How can I ensure I’m compliant with the General Data Protection Regulation (GDPR) while using The Sift Digital Trust Platform?
Your legal and compliance teams are the only ones who can ensure compliance. Here are some things that you can share with them:
- If your company receives a rights request, you can ask us to process that request by contacting firstname.lastname@example.org.
- Legitimate interest is one of the ways companies can process personal data under GDPR. Fraud prevention is one of the defined legitimate interests (see Recital 47), which is what enables Sift to process personal data within its fraud prevention products.
- If requested, we are able to execute a Data Protection Addendum (DPA) with you. Please contact email@example.com or your contact at Sift to put one in place.
- Sift is Privacy Shield certified, which enables our customers to transfer data in a compliant manner from the EU/EEA to Sift. More information is available at https://sift.com/security-privacy.
- GDPR reminds companies to be transparent about how they use and process customer information. As a result, you should make sure you adequately disclose your use of a third-party fraud prevention vendor to protect your website.
How does GDPR impact my use of Sift?
There are three ways in which you may notice GDPR affecting your experience:
- When searching in the console for an end user who has been removed due to a successful Rights Request, you will see a message that says "This user has been deleted for compliance reasons."
- When searching in the console for an Order ID or Email Address connected to an end user who has exercised a rights request, your search will return no result.
- When an API request is sent for end users that have submitted a successful Right to Object request, Sift will respond with HTTP error code 451. More info on this below.
For GDPR, we have updated our data retention policies. In doing so, we have evaluated the accuracy of our service and do not believe these changes will materially impact our ability to prevent fraud in our service.
What should I do if my customer contacts me with a Rights Request?
If you would like to submit a Rights request to our Privacy Team, contact firstname.lastname@example.org with that request. Please note that you are responsible for verifying the identity of the data subject (i.e. the end user) before submitting the request to Sift.
Can my customers contact Sift directly to process a rights request?
Yes, Sift data subjects (i.e. your customers) can email email@example.com to have these requests processed.
What is a 451 error?
When an API request is sent for an end user that submitted a successful Right to Object request, Sift will respond with a 4XX class HTTP error. The specific HTTP error code will be 451. Because it’s a 4XX class error, developers should not retry the request.
Here’s an example of what the response body from Sift will look like:
{
  "error_message": "Unavailable For Legal Reasons: End User Has Opted Out of Data Processing"
}
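The following is an added example, not code from Sift or from this page, showing how a client can handle the 451 response described above: it records the end user as opted out so that no further events are sent for them, treats other 4XX responses as non-retryable, and only retries on server errors. The OptOutRegistry class, the status-to-action mapping for non-451 codes, and the sample response body are assumptions for illustration.

```python
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample body, shaped like the 451 response shown above.
SAMPLE_451_BODY = json.dumps({
    "error_message": "Unavailable For Legal Reasons: End User Has Opted Out of Data Processing",
})


@dataclass
class OptOutRegistry:
    """Hypothetical local record of end users whose data must no longer be sent."""
    user_ids: set = field(default_factory=set)

    def record(self, user_id: str) -> None:
        self.user_ids.add(user_id)

    def is_opted_out(self, user_id: str) -> bool:
        return user_id in self.user_ids


def error_message(body: str) -> Optional[str]:
    """Extract the error_message field from a JSON response body, if present."""
    try:
        return json.loads(body).get("error_message")
    except (ValueError, AttributeError):
        return None


def classify_response(status: int, body: str, user_id: str,
                      registry: OptOutRegistry) -> str:
    """Map an HTTP response to a client action: ok, opted_out, drop or retry."""
    if 200 <= status < 300:
        return "ok"
    if status == 451:
        # Right to Object honoured: remember the user and never retry this request.
        registry.record(user_id)
        return "opted_out"
    if 400 <= status < 500:
        # Other 4XX errors are client-side problems; retrying will not help.
        return "drop"
    if status >= 500:
        # Assumed retryable: server-side failures are not covered by the page.
        return "retry"
    return "drop"


def should_send(user_id: str, registry: OptOutRegistry) -> bool:
    """Gate outbound events so opted-out users are not sent to the API again."""
    return not registry.is_opted_out(user_id)
```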
If you are interested in our legal whitepaper on GDPR, please email firstname.lastname@example.org. Otherwise, please visit: https://sift.com/security-privacy.