If you operate a company in Europe or deal with data from people in Europe, no doubt you’re aware of the upcoming General Data Protection Regulation (GDPR) legislation.
This post is the first in a series of posts about how we’re handling GDPR. We invite you to read the series, ask questions, and give us feedback along the way.
In April of 2016, the European Council changed the legal landscape for handling data. The initial draft of GDPR was finalized and a formal launch date of May 25th, 2018 was set in stone. As a Data Processor, we take the upcoming changes seriously (and so should you). Let’s dive into the details.
First, let’s lay out some quick terminology:
- If you’re a client of Mouseflow (someone who uses our product on their websites), you’re a Data Controller. This is because you, at the end of the day, are responsible for and in charge of what kind of information is tracked, saved, stored, or shared about your business.
- If you’re someone who has been tracked by Mouseflow, you’re a Data Subject. This is because the data is, well, about you.
- Finally, if you’re Mouseflow (a software vendor providing the tool and processing data for others), you’re a Data Processor.
Now that we have that out of the way, let’s discuss what it means…
As a Data Processor, we take new rules and regulations very seriously. When we first heard about GDPR, we set up a company-wide meeting to talk about it. We read the entire legal text together, marked it up with highlights and notes, and discussed its impact with the team. We sent employees to training sessions (the U.S. Department of Commerce has one), spoke with other SaaS companies, appointed a Data Protection Officer (DPO), and asked our clients how they felt about it. We decided it’s best to jump in feet first — making sure nothing is left to chance.
Outside Mouseflow, we noticed a pattern: almost no-one understands GDPR. And, that’s a shame! The text is simple and spells it out. If you’re a Data Processor (like us), it’s not a choice to “not understand” GDPR. Luckily, I’m pleased to share that we’re on top of it.
First, let’s talk about the elephant in the room: Mouseflow is a session replay tool that tracks user behavior on a website. We want to make sure our product is ready for GDPR — both for our clients (Data Controllers) and the visitors they wish to track (Data Subjects). We think we have some pretty good solutions for both.
To start, we just launched a dedicated GDPR page on our website. You can access it anytime at https://mouseflow.com/gdpr. This is a living document and reveals what we’re doing as an organization from top-to-bottom. If you’re a Data Controller or Data Subject, there’s a wealth of information there available to you. And, we’ll be adding more information in the coming weeks and months.
We’re also making several platform and technical changes, many which may impact the data you collect (in a good way). Our goal is to have GDPR-ready features baked into our product, so it isn’t such a scary thing. You’ll see and hear a lot more on this topic in the next few posts.
I’m pleased to tell you that we’ve prioritized our development efforts from now until the end of the year to complete the tasks listed on our GDPR page, so every Mouseflow client will be closer to compliance before the deadline.
In case you haven’t seen it, there may be some steps you need to take (like excluding personal data from being tracked) in order to comply with the new legislation and satisfy Mouseflow’s Terms of Service, so check it out, let us know your thoughts, and contact us at firstname.lastname@example.org if you have any comments or questions.