Streamlining Data Subject Requests for GDPR Compliance | AppsFlyer


Product Update Highlights
You can now test your integration with AppsFlyer’s GDPR Request API via the stub (test) API.

Karen Cohen May 02, 2018

The European Union’s General Data Protection Regulation is taking effect in just a few weeks. Over the last year, we’ve been working hard: collecting input from clients around the world, implementing rigorous technical measures and working with leading third-party consultants to provide diligent GDPR compliance across our solutions and teams.

As a trusted business built on data, data privacy and security have always been at our core. Now, the GDPR has raised the bar even higher.  

As part of our commitment to data protection, we recently rolled out a set of new privacy and security features, launched new, robust and secure iOS and Android SDKs, provided SDK opt-in/opt-out and encryption options, and even introduced OpenGDPR, all with the aim of helping our customers build a connected and compliant digital marketing stack.

Today, we are excited to launch our GDPR Request API. This new API will provide account admins with a powerful and efficient tool to fulfill data subjects’ GDPR requests with minimal development effort. The GDPR Request API will help you programmatically address the following user requests:

  • Right to Access: Provides a copy of the processed personal data to the data subject.

  • Right to Erasure (aka the right to be forgotten): Permanently deletes all personal data associated with the data subject.

  • Right to Rectification: Deletes outdated/incorrect personal data and updates data where applicable.

  • Right to Portability: Provides a copy of processed personal data in a structured, machine-readable CSV format.


Streamlining GDPR Data Subjects’ Requests Processes

Under Article 12.3 of the GDPR, data controllers must respond without undue delay, and have up to 30 days to respond to data subject requests. Accordingly, the AppsFlyer GDPR Request API works as follows:

  1. When a data subject request is submitted through the AppsFlyer GDPR Request API, our system first queues the request for 48 hours (in pending mode). By queuing the request, we provide data controllers with the ability to cancel or modify requests (within the 48-hour time frame). Remember, once a request such as data erasure is processed and fulfilled, it is irreversible and can impact your raw data reporting and attribution data.
  2. After 48 hours, AppsFlyer will start processing the request. At this stage, requests can no longer be cancelled. The API can be queried on demand to check the status of any request by specifying the “subject request ID”.

    When queried, the API will return one of the following responses:

    1. Pending: A correct request has been received and is currently in queue (first 48 hours)
    2. In_progress: The request is currently being acted on
    3. Completed: The request has been fulfilled
    4. Cancelled: The request has been cancelled

  3. When requests are fulfilled, the API will return a confirmation postback. All request logs are available for account admins in the AppsFlyer dashboard under GDPR Request Logs. This includes CSV files with the user’s personal data which can be downloaded where applicable.
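
The lifecycle above can be mirrored on the data controller's side to decide whether a request can still be cancelled and to catch status postbacks that arrive out of order. The following is an added example, not AppsFlyer code: the class, its method names and the transition table are assumptions inferred from the steps above, and only the 48-hour and 30-day figures and the four status names come from this post.

```python
from datetime import datetime, timedelta, timezone

CANCEL_WINDOW = timedelta(hours=48)  # queue period stated in the post
RESPONSE_LIMIT = timedelta(days=30)  # response window stated in the post

# Allowed status changes, inferred from the lifecycle described above (assumption).
ALLOWED = {
    "pending": {"in_progress", "cancelled"},
    "in_progress": {"completed"},
    "completed": set(),
    "cancelled": set(),
}


class SubjectRequest:
    """Controller-side record of one data subject request (hypothetical helper)."""

    def __init__(self, request_id, submitted_at):
        self.request_id = request_id
        self.submitted_at = submitted_at
        self.status = "pending"
        self.anomalies = []  # (received_at, current_status, reported_status)

    def can_cancel(self, now):
        # Cancelling is only possible while the request is still queued.
        return self.status == "pending" and now - self.submitted_at < CANCEL_WINDOW

    def overdue(self, now):
        # Open request that has passed the response window.
        open_states = ("pending", "in_progress")
        return self.status in open_states and now - self.submitted_at > RESPONSE_LIMIT

    def apply_postback(self, status, received_at):
        """Apply a status postback; unexpected ones are logged, not applied."""
        status = status.strip().lower()
        if status == self.status:
            return True  # duplicate delivery, nothing changes
        if status not in ALLOWED[self.status]:
            self.anomalies.append((received_at, self.status, status))
            return False
        self.status = status
        return True


if __name__ == "__main__":
    t0 = datetime(2018, 5, 2, tzinfo=timezone.utc)  # constructed sample data
    req = SubjectRequest("constructed-id-1", t0)
    print(req.can_cancel(t0 + timedelta(hours=47)))
    print(req.apply_postback("completed", t0 + timedelta(hours=1)), req.anomalies)
```

Entries in `anomalies` are worth reviewing before an erasure is recorded as fulfilled, since an erasure cannot be undone once processed.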

GDPR Request API: Start Integrating and Testing Today!

As the GDPR deadline looms, now’s the time to get your company ready. When the GDPR begins to be enforced, you could be faced with thousands, or even millions, of these user requests.

To help you prepare, we have built and implemented a stub (test) API so you can begin integrating our API and testing it out right away.

The stub API has the same capabilities as our GDPR Request API and will improve your ability to QA your API setup with faster, more reliable tests. However, unlike the live API, the stub API sends automated postbacks in real time: ‘pending’, ‘in_progress’ and ‘completed’ postbacks will be sent at 30-second intervals.

The GDPR requires that both AppsFlyer, as a data processor, and you, as a data controller, fulfill the requirements of the GDPR. As such, we strongly recommend that all marketers and developers start integrating and testing the AppsFlyer GDPR Request API today.

To learn more about AppsFlyer GDPR Request API, click here or contact your AppsFlyer success manager.