EclecticIQ Blog

GDPR Due Diligence Recap

June 11, 2018

GDPR is finally in force! Has your inbox already returned to normal after the flurry of emails informing you about data policy changes? And surely by now you have read endless amounts of articles and blog posts that have told you how to be GDPR ‘compliant’?

We feel confident that there is not much that we can tell you that you haven’t read already. However, now that the dust has settled, we thought it would be a good exercise to look back at the pre-GDPR days. By giving you a quick walk-through of some of our due diligence activities, you have the opportunity to compare your experience to ours.

The previous regulations were drafted before the Internet played such a vital role in our day-to-day lives. Based on this fact alone, we found that it was a refreshing opportunity to challenge our company’s data privacy status quo across all teams and departments.

Obviously, as a security vendor, data security is dear to our heart. In a way, we considered GDPR preparations as a sort of spring clean that should be conducted by all organizations on a regular basis. Maybe you also found some silver linings along the way to GDPR compliance.

What we have done as a company

Like most companies we looked at all areas of our organization — inward and outward-facing — including our product and service offering, all with the following in mind:

GDPR affects any EU company that stores and processes personal data as well as any company outside the EU that processes personal data about EU citizens within EU states. They must comply with GDPR, even if they don’t have an EU presence themselves. GDPR demands that organizations provide a “reasonable” level of protection for personal data; although they don’t elaborate on what forms “reasonable”. Companies that fail to comply with GDPR are at a risk of incurring heavy penalties.

Corporate/Marketing

Although we are not legally obliged to do so, the first step we took as a company was to appoint a data protection officer with expert knowledge of GDPR to take the lead with regard to the implementation of the regulation and to inform and advise us about our protection obligations.

Additionally, we did the following:

  • Reviewed and updated our privacy policy and cookie policy.
  • Identified all sources of personal identifiable information (PII) storage and set up records of data processing activities.
  • For US-based cloud services providers, we checked for an active US-EU Privacy Shield agreement.
  • Included GDPR wording in our commercial contracts.
  • Entered into data processing agreements with most of our partners that have access to PII.
  • Implemented an ‘opt-in’ cookie consent banner on our website. Prior to receiving consent from the visitor, we do not load any trackers.
  • Obeyed the visitor’s browser DoNotTrack (DNT) setting. When switched on, we do not load any trackers, even when giving consent through the banner.
  • Expanded all forms on our website with a checkbox to explicitly accepting our privacy policy when submitting data.

Products and Services

GDPR takes a wide view of what constitutes PII. It is any information that directly or indirectly identifies a natural person. For instance, an IP address as well as traditional personal data such as name or social security number, constitutes PII.

Another important element of GDPR is that it gives EU citizens the ‘right to be forgotten’. Essentially, this means a company must erase their personal data when requested. In a security context, this means that the internal team must have the processes and capability in place to manage these data records and requests.

As a provider of security products and services, we are fully committed to ensuring that our customers and partners are able to comply with GDPR.

What’s next?

As mentioned before, this is not the end of the GDPR journey (check out our blog post on GDPR and State of the Art Technology). Constant reflection, regular data inventory and checks of security hardware and software have to be part of your organization’s routine. As this is a new era for all organizations affected by GDPR, it is good to exchange notes and learn from each other. Before you know it, this all will be part of your company’s DNA.

We hope you enjoyed this post. Follow our blog for more interesting reads on Cyber Threat Intelligence or check out our resource section for whitepapers, threat analysis reports and more.