General Data Protection Regulation (GDPR) is a piece of regulation intended to improve data protections within the European Union (EU). The creators of the regulation want to give citizens greater control over their personal data and make it easier to regulate data handling by making regulations consistent across the Union’s 28 member states.
The current directive in the EU defines personal data as “any information relating to an identified or identifiable natural person.” However, this regulation has left open a few issues that the GDPR hopes to resolve. But because the GDPR deals with the protection of personal data, the regulation attempts to clear up some ambiguities regarding what data types fit within the scope.
In clarifying the definition of personal data, this new regulation’s authors have included a wide net to include such data types as online identifiers, location data, IP addresses, pseudonymous data, biometric data, and genetic data.
ChaosSearch has been reviewing its responsibilities and has an internal cross-function team working with appropriate external expertise to ensure compliance now, and will continue this initiative into the future. For more information, here’s a link to the official GDPR portal.
There are a number of important measures implemented to enhance protection of personal data.
Failure to comply with GDPR regulations can result in warnings, audits, and even fines of up to 20 million euros.
Although the General Data Protection Regulation measures are to be enforced within the EU, the scope extends not only to EU-based organizations but also to international companies that process data within the union, including US-based companies doing business in the EU. This means many companies in the United States doing business with certain European countries must also maintain compliance.
While the GDPR has significant overlap with the previously adopted NIS Directive, the latter involved a more limited scope, which made it less of a concern for companies outside of the EU. The NIS Directive, for instance, dealt only with providers of essential services or digital service providers, while the GDPR involves any organization processing personal data. And the NIS Directive limited breach notification requirements to events posing significant risks to data protections, while the GDPR extends its scope to all breach events.
Where are we now?
ChaosSearch has been reviewing its responsibilities and has an internal cross-function team working with appropriate external expertise to ensure compliance now, and will continue this initiative into the future.
All employees of ChaosSearch are aware of GDPR and ChaosSearch program to remain compliant as a Data Service Provider.
All relevant data held by ChaosSearch's SaaS products have been reviewed as being necessary to support the functionality of ChaosSearch's SaaS products.
ChaosSearch's SaaS products are implemented on Amazon Web Services. The European Union (EU) data protection authorities known as the Article 29 Working Party has approved the AWS Data Processing Agreement (DPA), assuring customers that it meets the high standards of EU data protection laws.
No other third parties are presently involved in ChaosSearch's service in handling data regulated by GDPR.
ChaosSearch has appointed a Data Protection Officer, who can be contacted at firstname.lastname@example.org.
As a Data Processor, ChaosSearch is required to assist Data Controllers to fulfill their responsibilities.
Data Controllers can use ChaosSearch's SaaS product’s administrative capabilities to access, rectify, restrict the processing of, or delete any data that they and their users put into ChaosSearch's products. This functionality will help them fulfill their obligations to respond to requests from data subjects to exercise their rights under the GDPR.
Further, ChaosSearch has defined procedures to manually or otherwise assist any request from a Data Controller to fulfill their responsibilities.
ChaosSearch has robust procedures in place for handling any event in this category. After review, these meet and exceed the requirements of GDPR.
ChaosSearch is committed to information security best practices. In line with GDPR, ChaosSearch assesses the measures required in its products based on factors like data sensitivity, impact, risk, and available technology.
Security is a core requirement of, and a guiding mantra in the design of any component of ChaosSearch's products, including encryption of data whilst in-flight and at rest, continuous vulnerability and penetration testing of systems and “firewalled” DevOps procedures to ensure security.
Customers of ChaosSearch can elect to have their data stored within the EU or other global locations. ChaosSearch assures that the customer’s data will remain in the region selected.
If you have further questions, you may contact Scalable at email@example.com.