Your GDPR Compliant Communication Platform
The GDPR went into effect on May 25, 2018. Start your journey to GDPR readiness by using a secure communications platform that is already compliant.
The GDPR was designed to harmonize data privacy laws across Europe, to protect citizens’ personal data, and to unify how every organization approaches safeguarding the processing of personal data. It was approved on April 14, 2016 and will be enforced from May 25, 2018.
Beekeeper’s Journey to GDPR Compliance
Beekeeper is already compliant, offering a secure communication platform that protects employee and client data. Our customers’ right to privacy and the security of their personal data are our top priority, so we built a team, led by our Data Protection Officer (DPO), to make sure every box was checked. We started assessing the impact of GDPR on Beekeeper in May 2017, a full year before the deadline.
Here is an overview of our roadmap and accomplishments:
May 2017: DPO leads a comprehensive internal assessment of GDPR readiness
– Download the GDPR Compliance Assessment Tool
June 2017: Beekeeper Security Architecture review
– An external third party company performed an internal Security Architecture review
July 2017: Beekeeper Board of Governance
– Set GDPR compliance as a company goal and approved all financial requirements to close any gaps
August 2017: GDPR organizational measures completed
– Process refinements: Data minimization, the right to be forgotten, incident notification, and data access requests, among other points, are all regulatory requirements that affect privacy-relevant processes.
– Privacy Impact Assessments (PIA): Included as part of the product and services development life cycle at the design stage. What does this mean? Basically, Beekeeper products and services are assessed and signed off by the DPO in accordance with the privacy requirements. Privacy by Design controls are used as the building blocks for any new feature, product, or service that Beekeeper offers.
– Data Processing Agreement (DPA): Beekeeper provides its customers with the DPA, a contractual commitment to the technical and organizational measures for data processing required within the framework of data protection and privacy regulations.
– Rules around receiving and revoking “Consent” were adapted
– 24/7 availability of our security on-call process for incident management
September 2017: GDPR technical measures led by an engineering task force
– Started planning for encryption at rest at all data centers globally. This includes encryption of the database, which was previously only available in Switzerland.
– Review a copy of our Product & Services Encryption Overview
– Anonymization utilities expanded to meet stringent GDPR requirements for data minimization
– Search capabilities extended to meet stringent GDPR requirements for data minimization and the right to be forgotten
October 2017: Technical implementations
– Established encryption at rest for all data centers
– Architectural Security Assessment findings corrected
November 2017: Access Control
– Rolled out intrusion detection systems on the hosts
– Unified Global Access Control
– BACS: Architected Beekeeper Access Control System for additional layers of authorization
– Evidenced Statement of Applicability for ISO 27001 certification process
December 2017: Audit and Compliance
– Started internal audit in accordance with ISO 27001 Control Objectives
– Audit of access control roles
– Enhancements added to logging and monitoring capabilities
– Beekeeper is fully prepared for the GDPR!
Q1 2018: Beekeeper AG Product and Services organization will officially begin the process of ISO 27001 Certification
How Does This Affect Beekeeper Customers?
GDPR is a far-reaching regulation whose protection of personal data has no limits. What does this mean for our customers? Controllers, as the data owners, are held responsible. Shifting responsibility to a processor does not shift accountability.
Beekeeper is well aware of this fact and, as a SaaS offering and recognized data processor, has implemented technical and organizational measures to ensure that Beekeeper products and services significantly reduce its customers’ risk in the digital workplace.
Executives now face a sprint of thorough internal evaluations to revamp policies around collection, storage, or usage of EU resident personal data. The financial implications of breaching GDPR are astronomical. We recommend mapping all data assets and appointing dedicated Data Protection personnel on a full-time or contract basis to properly oversee the adoption of high-caliber data protection processes and technologies.