The European Union's General Data Protection Regulation (GDPR)—a significant milestone in European data protection legislation—will go into effect on May 25, 2018. The GDPR reinforces the fundamental privacy rights of EU residents and seeks to unify data protection rights across the EU, regardless of where the data is processed. The GDPR is relevant to any globally operating company and not just EU-based businesses and EU residents. At Site24x7, we care deeply about the privacy and security of all customer and performance data sent to Site24x7 for processing, so we plan to implement GDPR controls as our baseline standard for all our operations, worldwide. This page will go into detail about the various provisions and security measures that Site24x7 has implemented to help with GDPR compliance.
The GDPR, in brief.
The GDPR is a body of legislation governing privacy for individuals and for organizations operating in, or doing business with, residents of the EU. Once the GDPR is in place, individuals and businesses are liable for the safety of their customers' information and are subject to penalties for any breaches they mishandle. The GDPR re-emphasizes the existing data protection principles in the EU and adds new guidelines designed to expand the legal and privacy rights protections of EU residents. These requirements, which aim to give individuals more visibility into how their personal data is handled, not only require organizations to enhance their security strategies to ensure data security at all levels, but also outline post-breach strategies to minimize the impact of an attack.
There are four key stakeholders under the GDPR. They consist of:
- Data subjects: Any natural person residing in the EU whose personal data is being processed.
- Data controllers: Determine the purpose and means of processing personal data.
- Data processors: Process personal data on the instructions of a controller.
- Supervisory authorities: Public authorities who monitor the application of the regulation.
Customer-centric data such as user emails, IP addresses, domain names, usernames and passwords of URLs being monitored, third-party service keys, and webhook URLs are encrypted by default.
Data portability is one of the most important rights offered to a data subject. At Site24x7, we allow secure porting of customer data, including when transferring monitoring data from our US data centers to our EU data centers, and vice versa. After logging into the account, a user with sufficient privileges can securely export a list of account users along with other monitoring data to a CSV file.
Site24x7 processes personal data on behalf of a data controller, which means it falls into the category of data processor. For example, Site24x7 processes personal data for its customers in the course of providing uptime and performance monitoring of IT resources. Data processors are mandated to protect the personal data of customers that they store. Site24x7 takes care of the following aspects concerning customer data:
- Email and phone number confirmation: A Site24x7 user starts receiving email, SMS, or voice-based alerts and reports only after successfully verifying their email address or phone number.
- Opt out from email and phone alerts: Users can report abuse or opt out of emails concerning monitor status alerts, monitor configurations, and performance reports by accessing the unsubscribe link at the footer of these emails. Additionally, users can click the opt-out link provided in the verification SMS to unsubscribe from all SMS and voice-based alerts.
Site24x7 is committed to GDPR readiness.
Site24x7 is well aware of the GDPR and its implications both for us and our customers. Here are some key highlights of Site24x7 that are specific to the GDPR:
Right to access.
Any time personal data is accessed (including read and write operations), it's thoroughly audited on our end.
Right to rectify.
Customers with requisite user permissions can manually log in to Site24x7's web client using their valid credentials and correct their inaccurate or incomplete personal data. Additionally, they can update any personal data using our documented RESTful APIs.
Right to erasure.
Once a user initiates termination of their Site24x7 account, Site24x7 retains all of this user's data for 30 days before erasing it completely.
Right to data portability.
Users can request that Site24x7 securely migrate their data from our data centers in the US to the ones in the EU, and vice versa, without affecting the usability of that data. Users can also securely log in to their account and export the sub-users list, the monitor metadata, and the reporting data in CSV format. The sub-users list includes information on data subjects, and the monitors list includes information on monitored networks and resources.
The GDPR covers all citizens and residents within the European Union, and every organization within the EU is mandated to comply with GDPR guidelines. This regulation also clarifies how the EU's personal data laws apply even beyond the borders of the EU. Any organization that works with EU citizens' personal data in any manner, irrespective of location, has obligations to protect that data. Organizations that are found to be non-compliant, or have breached the regulation, may face a fine of up to €20 million or 4 percent of their global annual turnover of the preceding financial year.