In 2018, the European Union (EU) introduced a new regulation, known as the General Data Protection Regulation (GDPR). Though the document itself is extremely complicated with 11 chapters, 99 articles, and 261 pages, its purpose is straightforward: it sets rules for companies on how to manage your personal information.
Let's say you're on Google, searching "What is GDPR" and you click on an article. A little pop-up might appear asking if you're okay with the website remembering some stuff about you. This happens because websites can keep track of information like where you're from or how much time you spend reading an article. This data helps them make their website better and show you ads you might like. This is done through something we call 'cookies'. A cookie is like a tiny digital crumb that helps the website remember you.
Thanks to GDPR, companies now need to ask you before they can use your data. It also means you have the right to know what data they have about you, ask for any mistakes to be corrected, or even have them forget all about you.
Data Controller vs. Data Processor
We now understand GDPR's role between individuals and organizations. But data processing in real life can be a bit more complicated.
Let's say I have a website where I collect visitors' emails to send newsletters. Since I'm deciding why and how these emails are used, I'm the "Data Controller".
But if I start getting so many emails that I decide to use a service like Mailchimp to help send out the newsletters, Mailchimp becomes the "Data Processor", and I'm still the "Data Controller". They're doing the job for me, but I'm the one giving instructions.
Product Analytics: June vs. Google Analytics
When it comes to product analytics, both June and Google Analytics are popular choices. But through the lens of GDPR, who's really in control of your data?
If you use Google Analytics, it's like giving Google the keys to your data. Here's how it works:
- Google picks what data to collect. This is Google's job as the Data Controller.
- Google processes that data. This is Google's job as the Data Processor.
As a Data Controller, Google can choose to turn your data into easy-to-read charts in Google Analytics. But it can also choose to mix this data with other services to show better ads with Google Search.
With June, it's different. You're the boss. You choose what data you want to collect. Tools like Segment or our own Software Development Kit (SDK) can help you do this. They collect your data and send it to us.
In this case, you're the Data Controller, and Segment and June are the Data Processors.
GDPR Policy Differences for Data Controllers and Data Processors
Data Controllers have more responsibilities. They need to get clear permission from people before using their data. They also need to make sure any Data Processor they use follows GDPR.
Data Processors, like June, must only do what the Controller tells them to.
How Does June Comply with GDPR as a Data Processor?
We take several steps to make sure we follow the GDPR:
- Security Measures: We are SOC 2 compliant, which means we follow industry standards to keep your data safe.
- Data Processing Agreement (DPA): GDPR requires a contract, or DPA, between the Controller and Processor. You can request a copy of our DPA through this link.
- Continuous GDPR monitoring: We use ZenDPA to monitor our GDPR compliance. They make sure our data processing agreements stay up to date and that all of our sub-processors are also GDPR compliant.
So, is June GDPR-compliant? The answer is yes!