PowerReviews and GDPR Compliance


In anticipation of the May 25, 2018 enforcement date of the European Union’s General Data Protection Regulation (GDPR), PowerReviews is hard at work implementing its compliance program. To learn more about the newest change in data privacy regulation and what it means for PowerReviews clients please read below.

What is the GDPR?

The GDPR ensures greater protection of personal data for people in the European Union (EU). It includes a comprehensive definition of “personal data” as any information that can be used to identify someone. Some examples of personal data include names, photos, email addresses, IP addresses, and posts on social networking sites.

Further, GDPR also ensures that people in the EU have rights to, and control of, their data. Basically, the GDPR empowers EU consumers by giving them more control of their personal data, and by requiring controllers and processors of this personal data to better protect their personally identifiable information. The fundamental rights of these EU consumers include the right of access to their personal data, the right to rectification of this data, the right to be forgotten (erasure), the right to restriction of processing, the right to data portability and the right to object.

What role does PowerReviews play in data collection?

PowerReviews is a processor of personal data. We collect and process personal data — ratings and reviews, photos and videos, questions and answers — on behalf of our clients, which are brands and retailers all over the world. Our clients are the controllers of data. They instruct us regarding the personal data that we process and control what content appears on their sites.

What can PowerReviews clients expect?

To facilitate our clients’ compliance with the requirement to have a contract with us before we process personal data, PowerReviews is providing our clients a GDPR Addendum to their services agreement with PowerReviews. The GDPR Addendum contains all the terms and commitments required by the GDPR for compliant contracts between controllers and processors or between processors and subprocessors. It’s specifically tailored to the PowerReviews platform and, when entered into, modifies your services agreement to align with the GDPR.

The GDPR requires affirmative consent on the “Write a Review” (WAR) form for EU locales. Consent is a big deal. It’s in your hands, as clients and controllers of data, to make sure that you are obtaining the appropriate consents or that you have another adequate legal basis allowing PowerReviews to process the data that we are collecting on your behalf. Our platform requires our clients to include a checkbox next to the privacy policy on the WAR form so the end-user can opt in to sharing this data. Clients are required to make this checkbox mandatory for end-users to submit a review. Clients have some control over the language and formatting of the WAR form, so all final versions should be reviewed by your counsel.

We suggest our clients review and update their privacy policy as necessary, to make sure it grants PowerReviews proper permissions to process data on our clients’ behalf. Please note that data will be transferred outside the EU for PowerReviews processing, so please make sure that your privacy policy takes that into account.

Cross-Border Data Transfers

PowerReviews takes privacy very seriously. We treat the data that our clients collect and use on our platform with the utmost sensitivity and employ strict policies and protections to help ensure the privacy of that information. PowerReviews is certified under both the EU-US Privacy Shield and the Swiss-US Privacy Shield Frameworks — which complement the GDPR.

The EU-US and Swiss-US Privacy Shield Frameworks are mechanisms composed of data protection principles agreed upon by the US Department of Commerce with the European Commission (EC) and with the Swiss Federal Data Protection and Information Commissioner, respectively, to facilitate data transfers between the European Economic Area (EEA) and the US, and between Switzerland and the US.

Who needs to enter into PowerReviews’ GDPR Addendum?

For any question involving the interpretation or applicability of the GDPR, you should consult with your legal counsel. In general, a client should enter into the GDPR Addendum if it:

  1. Has an establishment in the European Union or European Economic Area, regardless of whether the processing takes place in the EU/EEA or not
  2. Offers goods or services, irrespective of whether payment is required, to data subjects in the EU/EEA
  3. Monitors the behavior of data subjects that takes place within the EU/EEA

A client does not need to enter into the GDPR Addendum if it does not process any personal data from Europe through its PowerReviews services.

Data Protection Going Forward

PowerReviews is — and always has been — committed to protecting the data of consumers who use our technology all around the world. It’s up to both PowerReviews and our clients to ensure the security of personal data collected and processed on the PowerReviews platform. It’s a team effort.

PowerReviews has been taking steps to prepare for the GDPR, including:

  • Assembling a team committed to ensuring continued compliance with the GDPR
  • Performing a gap assessment, which includes mapping our data, to ensure we’re meeting all business requirements. Data mapping shows us exactly what data we have and where we are sending it, so we know what, where, when and how our data is received, collected and processed
  • Helping our clients (the controllers) to comply with requests related to personal data of individuals in the EU in a timely manner. An example of a possible request would be if a customer asks for all of their personal information to be deleted. We do this by knowing exactly what data we have and where it’s located
  • Updating vendor contracts and executing addenda when necessary
  • Reviewing internal processes to ensure that they line up with GDPR guidelines and requirements
  • Staying up to date on guidance being issued for the GDPR, as it continues to evolve
  • Performing internal trainings for the PowerReviews team

In addition to the steps we’re taking to ensure our own compliance, as described above, each PowerReviews client needs to do its own internal analysis and consult its own attorney to ensure it is compliant.

Here are some of the steps PowerReviews recommends to our clients to help ensure that they’re compliant with the GDPR:

  • Enter into the GDPR Addendum
  • Have your counsel review your own privacy policy
  • Obtain the permissions necessary for PowerReviews to process data on your behalf
  • Include a way for consumers to show affirmative consent (like a checkbox) on the Write a Review form, if that is your legal basis for the processing of the data

What if I have additional questions?

Please keep in mind that this page does not cover every aspect of EU data privacy, nor should you consider it legal advice. This is meant to provide background information and help you better understand PowerReviews’ strategy to comply with the GDPR. Should you have questions about the GDPR Addendum, please contact your PowerReviews representative. Should you have questions about the GDPR in general, please contact your legal counsel.