GDPR Fact Sheet for Audience Finder & Show Stats Users

This document is most relevant to data controllers, for whom The Audience Agency act as a data processor in order to provide Audience Finder “Ticketing Data Dashboards” and services. In general, this is not relevant to “Survey Dashboard” users or “Show Stats” users, since there is no processing of personal data in these instances.
Please note that the specific contractual terms are set out in your Data Use & Confidentiality Agreements. This fact sheet is for background information purposes only.

The Legislation
Is The Audience Agency allowed to process data under GDPR?

The particular legitimising conditions for processing of data in Audience Finder will not alter under GDPR – to provide the Audience Finder services that are based on ticketing data, The Audience Agency acts as a data processor on behalf of participating organisations. The conditions for processing data in Audience Finder are the legitimate interests of the data controlling organisations. The data outputs are all fully anonymised, and no personal information is used for direct contact with any individual or household. All the details setting the position out are contained in our Data Use and Confidentiality Agreements that are in place with Audience Finder participating organisations to make sure that these particulars are fully compliant with the new requirements under GDPR.

The customer details are only extracted relating to bookers that are associated with a booking of a performance. Once the data is transferred to our staging warehouse via secure HTTPS, it is re-formatted and standardised. During this process the customer details are assigned a unique household reference number for reporting. Their address details are not displayed or used in any of the reporting (we use the household reference number from this point onwards) and their details are never shared with other parties. All of our data is securely stored and encrypted so that only we can unencrypt it.

Process and Personnel
Who is The Audience Agency’s Data Protection Officer?

Leo Sharrock, Director of Data Platforms is the person responsible for fulfilling the role of Data Protection Officer for The Audience Agency.

Do you have a GDPR compliance policy and road map?

The Audience Agency have updated our Privacy Notice with due diligence in regard to GDPR, to detail how The Audience Agency manage personal information in Audience Finder in compliance with the regulations.

The Audience Agemcy have also conducted a personal information audit and privacy impact assessment with due diligence in regard to GDPR.

As a result of these exercises we have already implemented all necessary measures both technical and procedural relating to data minimisation, data retention, data security; and processes, policies and documentation to further strengthen our compliance with the regulations.

We are confident that our present practices are fully compliant with the regulations, and our newly updated Data Use and Confidentiality Agreement reflects and describes the compliance clarifications required under GDPR.

The Audience Agency has an organisational Data Management Policy which sets out:

  1. the fair and lawful basis upon which we process personal data;
  2. the purposes for which we process personal information;
  3. steps taken to ensure data relevance, minimisation, and accuracy;
  4. our data retention policy;
  5. security measures taken to protect personal information;
  6. organisational policies for how subjects' rights are exercised.

However, this document contains business sensitive information and will not be shared externally.

Where is your data physically stored (locations including countries)?

Inside the EU, on Amazon's AWS servers in the Republic of Ireland.

Who has access to your data storage facilities?

Neither The Audience Agency, nor its partners/suppliers have physical access to Amazon's AWS servers. Remote access is only accessible by authorised The Audience Agency personnel, and by our partners/suppliers (Baker Richards Consulting and JCA) with access restricted by both policy and technological security measures. Access to The Audience Agency's network (which is also located in the EU) is similarly protected by policy and technological security measures.

Data Sharing
What third parties, (including any of your group companies or any third party supplier) do you work with that may also have access to the personal data we share with you?

In order to deliver the Audience Finder service, The Audience Agency works with Baker Richards Consulting Limited and Jacobson Consulting Applications (JCA), who provide and maintain the technical infrastructure for extracting the ticketing data which drives the Audience Finder service, and therefore have access to the data we process, solely for the purpose of maintaining and supporting the service. The Audience Agency enters into an agreement with anybody who provides a service to it to ensure that they meet its standards for data security, and all obligations under the relevant data protection regulations. The Audience Agency will not use the personal information in Audience Finder for anything other than the clearly defined purpose of supporting and maintaining the delivery of the Audience Finder service.

Do you use subcontractors to process personal data on behalf of me or my organisation?

Not beyond the purpose of providing and maintaining the technical infrastructure for extracting the ticketing data which drives the Audience Finder service, as detailed in question 5.

Will you store or transfer any personal data supplied by me/my organisation for the purposes of processing, to a country outside the European Economic Area (EEA)?

No, data will not be stored or transferred outside the EU.

Will you disclose, share or allow access to any personal data supplied by me/my organisation for the purposes of processing, to or from locations outside of the European Economic Area?

One of The Audience Agency's technical service providers, Jacobson Consulting Applications (JCA), is based in the United States of America and, for the purposes of providing and maintaining the Audience Finder infrastructure, is able to access the personal information on the servers in the EU that is processed for Audience Finder. Any processing activity involving Jacobson Consulting Applications is carried out securely in accordance with the EU-US Privacy Shield which the EU has confirmed provides an adequate level of protection for personal data.

More information on the EU-US Privacy Shield’s certification is here: www.privacyshield.gov.

Do you use subcontractors for any other purpose, e.g. data backups, involving personal data?

No.

Personal Data
Is personal data systematically destroyed, erased, or anonymised when it is either no longer legally required to be retained or is no longer needed to fulfil the purpose(s) for which it was collected/processed?

Yes. Personal data is used in Audience Finder to match to pseudonymised keys, which are then used for analysis and delivery of fully anonymised reporting. Personal information is then automatically deleted after pseudonymisation. Of the data extracted at source from ticketing systems, we retain only the customer unique reference number and the postcode for the purpose of delivering fully anonymised reporting and analysis metrics in the Audience Finder service.

For how long do you store data about our customers?

Personal information in the form of names and addresses is stored only for the period of time between data extractions - in the case of most organisations this as at most one week. Postcodes, source ticketing system customer unique reference numbers and pseudonymised keys are stored for the life of the Audience Finder service.

How does your organisation handle instances when individuals request that their personal data be removed from your system(s)?

The Audience Agency acts as a data processor on behalf of the data controller. It will be for the data controller to decide whether a data subject's request for deletion will be accepted. In such instances where this is the case, the data controller will need to notify The Audience Agency when the redaction from their systems was enacted and which customer unique reference number this was in relation to. Then, The Audience Agency will fully anonymise the customer unique reference number and the postcode will be deleted. Name and address will automatically have been deleted post pseudonymisation.

How will you respond to requests from data controllers for assistance in fulfilling data Subject Access Requests?

In such instances as Subject Access Requests, The Audience Agency advise that the data controller notify their customers (data subjects) that a limited subset of their data is passed to The Audience Agency for the purpose of providing audience analytics, and that the maximum that The Audience Agency retain is the customer's postcode and audience reference number - there should be no need for The Audience Agency to provide the information held by The Audience Agency about the audience member to the data controller, as data held by The Audience Agency will simply comprise a duplicate copy of the subset of data received from the data controller. However, if an individual still wishes to see the duplicate subset held by The Audience Agency then, upon the instruction of the data controller, The Audience Agency will provide the controller with a full copy of the information held on the audience member by The Audience Agency for disclosure to the data subject, save that The Audience Agency can only supply information relating directly to that individual, and not relating to any further individuals in the household, without their express consent.

To facilitate this, the data controller will need to supply The Audience Agency with the relevant customer unique reference number(s), and The Audience Agency will be able to provide a copy of all the transactional data linked to the respective numbers - which will be a copy of a subset of the transactional ticketing data that the data controller will provide to the data subject themselves directly.

Is your security team able to discover and identify personal data, even when not stored together with other identifiers?

Not to an individual level. It would theoretically be possible to reverse engineer a pseudonymised booker key against the household directory which we use to derive these (however, both of these are protected by encryption at rest) - but all that this would yield would be the household address, (not the person) linked to the transaction history. There is no other contact detail, or sensitive information linked.

Technical and organisational measures and policies
What are your data protection policies for customer data?

These are detailed in our Audience Finder Privacy Notice.

What testing and audits do your systems undergo?

Our Audience Finder data warehouse is stored on Amazon's AWS servers. Amazon AWS maintain robust compliance with all applicable protocols, industry security standards and regulations. Data controllers might be particularly interested in the information given here about how Amazon's AWS specifically comply with all requirements under GDPR. The Audience Agency's own network infrastructure is stored hosted in UK data centres, on Microsoft's Office 365 servers and Microsoft Azure platform, which again maintains robust compliance with all applicable protocols, industry security standards and regulations as described here.

What technical and organisational measures you have implemented to integrate data protection into your processing activities?

We have conducted a personal information audit to understand and document what personal information is processed by The Audience Agency, where it is stored and who it is accessible to. We have then reviewed what purposes we need to process personal information for and that the legal conditions for such processing are in place. Following which The Audience Agency have rationalised our practices and developed our technical infrastructure to ensure that:

(a) no personal information that is excessive to those purposes is processed;

(b) that technical, procedural and policy measures are in place protect access to, and the security of, all personal information both in transit and at rest (including but not limited to: enhancing network access security measures, the enhanced restriction through two factor authentication to authorised personnel only; the encryption of data in transit; the encryption of data in storage; the encryption of desktop and mobile devices; rationalisation of data warehouse connection methods; ensuring all operating systems and software are running on the latest release versions, with up to date security and update patching applied; additional policy measures to safeguard against the use of any insecure transfer or processing services or software);

(c) technical developments have been implemented to ensure that no personal information is retained for longer than necessary to achieve the stated purposes, or any further processed in a way which is incompatible with the original purposes for processing;

(d) that we have a publicly accessible and transparent Privacy Notice which details how and why we process personal information, and how data subjects can exercise their rights under the regulation to be informed as to how their information is processed and how to exercise their rights to data access, correction, or deletion, and how to object or complain to The Audience Agency or the Information Commissioner's Office;

(e) has reviewed the agreements that we have with data controllers on whose behalf we process data to ensure that proper consideration and articulation of the obligations required under GDPR are included;

(f) that The Audience Agency has a documented policy and means of evidencing and reviewing compliance with all its obligations under the regulations.

Security Protocol
Do we have a dedicated privacy and security team?

Yes - our Director of Data Platforms and Chief Operating Officer lead on our work with our IT services providers who are certified Microsoft Partners, and our suppliers, Baker Richards Consulting and JCA to integrate data protection and security by design in our practices.

What is your security strategy and how is it prioritised?

Our priorities are focussed on securing all personal data and confidential information according to the level of sensitivity and risk. All personal information that we process is subject to rigorous procedural policies and technological security measures to ensure your personal information is fully protected.

What are your security policies?

We have an organisational data management policy which is an internal document and will not be shared externally. However, this addresses measures and policies which govern the scope and purpose of the data that we process, restriction of access to necessary authorised personnel, the training of those personnel in the safe and compliant processing of data, technical and procedural measures in place to secure data, agreements with the data controlling clients on whose behalf we process personal information, and agreements with our partners and suppliers who may act as sub-processors. The Audience Agency are also working towards the Government backed Cyber Essentials Certification scheme with our Microsoft Certified IT providers.

How do you ensure that the people authorised to process the personal data are committed to confidentiality?

We train our own staff, and have organisational policies in place, and we have duty of confidence clauses in our contracts with all our partners and suppliers.

Security Violations and Data Breaches
What is your formal procedure for reporting on data breaches?

The Audience Agency will undertake all means to understand the precise nature of the breach, and will contact the Information Commissioner's Office (ICO) and our technical suppliers within 72 hours of the detection of a breach, to discuss the breach and establish whether it is deemed reportable. The impact on data subjects of a breach of The Audience Agency's data warehouse is likely to be low, because the only personal information that we extract is postal address, which is then deleted after pseudonymisation, linked to the customer unique reference key and transactional ticketing history, which only the data controller can reverse engineer, and these fields are encrypted. Nonetheless, we would take advice from the ICO as to whether data subjects should be notified considering the precise nature of the breach. We would then immediately convey this information and advice to data controllers accordingly. In the unlikely event that the specific nature of the breach and the advice from the ICO was such that it is deemed necessary to inform data subjects, The Audience Agency would liaise with data controllers as to the most appropriate means to achieve this, as they would likely have the most up to date customer contact details for customers, because The Audience Agency do not retain these, and because of the time lapse between data extractions.

What internal processes do you have for taking action in the event of a security violation?

We will undertake all means necessary to understand the precise nature of the security violation, in consultation with our IT services providers, and apply remedial action as necessary.

Have you (or any third party listed above) ever had a security breach and/or have you ever received correspondence, a notice or a complaint from any individual or regulatory authority, concerning the personal data you collect and/or store and/or process?

No.

Further information

If you require further info regarding GDPR compliance or the processing of personal data by The Audience Agency on behalf of our clients, contact dpm@theaudienceagency.org.