In May 2018, a European privacy law, the General Data Protection Regulation (GDPR), is due to take effect. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents.
Preparing for the GDPR
The EU GDPR introduces significant updated requirements. Clarizen’s security teams have systematically reviewed all requirements under the GDPR and adjusted internal systems and processes, as necessary, to continue to meet global and European compliance requirements.
Clarizen’s legal team has been working consistently to ensure that Clarizen’s EU data protection requirements and commitments are in place before the May 25, 2018 deadline.
Our commitment to protecting customer data
Clarizen sees the GDPR as the most recent step forward in streamlining data protection requirements across the EU and an opportunity to deepen our commitment to customer data security.
Starting in 2017, Clarizen analyzed the requirements of the GDPR; we have been working to make all the necessary enhancements to our products, contracts, and documentation to support compliance with GDPR. These efforts document our commitment to comply with all applicable requirements of the GDPR in the delivery of our SaaS products to our customers.
Our Security Infrastructure and Certifications
We understand that your projects and data are core to your company’s future and competitive advantage. That’s why we devote significant resources to keeping your information secure, private, and only accessible to you and your designated agents.
Please see our security page for more detailed information on how we approach security, and review our Security whitepaper, which details how we ensure user data security, in particular as it applies to the third-party certifications we already hold, such as:
- CSA – Cloud Security Alliance
- ISO 27001:2013
- UK G-Cloud
Data portability and the right to be forgotten
Clarizen has worked to develop tools to allow each customer to respond in a timely manner to all data deletion requests.
Under GDPR, an EU citizen has the right to demand that an organization erase their personal data if:
- the data is no longer relevant to the reason it was collected;
- the customer organization withdraws their consent for the data to be used (and the organization has no other legal basis for collecting it);
- the data’s erasure is necessary to comply with a legal obligation.
Clarizen has developed tools and processes to comply with these GDPR requirements and encourages all individuals to contact their account managers to address data deletion requests.
Who does the data protection law apply to?
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU offering goods/services (paid or for free) or monitoring the behavior of individuals in the EU.
How does GDPR apply to Clarizen?
The application of the data protection regulation depends not on the size of the company but on the nature of processing activities and the potential for storage of personally identifiable information (PII).
The GDPR expands the privacy rights of EU individuals and places new obligations on all organizations that market, track, or handle EU personal data. As stewards of our customers’ confidential data, Clarizen will continue its commitment to implementing and maintaining the highest standards for data security under the GDPR and industry best practices.
Activities that present high risks for the individuals’ rights and freedoms, whether they are carried out by Clarizen or by a large corporation, trigger the application of more stringent rules.
Clarizen’s security teams have systematically reviewed all requirements under the GDPR and adjusted internal systems and processes, as necessary, to meet those requirements.
However, because Clarizen acts as a steward and does not process any of our customers’ data, some of the obligations of the GDPR may not apply to Clarizen and our SaaS products.
For instance, companies with fewer than 250 employees, like Clarizen, are not required to keep transaction-level records of processing activities unless the processing of personal data:
- is a regular activity,
- poses a threat to individuals’ rights and freedoms, or
- concerns sensitive data or criminal records.
Similarly, companies with fewer than 250 employees will only have to appoint a Data Protection Officer if processing is their main business and it poses specific threats to individuals’ rights and freedoms (such as monitoring of individuals or processing of sensitive data or criminal records), in particular because it is done on an ongoing, enterprise-wide, large scale.
Clarizen has historically maintained industry best practice security, infrastructure, and application logs for all of its offerings and will continue to do so under the GDPR.
Clarizen’s DPO responsibilities are shared between the CISO, the General Counsel, and its compliance team.
Key changes under GDPR
Individuals have the right to:
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
Controls and notifications
Organizations will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches
- Obtain appropriate consents for processing data
- Keep records detailing data processing
Organizations are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
IT and training
Organizations will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Employ a Data Protection Officer (if required)
- Create and manage compliant vendor contracts