Security has been at the core of the Sumo Logic platform since day one. Security, Compliance, Governance, Privacy and Risk have always been key components in all aspects of our service and business, and this is no exception as we prepare for European Union General Data Protection Regulation (EU GDPR).
How are we preparing? Like many other organizations around the world, there are a number of steps we are taking as we work towards GDPR compliancy. This blog will outline some of these steps and why they’re so critical to GDPR.
Global Privacy Program
We are working to expand our privacy program to meet the needs of EU GDPR as well as future Privacy Laws or Regulations. Privacy has long been an important pillar in programs, however with the rapidly growing areas of Big Data and the Internet of Things (IoT) the need to clearly call out how individuals data is being used and where it is stored is more important than ever.
As part of this initiative, we have hired a Data Protection Officer (DPO) to lead the program. The DPO and information security team have also consulted with a privacy attorney to discuss our roadmap and ensure we are on the best path to EU GDPR compliance. Additionally, she will be attending IAPP Training in London and obtaining her CIPP/E (Certified Information Privacy Professional/Europe) & CIPM (Certified Information Privacy Manager) Certifications.
Some of the steps we are taking to ensure we are doing our due diligence and ensuring not only our compliance but that of our customers, is to work with all of our vendors and validate they are also working towards compliance with EU GDPR.
Data Protection Agreement
We also have a Data Protection Agreement (DPA) we will sign with customers to give them assurance that we will meet the May 25, 2018 deadline. We believe taking these steps are critical and allows us to provide our customers with confidence that Sumo Logic has done everything we can to ensure EU GDPR compliance.
Privacy by Design
Some other key processes and integrations we are working on are expanding our Security by Design to Security & Privacy by Design. Per Article 25 Privacy will be considered in every phase of our product and in all aspects of our business.
Privacy training has been integrated into our new hire training, annual training and ongoing communications. We will be working to ensure the entire organization understands EU GDPR as well as develop deeper, targeted trainings for specific portions of the law that apply to individual groups.
Policies & Processes
We are working to update and incorporate Data Protection & Privacy into our Information Security Management System (ISMS) as well as expand our Impact Assessments to include a Data Protection Impact Assessment (DPIA) and better define and document the way we perform Data Mapping.
Lastly, while currently there is no official certification for EU GDPR today, we are engaging with third parties to validate our controls and will provide an independent attestation of controls in early Summer 2018.
You may find this relevant: