This article was last updated December 2018
The General Data Protection Regulation (GDPR) is a set of rules introduced in May 2018 designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so both citizens and businesses in the European Union can fully benefit from the digital economy.
You might want to know how this affects your own obligations and those of the third party tools you use. After all, failure to comply could mean fines of up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher!
Here we’ll take a look at how Raygun is handling things for you to remain GDPR compliant.
What do Raygun customers need to do to be GDPR complaint?
Great question. We’ve been working hard for a long time on making this as easy as possible for our customers. You can complete the agreement (DPA) from your Plan Settings page. This can be found by clicking on the top right dropdown in the Raygun app and then clicking on your plan name.
Head to the Privacy and Compliance page, and click Review and accept beside the Data Processing Addendum (DPA) option.
Once you have reviewed and accepted the DPA, you can assign a Data Plan Protection Officer and EU Representative.
This creates the agreement between Raygun and your organization.
Behind the scenes, Raygun ensures that we reduce our Personally Identifiable Information (PII) footprint. Customers can still opt-in to sending PII data, but backend systems have all been hardened to reduce the reliance on that data.
Beyond this, we’ve also added some filters. This allows you do things like opt out of IP address storage. While not required, we know our customers have different needs.
Raygun’s position on GDPR
GDPR is a positive step forward for consumer privacy and control of their data. A lot of what is required, Raygun already did, so it won’t be changing our day to day operating approach.
How to opt out of sending PII related data to Raygun
You can opt out of sending PII related data to your application from your Application Settings page. You can navigate to this page by clicking on Application settings link in the sidebar of you Raygun app.
The User Information section allows you to:
- Disable IP address storage
- Disable geo-location lookups
- Disable fetching extra details for affected users
How to delete a single error instance
In some situations, you may want to delete an error instance (not just a group). To do this, open the error group which contains the error instance you need to delete. Raygun will give you a list of instances to delete.
Deleting error instances cannot be undone and won’t affect your data quota.
What is the best practice to prevent sensitive data from being sent into Raygun?
You are in complete control of the data you choose to send to Raygun. Raygun allows you to remove sensitive information on the client side before the data is sent to us.
However, should error and session details contain data you do not wish to be processed, Raygun also allows you to remove user and crash data.
Handling user data deletion requests inside Raygun
To help you with GDPR compliance, Raygun exposes the controls that allow you to:
- Find a user’s data
- Export the user’s data
- Delete the user’s data
You will not need to rely on a Raygun team member to do this for you. It’s all built right into the Raygun app.
Of course, we love talking with our customers, so if you have any issues here, please contact us and we’ll be glad to help.
How long does it take to ensure the data is deleted?
Raygun stores a lot of data for customers. A single customer could easily account for hundreds of gigabytes of data. Due to this, deletes can take some time to process. When a delete is triggered, a background process starts removing the data associated with that user. It can take time, but you should be thinking in minutes or hours, not days or weeks.
How do I know that when a deletion action is taken, that data is definitely not kept inside Raygun?
Firstly, all activity in Raygun is audited. So in the audit log you’ll be able to see that a deletion was made. As GDPR is partly about the right to be forgotten, we do not audit log ‘who’ was deleted, but the user who requested that a deletion occur (classic catch 22!).
Secondly, the GDPR creates a binding agreement between our organization and yours. Under this agreement, we are liable if we were not to undertake this action as requested.
I’m not an EU resident and my company is based outside of EU, so why is Raygun telling me about GDPR?
If you have further questions please do not hesitate to contact us.