Apr 1, 2019
As many people are aware, the General Data Protection Regulation (GDPR) goes into effect on May 25th, 2018, and brings with it a comprehensive series of user data privacy rules that apply across all 28 EU member states. These rules standardize how companies handle EU citizens’ personal data, create a baseline for the protection of such personal data, and give citizens the ability to take control of their own personal data. Failure to comply with GDPR can be costly, both in monetary fines (millions of euros for a single breach) and in loss of goodwill with customers.
Capriza has always taken the handling of customer data very seriously, and all our customers and end users – whether based in the EU or elsewhere – can be assured that, as we continue to serve them, we remain firmly committed to the principles of GDPR.
Over the past year, we’ve been working toward compliance, and although there’s no official certification for it (yet), we’re doing our part ahead of the regulation going into effect. Preparation for GDPR touched many parts of our organization, including operations, legal, engineering, security, support and customer success.
As with any new regulatory mandate, a large part of the initial investment focuses on becoming informed and educated. GDPR is no different – it brings its own unique terminology, requirements, and processes.
Fortunately for us, our pre-existing ISO 27001 certification means we are already compliant with many of the Information Security (IS) controls required by GDPR, which saved us valuable time and resources.
Similarly, the way in which we view our role with respect to customer data required minimal updates – primarily updating the terminology from our prior Safe Harbor / Privacy Shield / EU Directive 95/46/EC language to the new GDPR terms. With regard to the scope of responsibility for personal data, in GDPR-speak there is the Controller (the one who decides why and how the data is processed) and the Processor (the one who processes that data on the Controller’s behalf). So with our marketing communication efforts, Capriza is primarily the Controller, and we bear the responsibility to communicate with end users. However, when it comes to our products, it’s our customers who act as the primary Controller and who bear the responsibility to communicate with their end users, so in that case Capriza is the Processor.
At the end of the day, we believe GDPR is good for everyone: end users can rest assured that their personal data is safe and protected, and vendors will improve their cyber-safety and their reputation as responsible business entities.