IDX™ is committed to compliance with the General Data Protection Regulation (GDPR) and to protecting Personally Identifiable Information (PII). In addition to GDPR compliance, our policies and procedures follow the controls set out in ISO 27001:2013.
We have adopted and applied the GDPR principles within our organization, and we are also certified against ‘Bureau Veritas - Technical standard related to personal data protection in compliance with the regulation (EU) 2016/679 – GDPR’.
We respect the rights of Data Subjects and have set up internal processes around our Data Privacy and Protection objectives. These include (but are not limited to) Data Breach procedures, Data Erasure requests and Right to Information procedures.
What is GDPR?
The EU's General Data Protection Regulation (GDPR) came into force in May 2018. It governs how companies collect, process and store personal data about individuals.
Does this apply to me?
The GDPR governs entities established in the EU, but it also applies to non-EU businesses that offer goods or services to people in the EU or monitor their behaviour. So, even if you are based elsewhere, if you control or process the personal data of individuals located in the EU (residents, not only citizens), the GDPR applies to you.
GDPR Key Terms
Data Subject - GDPR defines data subjects as identified or identifiable natural person[s]. In other words, data subjects are just people from whom or about whom you collect information in connection with your business and its operations.
Data Controller - The GDPR definition of a controller is the natural or legal person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor - Those entities that process personal data on behalf of data controllers, and as directed by data controllers, are considered data processors.
Consent - The GDPR raises the standard for obtaining consent: it must be freely given, specific, informed and unambiguous, and the request for consent must be presented in clear and plain language, clearly distinguishable from other matters.
Top FAQs
How does IDX™ approach Data Privacy and Protection?
IDX™ has always held itself accountable to the strongest governance models to ensure data privacy and protection for our clients. We work with reputable third-party audit firms for the compliance and certification of our data handling and storage procedures, in line with industry best practices.
What is IDX™'s posture on GDPR Compliance?
IDX™ has voluntarily submitted to a third-party audit of our GDPR controls. While this is not required by governing bodies, we have chosen this path to ensure that we have the best possible planning in place for our clients. As part of this audit, a leading international compliance and certification agency, Bureau Veritas, has certified IDX™ for our demonstrated ability to process and secure personal data in accordance with the GDPR.
This, combined with IDX™'s ISO 27001 (ISMS) credentials and robust, mature security processes modelled after SSAE16 SOC 1/2, makes IDX™ an ideal choice for clients who are especially sensitive about PII processing and the storage of sensitive data.
Is my company data protected when I work with IDX™?
Your data is completely secured with IDX™.
We are certified for ISO 27001:2013, ISO 9001:2015 and Bureau Veritas’ technical standard for personal data protection. Security is at the center of everything we do. Our security processes and policies are inspired by industry best practices for information security and data protection. Our dedicated Information Security team ensures our controls can defend against the latest cyber threats.
How are client data transactions covered contractually?
IDX™ has a standard procedure in place that requires a DPA – Data Processing Addendum/Agreement - in place for every client relationship where personal data is involved. IDX™'s dedicated GDPR Compliance team works with the client's compliance team to ensure the proper documentation is in place before the data processing activities commence.
If IDX™'s products and services are compliant to the GDPR requirements, do I still need to think about how my website with IDX™ can be compliant?
Yes. IDX™'s hosting platforms and other products and services have been enhanced to protect personal data; however, as the website owner and Data Controller, you still need to ensure that the website itself is compliant. This means, among other things, ensuring the website has a well-drafted privacy policy, a cookie policy and a cookie notice with controls that allow users to disable optional cookies. Note that IDX™ does not create privacy or cookie policies on our clients' behalf. Our role as a data processor means the policy must come from our client (the data controller), and we are then held accountable to those requirements.
Clients should work with their IDX™ contact to ensure that GDPR compliant policies exist on their website and that they have a data protection agreement in place for any subcontractors that collect data on their website.
What is the Cookie law?
The Cookie Law is privacy legislation that directs how a website may use cookies, including transparently providing information about cookies and giving users a real choice to allow cookies or not. Historically, the “cookie law” of 2011 required consent to drop any non-essential cookie, regardless of whether personal data was collected. The concept of “non-essential” cookies is therefore not a new one. The ICO’s 2012 guidance on cookies said implied consent (an opt-out rather than an opt-in) was permitted: “Implied consent has always been a reasonable proposition in the context of data protection law and privacy regulation and it remains so in the context of storage of information or access to information using cookies and similar devices.”
The Cookie Law was introduced as an EU Directive which then was adopted by all EU countries including the UK. Each country updated its local laws to comply with this, for example, Privacy and Electronic Communications Regulations in the UK.
What is the new guidance from the UK's Information Commissioner's Office (ICO) on cookies?
In early July 2019, the ICO released new guidance on the use of cookies and similar technologies, which provides direction on how to comply with:
- Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’)
- The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’)
The main takeaway from this guidance is that implied consent is no longer acceptable for non-essential cookies. The GDPR tightened the definition of valid consent, and the ICO’s July 2019 guidance confirms that this definition governs cookies too: “There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies”. Users must therefore take, in the words of the Regulator, “a clear and positive action to consent to non-essential cookies”, and “pre-ticked boxes or any equivalents, such as sliders defaulted to ‘on’, cannot be used for non-essential cookies”.
What impact will these changes have on a website I host with you?
Some clients already had a mechanism to obtain explicit consent at the guidance of their own legal and compliance teams. These clients will have to review the privacy policy, cookie policy and cookie control mechanism to ensure they are still in compliance with the latest guidance.
A large number of clients relied on “implied consent”. These clients will need to work with their IDX™ contacts to deploy changes to ensure they are in compliance with the latest guidance.
How will these changes affect my website analytics?
Note that a side effect of this change is that, once it is in place, you will likely see a drop in the numbers reported by your website analytics package. This does not mean that visitors are not finding your website; it means that some visitors have not opted in to analytics cookies, so they are no longer counted.
Am I legally required to adopt this guidance for cookies?
If you are a European company or target an EU based audience we strongly urge you to adopt this guidance and follow through on these website changes to avoid the risk of a fine from the ICO. However, you may also elect to sign a disclaimer and not have this change put in place for your website.
I am a U.S. based company. Do I need to follow these rules for a U.S. based audience?
No (although you may be affected by the CCPA from January 2020 and may want to get ahead of that now). Currently you do not need to block cookies by default for audiences outside the EU. Serving different cookie behaviour to EU and non-EU audiences can be done by adding geo-location to your website or by hosting separate clones of your website for the EU and the U.S. Note that IP-based geo-location is approximate (VPNs and proxies can misplace a visitor), so a visitor whose location cannot be determined should be treated as an EU visitor.
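Putting the two points above together (explicit, default-off consent for non-essential cookies, and different behaviour for EU and non-EU audiences), here is an added example of a consent gate in browser JavaScript. It is not IDX™ code and the page describes no particular implementation; the cookie name `cookie_consent`, the categories `analytics` and `marketing`, the region labels returned by the geo lookup, the `window.__visitorRegion` hook and the `data-consent` attribute convention are all assumptions made for the example. Non-essential scripts are written as `<script type="text/plain" data-consent="analytics">` so the browser does not execute them until the visitor opts in; a missing, malformed or non-boolean consent value counts as no consent, and a visitor whose region cannot be determined is treated as an EU visitor.

```javascript
// Added example (not IDX code): an opt-in consent gate for non-essential cookies.
// Assumptions not taken from the page: consent is recorded in a cookie named
// "cookie_consent" as a JSON object of category -> boolean; non-essential
// scripts are written as <script type="text/plain" data-consent="analytics">
// so the browser does not run them until this code switches them on; the
// visitor's region comes from the site's own geo lookup (hypothetical).

const CONSENT_COOKIE = "cookie_consent";
const CATEGORIES = ["analytics", "marketing"]; // hypothetical non-essential categories
const EU_REGIONS = new Set(["EU", "EEA", "UK"]); // hypothetical labels from the geo lookup

// Read the recorded consent from a Cookie header string.
// No cookie, or a malformed one, yields every category false: silence is not consent.
function parseConsent(cookieHeader) {
  const empty = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const m = new RegExp(`(?:^|;\\s*)${CONSENT_COOKIE}=([^;]*)`).exec(cookieHeader || "");
  if (!m) return empty;
  try {
    const stored = JSON.parse(decodeURIComponent(m[1]));
    const out = { ...empty };
    for (const c of CATEGORIES) out[c] = stored[c] === true; // only a literal true counts
    return out;
  } catch (e) {
    return empty; // not JSON, not an object, or bad encoding: treat as no consent
  }
}

// Build the Set-Cookie value that records the visitor's choice.
// Categories the visitor did not explicitly turn on are stored as false,
// which is what a banner whose toggles all default to "off" produces.
function serializeConsent(choices) {
  const stored = {};
  for (const c of CATEGORIES) stored[c] = choices[c] === true;
  const value = encodeURIComponent(JSON.stringify(stored));
  return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Decide which non-essential categories may run for this visitor.
// EU/UK visitors, and visitors whose region is unknown (the safe default), get
// only what they opted in to. Outside the EU the site owner may choose to load
// by default; that policy decision is expressed by `loadByDefaultOutsideEU`.
function allowedCategories(consent, region, loadByDefaultOutsideEU = false) {
  const regulated = !region || EU_REGIONS.has(region);
  const allowed = new Set();
  for (const c of CATEGORIES) {
    if (consent[c] === true || (!regulated && loadByDefaultOutsideEU)) allowed.add(c);
  }
  return allowed;
}

// Pick the script descriptors ({category, src}) that may be activated.
function selectScripts(scripts, allowed) {
  return scripts.filter((s) => allowed.has(s.category));
}

// Browser side: turn the blocked <script type="text/plain"> tags into live ones.
// Only runs when handed a real document; the functions above are DOM-free.
function activateScripts(doc, allowed) {
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(tag.dataset.consent)) continue;
    const live = doc.createElement("script");
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
  }
}

// Bootstrap in the browser: gate on the stored consent, then activate.
// window.__visitorRegion is a hypothetical value set by the site's geo lookup.
if (typeof document !== "undefined") {
  const allowed = allowedCategories(parseConsent(document.cookie), window.__visitorRegion);
  activateScripts(document, allowed);
}
```

The banner that sets the cookie is not shown; whatever it looks like, it must call `serializeConsent` only after a click, and never pre-populate a category with `true`. Because `parseConsent` returns every category as `false` unless the stored value is literally `true`, an older cookie written by a banner that relied on implied consent is treated as no consent and the visitor is asked again.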
What is required of me as an IDX™ client?
All clients must review their website cookie policies to ensure they are in line with the requirements of the PECR and the GDPR. If you are using an old cookie policy obtained from IDX™, you must replace it with a new policy of your own.
What is the relationship of a client with IDX™ in the GDPR context?
In the GDPR context, a client is the Data Controller (DC) and IDX™ is the Data Processor (DP).
What data does IDX™ collect and use about individuals?
IDX™ does not collect data for its own purposes. Data is collected only on the instructions of the Data Controller, which remains the owner of the data.
Do my website visitors have a right to be deleted?
Yes. Any data subject can exercise the right to erasure (the “right to be forgotten”, GDPR Article 17). Contact our GDPR team or your IDX™ contacts to assist you in this process.
Are individuals provided with a mechanism to change their preferences regarding the use of their personal information?
Yes. The guidelines and options to toggle the preferences are accessible through the cookie notice or cookie policy.
Can my website visitors opt-in and out of data collection?
Yes, they can. Contact your account manager to organize a call with our GDPR experts to learn more about how this is already being done on your website.
What process does IDX™ follow when an individual objects to a certain use of their data?
If an individual opts out or objects to data collection, a process is in place to remove the individual’s data from our systems. The data controllers or the client must also have their own standardized procedures for managing data sent to them by IDX™ to ensure compliance with GDPR. Users may similarly opt out through the footer provided in all IDX™ email communication.
Will data stored with IDX™ be sent out of the EU?
Only if strictly necessary for the delivery of the contracted services may information be processed from the IDX™ offices in the US and India. In such cases, the transfer is based on a data transfer agreement between the IDX™ entities involved.
Additionally, the information transferred to a client becomes the property of the client. Any additional third-party data transfers thereon must be outlined in the client’s data handling policy and privacy policy including transfer outside EU by the client.
Where is a user’s information stored in the European Union?
All client data captured in the European Union is stored in Amazon Web Services regions located in Ireland and Frankfurt.
To what extent does IDX™ share an individual’s information captured with third parties?
Data we collect on behalf of clients is shared only with that client or with sub-processors covered by Data Processing Agreements and following our privacy policy. If a data sharing agreement is in place, IDX™ closely monitors these agreements on behalf of the client. It’s important to note that IDX™ does not sell data to third parties.
Does IDX™ have a “Data Protection Officer” (DPO)?
Yes, IDX™ has a Data Protection Officer (DPO). Contact your account manager to learn more about it.
Does IDX™ have the capability to identify, investigate and deal with personal data breaches?
Yes. We have controls in place to identify, protect against, detect, respond to and recover from data breaches. Under the GDPR (Article 33), a processor must notify the controller of a personal data breach without undue delay so that the controller can meet its own 72-hour deadline for notifying the supervisory authority; our breach notification procedure commits to informing the client within 48 hours and will very often be much faster. Once a root cause has been established, a complete history of the breach and the corresponding remediation steps will be communicated to the client. Our clients will be familiar with this procedure, as a similar process already exists for security risk notifications.
Does IDX™ cover the cost of GDPR and PECR compliance for websites you host?
Our clients use different analytics providers, and there is no way for us to ensure their ongoing compliance when regulations change. These vendors behave differently, some working through JavaScript and others through server-side integrations, and it is not possible for us to track and manage compliance for technology that works outside our platform. Examples include server-side integrations for Facebook and other advertising and marketing automation technologies. In these situations, please talk to our GDPR compliance team to learn how you can hold these subcontractors accountable for their data handling practices. IDX™'s own Connect.ID Intelligence Analytics is GDPR compliant, and as the provider of that tool we take full responsibility for updating it when regulations change.
Does this information cover the California Consumer Privacy Act?
No. The CCPA was signed into law in June 2018 and is being described as the GDPR of the U.S. It contains strong privacy provisions and comes into full effect on January 1st, 2020. IDX™ will be posting more information about complying with the CCPA in the coming months.
More Information:
Should you require more detailed information, specifically on IDX™'s approach to the GDPR, please contact your Account Manager. You can also send GDPR related queries to GDPR [at] idx [dot] inc.