On May 25, 2018, the European Union will enact sweeping personal data and privacy reforms, called the General Data Protection Regulation (GDPR), that impact nearly every user of the internet, no matter where they are located. Turbine Labs believes GDPR will have a positive impact on the services consumers, businesses and organizations use to share information and, over time, will improve trust between companies that build data-related platforms and consumers whose data is used within them.
Turbine Labs is committed to protecting the privacy and personal data of our customers and users, and to achieving full compliance with these newly enacted regulations. This FAQ was built for our customers to understand how we’re approaching GDPR, and for the general public to understand how data associated with their public, online presence is collected and used in services such as those that Turbine Labs offers.
Q: Does GDPR apply to Turbine Labs?
A: The GDPR applies to any business that processes personal data, which is defined as anything that identifies or can be used to identify a person. For Turbine Labs, personally identifiable data consists of the named, verified accounts whose public conversation data we collect and analyze for use in our products.
Q: What is the difference between a data processor and a data controller?
A: The common example is that of an email service. When a business uses a platform to send an email (think Mailchimp, SendGrid, Constant Contact), the email service is the data processor, because it is processing data on behalf of, or “on the instructions” of, the business. In this case, the business is the data controller. More information on the differences between a data processor and a data controller can be found here.
Q: Is Turbine Labs a data processor or data controller?
A: Turbine Labs ingests and collects data through a number of 3rd-party sources and platforms, as well as via public websites through in-house website crawlers. We’ve ensured or are currently validating that all 3rd-party data sources and platforms are GDPR compliant or in the process of becoming GDPR compliant. Additionally, our in-house crawlers collect data from a broad range of online sources. Because decisions on which data is collected begin before the customer request, and not “on the instructions” of our customers, we consider ourselves data controllers.
Q: If Turbine Labs is a data controller, what are its customers?
A: Turbine Labs customers will also be classified as data controllers under the GDPR. This is because our customers do not process the data on behalf of another data controller – our customer is the endpoint for any data included in the output of a Turbine Labs service.
Q: Where does Turbine Labs store its data?
A: Turbine Labs stores all of its data in GDPR-compliant third-party cloud storage and machine processing providers in the United States. All data is stored, processed and enriched in the United States. All output is distributed from email service providers (ESPs) or other platform-as-a-service (PaaS) providers based in the United States.
Q: Are there instances when public data may not be in compliance with the GDPR?
A: Yes, in certain instances, public data collected by Turbine that was once GDPR compliant may fall out of compliance at a later date. For example, a verified user of the Twitter social media platform publishes a tweet, which is collected by the Turbine platform via the Twitter API. At a later date, the user may delete the tweet from their feed, but text or enrichments associated with the original tweet remain on our servers. At the point a tweet is deleted by the verified user of Twitter and remains on Turbine Labs’ servers, any personally identifiable information remaining on our servers would be out of compliance with GDPR. To resolve this issue and ensure Turbine Labs remains in compliance, the company is in the process of building tools that periodically scan our databases and remove content that was at one point public, but is no longer.
Q: There’s so much conversation about GDPR… where can I go to find more clarity?
A: The EU GDPR Information Portal is the most reliable source to find answers on GDPR. But if you have any further questions on GDPR with respect to Turbine Labs, please email info (at) turbinelabs (dot) com and we’ll reply to you within two business days.