Comply group has been operated successfully across Australia since 23 May 2020 when the state of Victoria re-opened businesses with new contact tracing requirements. We've now adapted our technology for, and launched in the United Kingdom and created a global version (works in any country around the world)
Part of the expansion process into the UK and EU was GDPR compliance. Although Brexit has occurred, the UK is still adopting GDPR regulations until 31 December 2020. Here are some of the changes made to the platform for GDPR compliance.
The only tracking service we use is Google Analytics. According to GDPR guidelines, this service requires consent from the users before loading. Here's what we've done:
On all check-in pages (the pages shown to users), we have removed the Google Analytics script entirely. We didn't want to introduce a cookie consent screen into the process which would have added more steps to the customer flow going against the core purpose of the platform.
We have a feature allowing a customer to save their details in a cookie on their device for future check-ins. We have now introduced an intermediary page that explains how the save feature works, where the customer's data is stored, and a GDPR consent statement before proceeding.
There are still some cookies (session/CSRF and Cloudflare) loaded for customers on check-in pages. These cookies are "Technical Cookies" used for security (no tracking) purposes. Technical cookies of this nature are exempt from requiring consent from the end-user accordingly to GDPR regulations.
Logic-based consent (GDPR & CCPA)
For users that match Iubenda's guidelines for applying GDPR/CCPA, tracking scripts like Google Analytics are automatically disabled until the respective consent statement(s) has been accepted.
For users that do match Iubenda's guidelines for applying GDPR/CCPA, tracking scripts like Google are automatically enabled. That said, they have been configured to only receive anonymous traffic data.
IP address masking
All application and database logs use IP address masking. This means anywhere an IP address is accessed, before it's used in our platform the last part of the IP address is destroyed meaning the exact location of someone's internet area cannot be tracked. The rest of the IP address remains intact allowing us to roughly identify the City, State, and Country where someone is which is used for security purposes.