Stream and GDPR

Scott L.
Scott L.
Published April 20, 2018 Updated February 15, 2021

As an organization who has customers located within the European Union (EU), the General Data Protection Regulation (GDPR) is an important topic for us here at Stream. The GDPR is a regulation by which the European government has intended to strengthen and unify data protection for all individuals within the EU (source). Companies must be able to show compliance by May 25, 2018. Failure to comply could mean a €20 million fine or 4% of your organization’s global turnover, whichever is greater.

What it is:

  • Access control – access to personal data must be restricted to people and machines that need to use the data.
  • Historical data – you must have the ability to delete personal data and let users download their provided personal data.
  • Access control – access to personal data must be restricted to people and machines that need to use the data.
  • Encryption – personal data should be secured through encryption so it can’t be seen.
  • Store and process – you must have a valid reason for storing and processing personal data.
  • Audit and logging – all access to personal data must be logged.

What Stream has done:

  • Access control – all access is restricted to the minimal set of employees that maintain those systems.
  • Historical data – our API currently allows customers to read all of a user’s data from their feed (which they can then provide to their end users) as well as delete it.
  • Encryption – all API communication with Stream is encrypted, as well as backups.
  • Store and process – Stream only stores the data that our customers put into the activities they send to us. Stream may use this data in personalization of feed content if our customer requests it.
  • Audit and logging – all access to stored data is logged.

What you should do:

The GDPR defines personal data to include name, passport number, and birthdate as well as information that some may not consider to be personally identifiable information (PII) like IP addresses or device IDs. Personal data can even include data about an individual that has been hashed or encrypted. We still recommend our customers do not send us any PII if possible.
Our standard terms and privacy policy have been updated to account for GDPR:

For a comprehensive list of what GDPR considers personal data, please read Article 4(1) of the GDPR

Note: the information provided this blog is strictly for informational purposes. We recommend that if you have any questions, or think the GDPR laws may impact your company, that you contact a lawyer.