Your GDPR Compliant Communication Platform

Background

The GDPR was designed to harmonize data privacy laws across Europe to protect citizens’ personal data and stand on a united front regarding every organization’s approach to safeguarding the processing of personal data. It was approved on April 14, 2016 and will be enforced May 25, 2018.  

Beekeeper’s Journey to GDPR Compliance

Beekeeper is already compliant, offering a secure communication platform that protects employee and client data. Our customers’ right to privacy and ensuring personal data is secure is our top priority, so we built a team to make sure every box was checked, under the lead of our Data Protection Officer (DPO). We started assessing the impact of GDPR on Beekeeper in May 2017, a full year before the deadline.

Here is an overview of our roadmap and accomplishments:

May 2017: DPO leads a comprehensive internal assessment of GDPR readiness
– Download the GDPR Compliance Assessment Tool 

June 2017: Beekeeper Security Architecture review 
– An external third party company performed an internal Security Architecture review 

July 2017: Beekeeper Board of Governance 
– Set GDPR compliance as a company goal and approved all financial requirements to close any gaps

August 2017: GDPR organizational measures completed
– Process refinements: Data minimization, right to be forgotten, incident notification, data access requests, along with other points are all regulatory requirements with an impact on processes relevant to privacy.
– Privacy Impact Assessments (PIA): Included as part of the product and services development life cycle at the design stage. What does this mean? Basically, Beekeeper product and services are assessed and signed off by the DPO, in accordance with the privacy requirements. Privacy by Design controls are used as the building blocks for any new feature, product, or service that Beekeeper offers
– Data Processing Agreement (DPA): Beekeeper provides its customers with the DPA, a contractual obligation towards meeting technical and organizational measures for data processing within the framework of data protection and privacy regulations
– Rules around receiving and revoking “Consent” were adapted
– 24/7 availability of our security on-call process for incident management

September 2017: GDPR technical measures led by an engineering task force
– Started planning for encryption at rest at all data centers globally. This includes encryption of the database, previously only available in Switzerland
– Review a copy of our Product & Services Encryption Overview
– Anonymization utilities expanded to meet stringent GDPR requirements for data minimization
– Search capabilities extended to meet stringent GDPR requirements for data minimization and the right to be forgotten

October 2017: Technical implementations
– Established encryption at rest for all data centers
– Architectural Security Assessment findings corrected 

November 2017: Access Control
– Rolled out intrusion detection systems on the hosts
– Unified Global Access Control 
– BACS: Architected Beekeeper Access Control System for additional layers of authorization
– Evidenced Statement of Applicability for ISO 27001 certification process 

December 2017: Audit and Compliance
– Started internal audit in accordance with ISO 27001 Control Objectives
– Audit of access control roles
– Enhancements added to logging and monitoring capabilities
– Beekeeper is fully prepared for the GDPR! 

Q1 2018: Beekeeper AG Product and Services organization will officially begin the process of ISO 27001 Certification

How Does This Affect Beekeeper Customers?

GDPR is a far-reaching regulation and has no limits to protecting personal data. What does this mean for our customers? Controllers, as the data owners, are held responsible. Shifting responsibility will not shift accountability.

Beekeeper is well aware of this fact and, as a SaaS offering and recognized data processor, has implemented technical and organizational measures to ensure that Beekeeper product and services will reduce its customers’ risk significantly in the digital workplace.

If you have any questions, please contact us at dpo@beekeeper.io.