Since 2005, we’ve been helping brands and retailers amplify the voices of their customers through everything from ratings and reviews to social media. In that time, we’ve also worked tirelessly to secure and protect the data of our brands and retailers and all of their many customers.
That’s why when we first heard about the European Union’s (EU) General Data Protection Regulation, more commonly called GDPR, we immediately got to work.
GDPR marks one of the biggest shifts in EU privacy law in more than 20 years and sets firm rules for how businesses collect, store, and process customer data. Designed to protect the privacy and personal data of all EU residents, GDPR mandates that all organizations operating in the EU operate under comprehensive rules, including:
- Privacy by design: Consideration of privacy must be integral to doing business and in all aspects of data management.
- Minimisation: If you collect the personal data of EU residents, you can only store and process data that is absolutely necessary — and you must limit all internal access to this personal data to only those individuals who “need to know.”
- Accountability: All use of personal data is done under a solid legal, basis that can be demonstrated by all those involved.
- Right to access: You must provide any EU resident with access to their stored personal data upon request.
- Right to erasure: Otherwise known as the “right to be forgotten,” you must erase an individual’s personal data upon request.
- Data portability: You must offer individuals a way to transfer their data to another provider upon request.
- Data protection officers: If you process personal data on a large scale, you must assign a qualified data protection officer to oversee and ensure compliance with GDPR.
At Bazaarvoice, we’re happy to say we expect our services will be fully GDPR compliant by March 2018, well before it goes into effect in May 2018. To ensure our compliance, we will bring in an external auditor early next year to check our systems, processes, and data flows to make sure we are fully in line with all the requirements.
This will mark the end of a journey more than two years in the making.
As soon as the ink dried on the final draft of GDPR in 2016, we started working full speed toward compliance. That meant reading carefully through every requirement, figuring out what we needed to do, and getting the full support of our CEO Gene Austin to make the necessary changes.
From the beginning, we made sure that everyone at the highest levels of Bazaarvoice was aware of the importance of GDPR and the resources and time we’d have to dedicate to make sure we would be fully compliant. We came away with a cross-functional team of people, running the gamut from IT, engineering, legal, and marketing.
In our offices in London, Belfast, Paris, Munich, and Amsterdam, we put into place a full on-the-ground effort to make every provision of GDPR a cornerstone of our business. In our offices in the US, we put our product and engineering teams to work localizing EU operations wherever possible and evaluating all of our data flows and databases.
Strangely enough, this wasn’t as difficult as you might expect.
Customer trust is at the heart of everything we do at Bazaarvoice and is an essential part of our DNA. Every day, our clients trust us to be guardians of their brands and, with a team of more than 400 human moderators, we work tirelessly to do just that in more than 37 languages. And every day, people trust the reviews they read online to make buying decisions.
Securing that trust means that we’re dealing with security and privacy every day. It’s vital to who we are and what we do — and everyone here takes their responsibility to protect our clients and their customers seriously.
In the EU, we’ve always used Germany as our benchmark for privacy and data protection. Germany is well known for having the strictest privacy laws in the EU, and we’ve worked every year with an external auditor to make sure our data management practices are fully compliant with those laws.
This put us in a good position with regard to GDPR. Operationally, there hasn’t been much we’ve had to change. Instead, most of our efforts have centered around accountability and building out processes, reporting, and documentation that shows exactly where everything is, how’s it being used, and who has access to it.
Moving forward, I will serve as Bazaarvoice’s Data Protection Officer in the EU, making it my responsibility to ensure compliance with GDPR in all of our work in Europe. My counterpart will be Nicholas Campbell, who will serve as our Data Protection Officer for the US. Together, we will work with our Information Security Officer, Anji Greene, and a cross-functional team to continuously test our systems, processes, and reporting standards.
In our mission to bring brands and retailers closer to their customers, we’ve always believed trust is the most important metric of success. When it comes to building trust, security and privacy are paramount. At Bazaarvoice, this informs everything we do.
In many ways, GDPR puts into law something Bazaarvoice has always believed: your information should be your own and you should always be in charge of how and when it is used. From giving the individual more protection of their rights in this continually data-driven world to promoting a more harmonized privacy landscape, GDPR is a monumental step forward and one that Bazaarvoice welcomes wholeheartedly.
If you have any questions about Bazaarvoice’s compliance with GDPR, please reach out to Angela Boswell, Bazaarvoice’s chief EU legal representative and Data Protection Officer.