The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy. Unlike its predecessor, the GDPR will be directly effective in European Member States without the need for implementing legislation. For more information, follow this very informative GDPR course by internet security specialist Troy Hunt.
The GDPR is not only relevant for Europe but also applies outside of the EU whenever: (1) an EU data subject’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored”.
GDPR measures at Bright Answer
As part of our measures we have implemented the following:
Data Protection Officer: Appointment of a Data Protection Officer (DPO) role.
Data Breach Policy: We introduced a dedicated data breach policy and have reviewed all our suppliers to ensure that their breach notifications are at an acceptable standard.
Consent: We’ve made sure that all our partners, customers and users agree to providing their data on an opt-in basis (privacy by default).
Involved partners: We can confirm that our important partners, especially our hosting providers, are GDPR compliant.
Data Protection by design: We’ve implemented policies and features in our software solutions to ensure privacy is a first class citizen by design.
Encryption: We are in the process of implementing encryption for personally identifiable information (PII). This is not a mandatory measure, but we aim to earn the trust of our customers by implementing data encryption on a subset of data.
The most penalizing parts of the GDPR are the ones that concern data breaches, so possibly the most important thing of all is what we have been doing all along: creating a secure service. There are many checkboxes that need to be checked. But if you want to keep in mind just a single one, this would be it: Don’t get hacked.
That is why we have chosen to work with Platform.sh as our hosting provider. Platform.sh has many security layers that make attacks much harder than on comparable services, starting from read-only hosts and containers, through to an auditable and reproducible build chain, the static-analysis based protective block, a dynamic WAF, HTTPS by default, and an iron-clad “no insecure protocols” policy. Running our customers' projects on Platform.sh means all systems are much less likely to get hacked, and therefore Bright Answer as well as our customers are much less likely to be liable under these very stringent new policies.
Data Portability Solutions and Data Management Tools
Customers have requested tools to help them comply with the GDPR. And we’re happy to say that we’ve built those tools.
Compliance-related tools include the following:
Data export tools: Individual users may access and export all the different types of data collected about them.
Profile deactivation tool: Users may deactivate their accounts at any time.
Profile removal tool: Users can apply for complete erasure of themselves from our systems.