Accelerate Time to GDPR Readiness with Traackr

The GDPR is coming

On May 25, 2018, the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will come into effect. Traackr wholeheartedly supports the privacy rights of its customers and their users and is prepared for the GDPR. As the leading influencer marketing platform, Traackr has thoughtfully assessed the implications of the GDPR on the influencer marketing space. This document provides a high-level description of the GDPR and explains how the GDPR applies to Traackr’s influencer marketing platform. By offering a central repository for influencer marketing data with a uniform security standard, Traackr offers its business customers a valuable tool in the toolkit for their own GDPR compliance efforts.

Description of the GDPR

The GDPR is a significant and wide-reaching data protection law that replaces the current inconsistent patchwork of EU data protection laws with one unified law.  It focuses on safeguarding individuals' privacy rights by regulating the processing of their personal data, enshrining significant rights over their data, and ensuring transparency into the nature, purpose, and use of personal data.

The scope of the GDPR is expansive and reaches businesses outside the EU.  The GDPR not only applies to any business established in the EU that processes personal data of EU residents (regardless of whether the processing takes place in the EU or not), but it also applies to businesses established outside the EU, where the processing relates to:  (i) offering goods or services to individuals in the EU, or (ii) monitoring behavior of individuals in the EU.  

In the GDPR context, “processing” broadly includes any type of collection, disclosure, handling, storage, or other use of personal data.  The definition of “personal data” is similarly broad, meaning any information relating to an identified or identifiable natural person.  For example, personal data would include names, email addresses, passwords, and social handles.

Finally, in order to assess the application of the GDPR, there are three classifications that need to be considered.  These classifications depend on the relationship to the personal data at issue.  

Data Subject

A data subject is the person to whom the personal data relates.

Data Controller

A data controller is the entity that determines the purposes and means of the processing of personal data.

Data Processor

A data processor is the entity that processes information on behalf of a data controller.

How Does the GDPR Apply to Traackr’s Platform?

The GDPR applies to the Traackr platform through the platform’s interaction with three categories of personal data:

  • Traackr Influencer Data
  • CRM-Stored Influencer Data
  • User Data

Traackr Influencer Data

Traackr Influencer Data is the information about the individuals that make up the online influencer ecosystem.  This information is collected and aggregated from publicly available data on the Internet; indexed, ranked, organized and analyzed using Traackr’s proprietary techniques and algorithms; and provided to Traackr’s customers on Traackr’s platform.  With respect to this category of personal data, Traackr is the data controller.

Traackr has been working closely with legal counsel, both in the United States and in Europe, in an effort to ensure that it meets its obligations as a data controller with respect to this class of personal data.  For Traackr, the provision of its influencer marketing platform, which has been shown to create significant value, not only for Traackr’s customers, but also for influencers themselves, is the legitimate interest for which it collects and processes influencer data.  As part of the GDPR compliance process, Traackr will be providing notice and an opt-out opportunity for all influencers whose personal data is included in the Traackr platform.

CRM-Stored Influencer Data

CRM-Stored Influencer Data is information the Traackr customer inputs into the customer’s Traackr account in the form of notes about particular influencers.  This information is viewable only by the customer that inputs the notes, is not accessible by Traackr’s other customers, and does not become part of Traackr’s general platform.  With respect to this data, Traackr is a data processor, and the customer that inputs this data into the customer’s account is the data controller.  This form of data excludes the publicly available Traackr Influencer Data described above, with respect to which Traackr is the data controller.

User Data

User Data is the information about the employees and agents of Traackr’s customers that Traackr collects in order to provide its service to the Traackr customer.  This information typically consists of users’ first and last names, email address, password to the Traackr platform and, occasionally and at the option of the user, the users’ social media handle(s).  With respect to this data, Traackr is a data processor, and the customer for whom the users work is the data controller.

Moreover, the GDPR regulates the transnational movement of personal data, namely data transfer. If a data controller is based in the EU and is transferring personal data to a data processor that is based outside of the EU, the parties must take steps to ensure that the jurisdiction to which the data is going has an “adequate” level of protection. Transferring data to a jurisdiction deemed by the EU as not having an “adequate” level of data protection (such as the United States) requires a data transfer mechanism. In this case, an acceptable data transfer mechanism is for the data exporter and data importer to enter into the standard contractual clauses approved by the European Commission. These standard contractual clauses are used to establish a sufficient level of protection over personal data held outside the EU. As a result, Traackr’s approach concerning CRM-Stored Influencer Data and User Data, over which Traackr’s customers have the role of data controller, is to enter into the standard contractual clauses with its customers.

We have assessed the requirements of the GDPR and its impact on our influencer marketing platform to help support Traackr’s compliance - and our customers’ compliance - with the GDPR.  We will be keeping our customers informed as to future changes and updates that we make to our platform related to the implementation of GDPR compliance.

How Traackr can help

The Traackr platform provides the structure required to standardize, scale, and optimize best-in-class influencer marketing programs, including global influencer discovery, relationship management, and performance analytics. In so doing, Traackr offers its customers a powerful tool that they can leverage to help facilitate their own compliance with the GDPR. The Traackr platform empowers customers to do away with disparate spreadsheets or systems containing personal data of influencers across multiple divisions of their business with varying security standards and little transparency. Instead, our platform offers the benefits of one transparent system-of-record: a user-friendly, central repository for that influencer data. Additionally, our customers can leverage the Traackr platform to assist their own regulatory compliance efforts by segregating access to influencer data over which they are the controller to certain individuals or divisions within their business enterprise. Traackr’s service also provides the benefits of a centralized platform with a uniform set of security standards that facilitates transparent record-keeping as it relates to influencer data.

In a GDPR world, organizing influencer data through Traackr’s platform (in lieu of old-fashioned spreadsheets or isolated systems created in-house) is all the more compelling because of the roles and responsibilities that apply to influencer data within the framework of the GDPR.  Businesses that keep influencer data the old-fashioned way, collecting it themselves and storing it in spreadsheets on their own systems, are data controllers with respect to all of that influencer data, and have all the obligations with respect to that data that go with that moniker.  Conversely, when you use existing Traackr Influencer Data on the Traackr platform, Traackr has the mantle of data controller with respect to that Traackr Influencer Data, as described above.

Note that this is the case solely for the Traackr Influencer Data – that is, influencer information that is collected and aggregated from publicly available data on the Internet; indexed, ranked, organized and analyzed using Traackr’s proprietary techniques and algorithms; and provided on a general basis to Traackr’s customers on Traackr’s platform. As described above, with respect to CRM-Stored Influencer Data – that is, information the Traackr customer inputs into the customer’s Traackr account in the form of notes about particular influencers, the Traackr customer remains the data controller under the GDPR. Nevertheless, the universe of influencer data over which the customer would have the obligations of a data controller is limited to that CRM-Stored Influencer Data set when customers use Traackr as their exclusive home for influencer data.

What Traackr customers should do

Traackr is actively working to ensure that its platform, as well as the tools and features it provides its customers, are GDPR compliant, not only for the benefit of Traackr but for our customers’ benefit as well. Many responsibilities will remain with our customers, however, such as with respect to personal data over which our customers are data controllers, including CRM-Stored Influencer Data and User Data. Despite the fact that data processors have certain responsibilities to protect personal data entrusted to them, the ultimate responsibility for the personal data rests with the data controller. Thus, we advise that you work with your legal counsel and other professional advisers to craft a GDPR compliance plan that conforms to the law and is appropriate for your business.

Additional resources about the GDPR:
