The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive, strengthening the rights that EU individuals have over their data and seeking to unify data protection laws across Europe.
Our users can count on the fact that ProFundCom is committed to GDPR compliance across ProFundCom’s services when the GDPR takes effect on May 25, 2018. We’ll make important updates to contractual commitments that directly address GDPR requirements. We’re also a committed partner in customers’ GDPR compliance efforts. Users can leverage ProFundCom services with confidence, understanding the robust data protection capabilities built into ProFundCom’s systems.
Where do we stand?
We’ve worked diligently over the last decade to help our customers directly address EU data protection requirements. These efforts have been critical in our ongoing preparations for the GDPR:
Data processing terms: Strong data protection commitments between cloud providers and customers are fundamental to compliance. Our data processing terms for ProFundCom clearly articulate our privacy commitments to customers. We’ve evolved our terms over the years based on feedback from our customers and regulators. Our terms will be updated for the GDPR as well.
Third-party audits and certifications: We offer a number of third-party audits and certifications for ProFundCom. We undergo security audits, and have done so for several years. In 2016, we introduced two new security and privacy certifications, for cloud security and for protection of personally identifiable information in public clouds. These certifications, as well as other third-party audits such as SOC1, SOC2 and SOC3, cover numerous services within ProFundCom.
International data transfers: The GDPR, like the Data Protection Directive it will replace, includes provisions on international data transfer mechanisms. To address current EU data protection laws, ProFundCom are certified under Privacy Shield. We’ve also confirmed that ProFundCom contractual commitments fully meet the requirements to legally frame transfers of data from the EU to the rest of the world, in accordance with the Data Protection Directive.
Data export: The GDPR includes certain requirements for the export of personal data. The data you store in ProFundCom is yours. We’ve included data portability commitments in our data processing terms for several years, and are continually working to enhance the robustness of our data export capabilities.
Incident notifications: GDPR contains requirements around breach notifications. ProFundCom have provided contractual obligations around incident notification for many years. With ProFundCom engineers dedicated to security, ProFundCom has invested and will continue to invest in our security, incident response, threat detection and prevention capabilities.
We’re working to make additional operational changes in light of the new legislation, and will collaborate closely with our customers, partners and regulatory authorities throughout this process. We have a team of regulatory compliance specialists, product managers, engineers, counsel and public policy specialists who continue to carefully monitor GDPR implementation guidance, and will update our contractual commitments accordingly. We’ll make our updated data processing amendment available to our customers soon. We’re also producing additional materials to assist customers with their due diligence efforts as they prepare for GDPR.