GDPR data management¶
As of 25 May 2018, the European Union's General Data Protection Regulation (GDPR) will be the new primary law regulating how companies have to treat and protect the personal data of EU residents.
Retailers most likely store personal information about their visitors in their own systems. However, as Voyado Elevate 3 manages behavioral data, it also makes a retailer's Elevate implementation a part of a retailer being overall compliant with the new legislation.
Voyado Elevate 3 and GDPR¶
The two most notable points for retailers regarding GDPR compliance when using Voyado Elevate 3 are the following:
- Never create and use customer keys based on personal information such as user names or email addresses.
- Plan for how to manage and use the GDPR API to export, download, and remove behavioral data.
Voyado Elevate 3 primarily stores personal data in the form of the
customerKey and the
sessionKey of visitors, where the keys can be associated with clicks and purchases. A
sessionKey can associate with multiple
IP-addresses are not stored persistently in Elevate 3 Enterprise. An address is only stored temporarily in the memory of an active Elevate instance until a newer request from the same user agent is made, or if an instance is reset during an upgrade or reboot. A maximum of 1000 IP-addresses are stored simultaneously. For internal troubleshooting purposes, a
customerKey and a
sessionKey can be connected to an IP-address during the temporary storage of the IP-address.
sessionKey data are stored for 1 year and are then automatically removed by Elevate. They can be removed earlier with the GDPR API and the Remove customer data end point. The automatic removal time can be configured to run at shorter or longer intervals. For more information about configuring automatic removal times, contact Voyado Lund Support.
The GDPR API is part of the Voyado Elevate 3 Web API. It is used to execute queries enabling functions supporting the Right to access, Right to portability, and the Right to be forgotten.
To be fully compliant with GDPR in regards to Voyado Elevate 3 data, a retailer is likely to have to implement necessary functions for managing GDPR related requests from their visitors.
When executing queries with the GDPR API, basic HTTP authentication with Elevate cluster credentials is required.
Please see the official GPDR homepage for more information regarding the European Union’s General Data Protection Regulation.
For more information regarding GDPR compliance with Voyado Elevate without the Web API, please see Apptus Connector Docs for Java, .NET, or PHP.