, and when necessary, Realtime Media’s in-house data security policy and practices are applied to ensure full legal compliance in the intake of and response to consumer requests.
Our backend systems are designed to operate publicly only over secure web protocols, and we leverage industry-leading third-party services for protective content management and storage, encryption, and bot/fraud detection.
All consumer data is encrypted using RSA 256, and all consumer data at rest outside of promotional databases is encrypted using PGP. As a standard inclusion with all promotions, microsites have SSL certificates, and any captured data is transferred over SFTP or encrypted API connections.
Additionally, we follow the standards defined by ISO 27001 as well as other industry best practices. The key outcomes include fully encrypted data in all states and server permissions limited, as needed, to system accounts, back-end developers and our IT lead.
All promotional databases are segregated both by brand and again by promotion, which allows for logical separation of data. Furthermore, this creates easy user flows for analytical measures such as metric comparison at the promotion and brand level, and provides a firm grasp on data location and retention.
This structure, in turn, allows for easy compliance with internal data policy as well as the handling of CCPA and GDPR consumer requests.