The European Union’s General Data Protection Regulation (GDPR) is on the radar of most companies, and that, of course, includes OneLogin. One of our goals is to be an early adopter of frameworks and regulations that will further strengthen our overall Security & Privacy Program and, by extension, our customers’. This has always included privacy, going back to our reporting on Generally Accepted Privacy Principles (GAPP) as part of our first SOC 2 report years ago, offering Data Processing Agreements immediately after Safe Harbor was invalidated, submitting to the Privacy Shield program shortly after it was made available, and being an early adopter of ISO 27018.
GDPR is a whole different animal. One of the best analogies I heard recently is that GDPR is akin to Sarbanes-Oxley in the naughts. In case you missed those glorious days, companies were scrambling to decipher what needed to be done, and it took many years for the dust to settle and for entities to properly calibrate their efforts. Even to this day, you will still run into situations where subjectivity comes into play and some additional calibration is needed. Therefore, when you hear entities claim that they are “GDPR ready”, take that with a grain of salt, because GDPR is still a moving target and very prescriptive guidance is still being released by the Article 29 Working Party.
Having said that, these are some of the major areas that OneLogin is working on; some of them will be completed closer to May 2018.
Policies and Processes
Our long-standing commitment to aligning with well-respected privacy frameworks has made this effort minimal. However, one area where we spent a fair amount of time was taking a “blank page” approach to redrawing our data flows and building out very detailed data mapping diagrams (Article 30). This was a very useful exercise that any entity will find enlightening: if your existing diagrams are too high level, you are bound to discover items that had been overlooked.
Privacy requirements specific to contract language are already part of several security and privacy frameworks, so it’s not surprising that they are part of GDPR as well. Some of the contract verbiage that needed to be crystal clear included:
- data breach notification language (Article 34)
- use of subcontractors (Article 28)
- responsibility of data processors relative to data controllers (Article 28)
These changes have been incorporated into our standard MSA and Data Processing Agreement, and of course, we are always open to working with customers to get the right language in place that works for both parties.
Early on we had a sound plan for addressing the Data Protection Officer (DPO) requirement, but this is an example of Article 29 Working Party guidance (issued in late 2016) forcing best-laid GDPR plans to change. To meet GDPR requirements, we are leveraging an independent external legal counsel based in the EU to serve as our DPO (Articles 37-39).
Of course, a new regulation often prompts the birth of new certifications and attestations, and existing providers have also adapted their programs to cover GDPR. We will undergo an independent review closer to May 2018 to make sure we have all our ducks in a row, and over time a more official GDPR certification is bound to crystallize (Article 42).