What is GDPR?
The General Data Protection Regulation (GDPR) is a new set of privacy protections for EU citizens that goes into effect on May 25, 2018. While EU privacy protections have existed since 1995, GDPR is a drastic shift with wide-ranging implications. The details can be overwhelming, but here are the critical changes that will apply to your business:
Privacy protections apply to all companies, not just those headquartered in the EU.
The definition of "personally identifiable information" (PII) is expanded to include email address, IP address, device IDs, and more.
Every use of PII requires a clear, informed opt-in from the user -- you cannot simply refer to some industry jargon in your terms of service. Users also have the right to opt out ("the right to be forgotten"), not only from your system but from all of your vendors' systems. Withdrawal of consent has to be as easy as granting consent.
You are responsible for any vendors that process personal data from your customers, prospects, partners, etc. That means if your vendor has a data breach, you will be held liable.
Failure to comply carries the risk of massive fines: the greater of €20 million or up to 4% of your global revenue.
You can read more at the official EU GDPR website.
How does this impact me?
As the above points show, GDPR will apply to you whether or not you do business in the EU. Even if your customers are all US citizens, GDPR applies to them any time they are within the boundaries of the EU. You should also expect that your customers, prospects and partners will demand to know if you are GDPR compliant as part of their own compliance efforts.
What this means is that you need to assess how your business is handling private information, and, just as importantly, how your vendors are handling personal information. Remember, under GDPR you are responsible for any data breaches in a vendor that processes your data.
The new rules also impact how you should assess any data vendors to understand how they comply. Again, GDPR requires that users understand and opt into usage of their personal data, and furthermore requires evidence that such consent was given. If you are procuring personal data on EU subjects that does not meet those requirements, then you can be held liable for violating the GDPR.
How DataFox is Complying with GDPR
At DataFox we take security and privacy seriously, and welcome GDPR protections. Our compliance is built on two pillars:
First, we collect data on companies rather than individuals, and so do not store or process personal information. This means we do not store PII as part of our integrations, and do not pose a compliance risk of transferring PII into your system that violates GDPR protections.
Second, we have built security and privacy into the core of our platform. Our engineers and leadership come from enterprise software companies, and our customers work in highly-regulated industries like finance and government. We follow industry security best practices to protect your data, including military-grade encryption in-flight and at-rest. We have built a core permissioning system to control who can access your data, whether they are fellow users or internal employees. We've also undergone an independent SOC2 audit to publicly validate these controls, and are now SOC2 Type I certified. For more details, please see our security page.
Data Processing Agreements
GDPR requires that all processors and sub-processors of personal data also be compliant with privacy protections, so we are putting in place data processing agreements with our vendors.
We have also created a GDPR-compliant data processing agreement for our customers, so please contact your customer success manager or email email@example.com to request a version to sign.