GDPR Compliance Statement

CompeteIQ’s GDPR Readiness and Compliance Statement

Introduction
The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will be effective from May 25, 2018. Simply put, EU residents will now have greater say over what, how, why, where, and when their personal data is used, processed, or disposed of. This rule clarifies how the EU personal data laws apply even beyond the borders of the EU. Any organization that works with EU residents’ personal data in any manner, irrespective of location, has obligations to protect the data. CompeteIQ is well aware of its role in providing the right tools and processes to help its users and customers meet their GDPR mandates.

CompeteIQ’s Commitment
At CompeteIQ, we have always honored our users’ right to data privacy and protection. We have never relied on advertising as a revenue stream. We have never served ads to our users, and never will.

This means that we have no necessity to collect and process users’ personal information beyond what is required for the functioning of our products.
We already have strong Secure Coding and Data Protection processes and procedures in place, and we are revising them to meet the requirements of the GDPR. We recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.

How is CompeteIQ preparing for GDPR?
CompeteIQ has two main sets of data: Marketing-data and System-data.

Definition: System-data
System-data is data used only by the CompeteIQ enterprise application to provide service directly to our enterprise customers. This data is never used in marketing systems, and never will be. This data is protected when stored locally (which is rare) via strong encryption techniques. System-data is not Personally Identifiable Information (PII)/Personal data as it is provided to us directly by our enterprise clients and governed by their policies and procedures. We only use it as outlined via our contractual agreements with the enterprises we serve.

In this regard, we are a data-processor under GDPR and recognize the new requirements for data-processors under GDPR.

Definition: Marketing-data
Marketing-data is collected strictly on an explicit consent (opt-in) basis via the CompeteIQ website or other marketing events, such as a trade show. CompeteIQ would never spam our customers or contacts, nor would we ever share that information with another business. We do not sell or profit from customer data.
This data is only lawfully obtained via explicit consent (opt-in) methods on our website. We do not collect passive Personally Identifiable Information (PII)/Personal data.

CompeteIQ policy as a data-controller.
Limited exposure: CompeteIQ marketing-data is intentionally limited to a small set of Personally Identifiable Information (PII)/Personal data that does not include sensitive information such as financial information, or other types of personal information.
Participation in GDPR audits & reviews: CompeteIQ is available for any GDPR reviews requested by our clients.

We have thoroughly analyzed GDPR requirements and have put in place a dedicated internal team to drive our organization to meet them. Some of our ongoing initiatives are:

Identifying personal data – CompeteIQ has identified and mapped the purview of personal data for our applications; documenting the various sources of data is the foundation for our compliance.

Providing visibility and transparency – The most important aspect of GDPR is how the collected data is used. As a data processor, CompeteIQ’s key role is to provide our customers (the data controllers) with the access to effectively manage and protect their user data. This is achieved via system-data connectivity to our clients’ Identity Access Management Systems. We only utilize data provided in accordance with our contractual agreements to provide service to our clients. We limit our data storage to only the data required to achieve that end.

Enhancing data integrity and security – Data privacy and data security are two sides of the same coin. As our customers tighten their data security measures, we’re streamlining the processes for our cloud applications by implementing IT policies and procedures that provide end-to-end security.

Portability and transferability of data – GDPR gives end users the right to either receive all the data provided and processed by the controller or transfer it to another controller depending on technical feasibility. CompeteIQ provides data export capabilities, including export at the individual level.

GDPR Compliance of third-party systems
CompeteIQ uses third-party marketing systems whose GDPR compliance statements are available upon request.
