Your GDPR Compliant Communication Platform

The GDPR deadline went into effect on May 25, 2018. Start your journey to GDPR readiness by using a secure communications platform that is already compliant.

Background

The GDPR was designed to harmonize data privacy laws across Europe to protect citizens’ personal data and stand on a united front regarding every organization’s approach to safeguarding the processing of personal data. It was approved on April 14, 2016 and will be enforced May 25, 2018.  

Despite it being an EU regulation, this law doesn’t only affect European countries. Any vendors and suppliers that work with countries in the EU must comply with the GDPR as well, making this an imperative global initiative for most companies. Any organization in violation will face fines up to 20 million euros or 4% of annual global turnover (whichever is greater).

Beekeeper's Journey to GDPR Compliance

Beekeeper is already compliant, offering a secure communication platform that protects employee and client data. Protecting our customers' right to privacy and keeping personal data secure is our top priority, so we built a team, led by our Data Protection Officer (DPO), to make sure every box was checked. We started assessing the impact of the GDPR on Beekeeper in May 2017, a full year before the deadline.

Here is an overview of our roadmap and accomplishments:

  • April 2017: Beekeeper appoints Dr. Amir Ameri as the DPO
  • May 2017: DPO leads a comprehensive internal assessment of GDPR readiness
  • June 2017: Beekeeper Security Architecture review
    - An external third-party company performed an internal Security Architecture review
  • July 2017: Beekeeper Board of Governance
    - Set GDPR compliance as a company goal and approved all financial requirements to close any gaps
  • August 2017: GDPR organizational measures completed
    - Process refinements: data minimization, the right to be forgotten, incident notification, data access requests and other regulatory requirements all affect the processes relevant to privacy
    - Privacy Impact Assessments (PIA): included in the product and services development life cycle at the design stage. In practice, Beekeeper products and services are assessed and signed off by the DPO against the privacy requirements, and Privacy by Design controls are the building blocks for any new feature, product, or service that Beekeeper offers
    - Data Processing Agreement (DPA): Beekeeper provides its customers with a DPA, a contractual obligation to meet the technical and organizational measures for data processing required by data protection and privacy regulations
    - Rules around receiving and revoking "consent" were adapted
    - 24/7 availability of our security on-call process for incident management
  • September 2017: GDPR technical measures led by an engineering task force
    - Started planning encryption at rest at all data centers globally, including encryption of the database, which was previously only available in Switzerland
    - Review a copy of our Product & Services Encryption Overview
    - Anonymization utilities expanded to meet the stringent GDPR requirements for data minimization
    - Search capabilities extended to meet the stringent GDPR requirements for data minimization and the right to be forgotten
  • October 2017: Technical implementations
    - Established encryption at rest for all data centers
    - Architectural Security Assessment findings corrected
  • November 2017: Access control
    - Rolled out intrusion detection systems on the hosts
    - Unified global access control
    - BACS: architected the Beekeeper Access Control System for additional layers of authorization
    - Evidenced Statement of Applicability for the ISO 27001 certification process
  • December 2017: Audit and compliance
    - Started an internal audit in accordance with the ISO 27001 control objectives
    - Audit of access control roles
    - Enhancements added to logging and monitoring capabilities
    - Beekeeper is fully prepared for the GDPR!
  • Q1 2018: Beekeeper AG Product and Services organization will officially begin the process of ISO 27001 certification

How Does This Affect Beekeeper Customers?

The GDPR is a far-reaching regulation, and its protection of personal data is not limited to any one sector or region. What does this mean for our customers? Controllers, as the data owners, are held responsible: delegating processing to a processor shifts responsibility for that processing, but it does not shift accountability.

Beekeeper is well aware of this fact and, as a SaaS offering and recognized data processor, has implemented technical and organizational measures to ensure that Beekeeper product and services will reduce its customers’ risk significantly in the digital workplace.

9 Facts You Need to Know About the GDPR

1. The GDPR applies to all companies processing the personal data of European Union (EU) citizens, regardless of where the company is located.

2. Fines of up to 20 million euros or 4% of annual global turnover (whichever is greater) may be levied for non-compliance with the regulation, including repeated non-compliance.

3. EU citizens will have a right to approach the data protection authority of their choice when stating their complaint.

4. Personal Data is defined with a wider scope, including social, mental, genetic, cultural, and economic data.

5. The Right to be Forgotten will have an impact on company processes dealing with data collection, such as the purpose for obtaining the data. It will require advanced tools in dealing with search requirements.

6. Privacy Impact Assessments will become mandatory and influence use of Privacy by Design principles to enhance both commercial and in-house developed tools, processes, and products dealing with Personal Data.

7. The concept of consent is reworked and made more stringent in how it is obtained and used.

8. The Data Protection Officer (appointed internally or externally) becomes a mandatory role for any organization; otherwise fines of up to 10 million euros or 2% of global turnover may be levied.

9. Incident Management and Notification for a data breach is standardized by the GDPR. A maximum of 72 hours is permissible before reporting becomes obligatory.

If you have any questions, please contact us at dpo@beekeeper.io.

WHY GDPR WILL BE CRITICAL IN 2018

Executives now face a sprint of thorough internal evaluations to revamp policies around collection, storage, or usage of EU resident personal data. The financial implications of breaching GDPR are astronomical. We recommend mapping all data assets and appointing dedicated Data Protection personnel on a full-time or contract basis to properly oversee the adoption of high-caliber data protection processes and technologies.

Dr. Amir Ameri, Global Head of Risk & Compliance & Data Protection Officer, Beekeeper