The European Commission adopted the General Data Protection Regulation (“GDPR”). The GDPR applies from 25 May 2018. The GDPR replaces the 1995 Data Protection Directive (“Directive”). The GDPR is, essentially, an upgrade from the Directive. The purpose of this FAQ is to set out for our customers how Brandwatch is approaching the GDPR and data privacy generally. If you have any questions that are not answered by this FAQ, please get in touch with your sales representative, customer success or account manager.
Q: Does Brandwatch comply with the GDPR?
Q: Does the GDPR apply to Brandwatch’s services?
A: The GDPR applies to the processing of personal data. Personal data means any information relating to an identified or identifiable natural person. Brandwatch offers a variety of services, each of which requires a different analysis under the GDPR.
Analytics/Images, Audiences, and BuzzSumo (“Analytics Services”)
The Analytics Services are personal data agnostic. They are based on analyzing large sets of free text data and images. This means that, while processing personal data is not the core point of the Analytics Services, it is likely that there is personal data in the Brandwatch database. For example, some users on Twitter verify their account. Where a user’s account is verified, that user’s username and accompanying Tweets are personal data. Because of the difficulty in analyzing on a post-by-post basis whether information is personal data, Brandwatch chooses to treat its entire database of mentions as if all of it were personal data.
For Vizia, Brandwatch acts as a data processor and the GDPR applies where the data within Vizia is personal data.
Q: Is Brandwatch a data controller or a data processor with respect to its Analytics Services?
A: For its Analytics Services, Brandwatch makes decisions about which websites it crawls, what data it collects, and how and why this data is used in connection with its services. This decision is based on the fact that these services and any related processing are not specific to any particular customer and could not therefore be said to be only “on the instructions” of any such customer. Therefore, for the Analytics Services that contain personal data, Brandwatch considers itself a data controller under the GDPR.
Q: Is Brandwatch a data controller or data processor with respect to Vizia?
A: Historically, Vizia only displayed data from Analytics (another Brandwatch service). Where only data from Analytics is displayed, Brandwatch is still a data controller. This is because the data that Vizia is processing is Brandwatch’s own data source (for which Brandwatch is a data controller). However, Brandwatch has built a developer ecosystem that allows its customers to build their own software applications to sit on top of Vizia, displaying customers’ own data. Where a customer has built their own software application, and that application has personal data in it, Brandwatch is a data processor and the customer is a data controller of that personal data. This is because Brandwatch is only processing personal data on the customer’s behalf (i.e. to run and operate the customer’s application).
Q: If Brandwatch is a data controller for its Analytics Services, what are its customers?
A: For all Analytics Services, Brandwatch’s customers are also data controllers in respect of the personal data which customers process through the use of the Analytics Services. The reason is that, under the GDPR, a person must be a data processor or a data controller. A data processor processes data on behalf of the data controller. Since Brandwatch’s customers do not process personal data on Brandwatch’s behalf, Brandwatch’s customers must be data controllers under the GDPR for the Analytics Services.
Q: What is the legal basis on which Brandwatch processes personal data for its Analytics Services?
A: The primary legal basis on which Brandwatch processes personal data when performing the Analytics Services is the legitimate interests of the data controller. This legal basis requires a balancing of the legitimate interests of the data controller with the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The data that Brandwatch processes from the Analytics Services is all publicly available – and made available – by the particular social media author him or herself. Brandwatch therefore believes that the interests, fundamental rights and freedoms of data subjects are not prejudiced or overridden in the context of its processing of social media data that (1) is publicly available and (2) can be made private at any time by the social media author him or herself. The social media authors have significant levels of control over the availability of their personal data on the underlying websites, including (e.g.) setting their Twitter account to private.
Q: Where does Brandwatch store the personal data that it processes?
A: The personal data that forms part of the Analytics database is stored on servers that Brandwatch owns and manages, hosted with colocation providers in the UK. Brandwatch policy requires the use of Tier 3 rated data centres with suitable physical and environmental security. Brandwatch’s data centre providers maintain their own ISO27001 accreditation, along with other relevant physical security, environmental and quality certification. Brandwatch’s Audiences and BuzzSumo services are hosted by third party cloud providers, in Ireland and Canada respectively. Brandwatch’s Image Analysis service is hosted both within the Analytics database and by a third party provider in Ireland. The personal data in Vizia is hosted by a cloud provider in the UK.
Q: Does Brandwatch export any personal data outside of the European Economic Area?
A: Other than BuzzSumo, which is hosted on servers in Canada, none of Brandwatch’s services currently export any personal data outside of the European Economic Area. However, via the API or the export functionality of Analytics and Audiences, customers can technically export data from Brandwatch’s UK servers to non-EEA countries. This export will depend on the ultimate location of the customer device that exports the data.
Q: Are Brandwatch’s systems that process personal data secure?
A: Yes. Brandwatch has its own ISO27001 certification that covers the hosting, development and support for its applications and data, including the servers that host the personal data within Analytics and Vizia. Brandwatch has technical and organisational measures in place to protect against unauthorised or unlawful processing of data and against accidental loss, destruction or damage. Where Brandwatch uses third party cloud providers, those providers are industry-leading, including AWS and Google Cloud. In addition, Brandwatch applies its own security policy and process to the management and provision of any third party systems and services.
Q: How does Brandwatch ensure its services comply with the GDPR?
A: Brandwatch has appointed privacy champions on its engineering and product teams. These individuals are tasked with incorporating privacy by design principles when developing services for Brandwatch. Brandwatch also implements Privacy Impact Assessments, where required, in accordance with the GDPR. Finally, Brandwatch has an information security engineer and legal counsel who oversee privacy-related matters.
Q: Is Brandwatch Privacy Shield certified?
A: No. Brandwatch has taken the view that a Privacy Shield certification is unnecessary because it does not itself export any data from the European Economic Area to the US.