GDPR Compliance Summary

SAPPHIRE IS READY FOR GDPR

The European Union’s General Data Protection Regulation (GDPR) takes effect on May 25, 2018 and represents a new legal regime for protecting personal data.

GDPR sets out a regulatory framework governing the collection, use, storage and destruction of personal data of European Union (EU) residents and applies to entities outside the EU that process the personal data of EU residents.


7SIGNAL ADDS NO NEW RISK

We’ve determined that our system contains the following pieces of what GDPR considers to be Personal Identifiable Information (PID):

  • MAC addresses
  • Location
  • Timestamp

As a result, 7SIGNAL is making changes to its system and processes to ensure compliance with the regulations by the May 25, 2018 deadline. Depending on the deployment type, 7SIGNAL customers are either a ‘controller’ or ‘processor’ or both, according to the GDPR. Each has specific requirements that they, or we, must fulfill.


SAPPHIRE PRODUCT CHANGES

Our product changes enable customers to comply with GDPR; however, it is not possible for us to automate all aspects of compliance. While our default configurations and compliance modes are a key part of enabling customer compliance, additional requirements apply to you. Since GDPR applies to the usage and storage of personally identifiable data, in many cases EU PID must be stored in and accessed only from an EU country.

For example, assume a company deploys a Sapphire server to a US datacenter and has Eyes deployed to an EU location. Unless they are certified under Privacy Shield, they will be in violation of GDPR. Thus, if you wish to see end-user performance directly, which requires collection of MAC addresses from EU locations, then you must either store and access that information in an EU country or be certified under Privacy Shield. Regardless, we’ve got you covered.

Please refer to the Internet Commissioners Office (ICO) Guide to the General Data Protection Regulation (GDPR) for more information. For more guidance from the ICO on Wi-Fi, refer to their Data Protection Wi-Fi analytics guide.

New ‘Compliance Mode’

Customers with systems on their premises or in our cloud will be able to toggle on/off the collection of MAC addresses. This feature is enabled through the 7SIGNAL Configurator.

Customers who subscribe to 7SIGNAL’s cloud system in the USA can continue to measure end-user client device performance in non-EU locations.

Customers who subscribe to 7SIGNAL’s cloud system in the USA will be unable to measure end-user client device performance in EU locations (as it requires client MAC addresses).

Customers deployed to the EU may choose to measure their end-user clients’ performance (and collect their MAC addresses).

Remember that accessing EU end-user MAC address information from a computer outside of the EU qualifies as “transfer of personal data” outside of the EU, even when it is stored in the EU. Use appropriate operational controls to avoid this situation. It is impractical for us to reliably automate this restriction.

Consent – Opting In or Out

7SIGNAL customers operating Sapphire Eyes in GDPR-compliant locations should notify people who might have their information recorded by publishing a message such as:

To provide a good Wi-Fi user experience, <customer name> continuously measures the performance of Wi-Fi enabled devices such as laptops and smartphones. As a result, each device’s unique identifier or “MAC address” may be captured along with the time and location it was seen. To view, delete, or have your device excluded, please contact <contact info.>

Based on your situation, this information might be posted on bulletin boards, sent via email, included in your Wi-Fi captive portal page content or all of the above.

Any individual may request:

  • To view the information about their device that has been collected
  • That their MAC addresses be removed from the system and blocked from future collection from all monitored locations (including outside of the EU).

Use the updated Sapphire user interface to satisfy these requests.


CLOUD vs. ON-PREMISE CUSTOMERS

Within the GDPR:

  • A controller determines the purposes and means of processing personal data
  • A processor is responsible for processing personal data on behalf of a controller

An On-Premise customer who deploys 7SIGNAL servers onsite within their own datacenter is operating as both controller and processor. A Cloud customer is operating as the controller and 7SIGNAL is the processor. When an On-Premise customer deploys 7SIGNAL servers via a third-party provider (e.g. Rackspace), the customer is the controller and the hosting service is the processor. In that case, 7SIGNAL provides a capability to On-Premise customers but is neither the controller nor the processor.

7SIGNAL and our processor locations have the appropriate IT Controls in place to comply with GDPR. We deploy customers who access EU location PID in our EU datacenter.

On-Premise customers should be sure to validate that their partners comply with GDPR’s requirements.


7SIGNAL CLOUD PROCESS CHANGES

As required by the GDPR, 7SIGNAL has designated a Data Protection Officer who is responsible for managing and reporting any breaches in security to the EU Commissioner’s Office.

7SIGNAL will comply with the 72-hour notification rule, as outlined by the GDPR.


MOBILE EYE

We’ve determined that our system contains the following pieces of what GDPR considers to be Personal Identifiable Information (PID):

  • MAC addresses
  • Location
  • Timestamp

7SIGNAL is actively working on developing the aforementioned product changes for Mobile Eye. They will not be completed by the May 25, 2018 deadline and, as a result, Mobile Eye is no longer available for sale in the EU until such time as the product changes have been completed. In addition, to ensure our compliance with GDPR, beginning May 1st, 7SIGNAL will no longer accept Mobile Eye device data originating from the EU.

We will also discontinue consumer-initiated downloads of Mobile Eye from the Apple App Store and Google Play. However, 7SIGNAL will retain the ability for enterprises to download it. We estimate the product changes to be complete in Q4 of 2018 and will reactivate Mobile Eye at that time.