Brandwatch and the GDPR: What You Need to Know Product

By Natalie Meehan on May 16th 2018

Unless you’ve been somewhere with no access to the tv, your email account, or anyone who you work with, you’ll have heard about the GDPR.

Those four little letters have been cropping up everywhere of late, as the new ‘General Data Protection Regulation’ is due to come into effect on May 25th 2018. Thus, you’ll have received circa one billion marketing emails asking you to opt in to communications, and although it’s tempting to skip past them, GDPR is actually pretty important for you to know about – as it’s about your personal data, and how it’s used by companies.

As it’s such an important topic, and we work with data every day, we thought it was high time we shared our FAQs with you on how Brandwatch is approaching the GDPR and data privacy generally.

The below FAQ might sound serious and in legal-speak, and that’s because it is. When we aren’t thrilling you with content on Super Mario’s nipples, or a deep dive into the online world of Lego, we’re actually really, truly, madly, deeply serious about data. Plus, if I change our Head of Legal’s words, he’ll hunt me down. And we definitely do not want that. I still have so much to give!

If you have any questions that are not answered by this FAQ, please get in touch with your sales representative, customer success or account manager, or feel free to comment below.

Get ready to get schooled on the GDPR. Your watercooler moment where you’re able to stun your colleagues with your endless knowledge and huge brain awaits.

Brandwatch and the GDPR: FAQs

Q: Does Brandwatch comply with the GDPR?

A: Yes.

Q: Does the GDPR apply to Brandwatch’s services?

A: The GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. Brandwatch offers a variety of services, each of which require a different analysis under the GDPR.

Analytics/Images, Audiences, and BuzzSumo (“Analytics Services”)
Analytics Services are personal data agnostic. These Analytics Services are based on analyzing large sets of free text data/images. This means that, while processing personal data is not the core point of the Analytics Services, it is likely that there is personal data in the Brandwatch database. For example, some users on Twitter verify their account. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing on a post-by-post basis whether information is personal data, Brandwatch chooses to treat its entire database of mentions as if it contained all personal data.

Vizia
For Vizia, Brandwatch acts as a data processor and the GDPR applies where the data within Vizia is personal data.

Q: Is Brandwatch a data controller or a data processor with respect to its Analytics Services?

A: For its Analytics Services, Brandwatch makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the Analytics Services that contain personal data, Brandwatch considers itself a data controller under the GDPR.

Q: Is Brandwatch a data controller or data processor with respect to Vizia?

A: Historically, Vizia only displayed data from Analytics (another Brandwatch service). Where only data from Analytics is displayed, Brandwatch is still a data controller. This is because the data that Vizia is processing is Brandwatch’s own data source (for which Brandwatch is a data controller). However, Brandwatch has built a developer ecosystem that allows its customers to build their own software applications to sit on top of Vizia, displaying customers’ own data. Where a customer has built their own software application, and that application has personal data in it, Brandwatch is a data processor and the customer is a data controller of that personal data. This is because Brandwatch is only processing personal data on the customer’s behalf (i.e. to run and operate the customer’s application).

Q: If Brandwatch is a data controller for its Analytics Services, what are its customers?

A: For all Analytics Services, Brandwatch’s customers are also data controllers in respect of the personal data which customers process through the use of the Analytics Services. The reason is that, under the GDPR, a person must be a data processor or a data controller. A data processor processes data on behalf of the data controller. Since Brandwatch’s customers do not process personal data on Brandwatch’s behalf, Brandwatch’s customers must be data controllers under the GDPR for the Analytics Services.

Q: What is the legal basis on which Brandwatch processes personal data for its Analytics Services?

A: The primary legal basis on which Brandwatch processes personal data when performing the Analytics Services is the legitimate interests of the data controller. This legal basis requires a balancing of the legitimate interests of the data controller with the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The data that Brandwatch processes from the Analytics Services is all publicly available – and made available – by the particular social media author him or herself. Brandwatch therefore believes that the interests, fundamental rights and freedoms of data subjects are not prejudiced or overridden in the context of its processing of social media data that is (1) publicly available and (2) can be made private at anytime by the social media author him or herself. The social media authors have significant levels of control over the availability of their personal data on the underlying websites, including (e.g.) setting their Twitter account to private.

Q: Where does Brandwatch store the personal data that it processes?

A: The personal data that forms part of the Analytics database is stored on servers that Brandwatch owns and manages, hosted with colocation providers in the UK. Brandwatch policy requires the use of Tier 3 rated data centres with suitable physical and environment security. Brandwatch’s data centre providers maintain their own ISO27001 accreditation, along with other relevant physical security, environmental and quality certification. Brandwatch’s Audiences and BuzzSumo services are hosted by third party cloud providers, in Ireland and Canada respectively. Brandwatch’s Image Analysis service is hosted both within the Analytics database and by a third party provider in Ireland. The personal data in Vizia is hosted by a cloud provider in the UK.

Q: Does Brandwatch export any personal data outside of the European Economic Area?

A: Other than BuzzSumo, which is hosted on servers in Canada, none of Brandwatch’s services currently export any personal data outside of the European Economic Area. However, via the API or the export functionality of Analytics and Audiences, customers can technically export data from Brandwatch’s UK servers to non-EEA countries. This export will depend on the ultimate location of the customer device that exports the data.

Q: Are Brandwatch’s systems that process personal data secure?

A: Yes. Brandwatch has its own ISO27001 certification that covers the hosting, development and support for its applications and data, including the servers that host the personal data within Analytics and Vizia. Brandwatch has technical and organisational measures in place to protect against unauthorised or unlawful processing of data and against accidental loss, destruction or damage. Where Brandwatch uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, Brandwatch applies its own security policy and process to the management and provision of any third party systems and services.

Q: How does Brandwatch ensure its services comply with the GDPR?

A:
 Brandwatch has appointed privacy champions on its engineering and product teams. These individuals are tasked with incorporating privacy by design principles when developing services for Brandwatch. Brandwatch also implements Privacy Impact Assessments, where required, in accordance with the GDPR. Finally, Brandwatch has an information security engineer and legal counsel that oversee privacy-related matters.

Q: Is Brandwatch Privacy Shield certified?

A: No. Brandwatch has taken the view that a Privacy Shield certification is unnecessary because it does not itself export any data from the European Economic Area to the US.

So, well done for getting to the end of that. You’re now up to speed, and know everything there is to know about Brandwatch and how we comply with GDPR.

And just to finish, a reminder once again that we’ll be more than happy to go through any of your questions in further detail – just get in touch via the comments section below, or through your sales representative, customer success or account manager. Your peace of mind around data is incredibly important to us, and we look forward to your comments.


Brandwatch Analytics

The world-leading social listening platform.

Find out more

Natalie Meehan

@Natalie_KateM

Natalie has worked in marketing for a decade, and is the Head of Content and Social at Brandwatch. She'll put an egg on almost anything.