A few Bubble users have reached out to us with questions about GDPR, which is the upcoming privacy and data protection legislation that is coming into effect in the European Union in May. We’ve been doing extensive work related to this, and want to give a brief, interim update on what Bubble is doing to be compliant and help our users be compliant with the new regulations.
GDPR, or the General Data Protection Regulation, is a data protection regime adopted by the European Commission intended to strengthen data protection and security for personal data in the EU. It will go into effect on May 25, 2018.
To start, we take privacy extremely seriously, and achieving compliance with GDPR is a priority for Bubble. GDPR is a complicated framework that marks a big change in how a lot of online companies process and store data. Over the past few months, Bubble has been working closely with our attorneys to ensure we comply with GDPR. Although GDPR only governs how data about people residing in EU member states is used and processed, we are taking this as an opportunity to review our data privacy regime for the entire Bubble platform.
The first step we are taking is participating in EU-US Privacy Shield Framework, which was designed by the US Department of Commerce and the European Commission to provide companies with a data protection compliance mechanism when transferring data to the US from the EU. The Privacy Shield sets a standard for data protection for all of our users and is enforceable and subject to investigation by US authorities.
Bubble’s certification as a Shield participant has two benefits:
Shield aims to enable the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US. It’s a mechanism used by such companies as AWS and Google to transfer EU data to the US.
Shield certification requires thorough review of our data processes, which we are using as an opportunity to confirm that they are GDPR compliant.
We’ve finished an internal audit of Shield compliance and found that our current data management processes are largely in line with the framework’s requirements. However, one key component of official Shield certification is ensuring that all third party vendors we use to help us process data are also compliant. We are currently in the process of working through this with our vendors. Because this is an ongoing conversation, we will update the community when we have a concrete deadline for Shield certification.