����̽̽

The European Union’s (EU) General Data Protection Regulation (GDPR) is set to take effect May 25, 2018. Now is a good time to discuss the capabilities ����̽̽ offers to help customers meet their GDPR obligations.  

What is GDPR?

In its most basic description, GDPR is a regulation designed to bring together and align various data protection laws across Europe. GDPR establishes the rights of EU persons to have a degree of control over their personal data and sets responsibilities for companies controlling or processing that data.

Sharing of Responsibilities Under GDPR

It is important to take some time to understand GDPR and your company’s responsibilities under the new regulation. GDPR defines two roles that establish the responsibilities for entities involved in data privacy: the controller and the processor. Per the GDPR page, a data “controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

Below we will discuss ����̽̽’s role as data processor and describe the various protections we have in place to help support your needs.

����̽̽ as the Data Processor

����̽̽ offers protections in two distinct areas as data processor: Security & Audits and Privacy. Specifically:

Security & Audits

����̽̽ maintains industry standard security over the data it processes. We undergo annual SOC 2 audits covering the security, confidentiality, availability, and data processing integrity control principles. ����̽̽ also undergoes annual SOC 1 audits.

����̽̽ also maintains a security incident response plan that includes notification of impacted customers if their data is compromised. ����̽̽ ensures this plan supports the requirements established by GDPR.

Privacy

����̽̽ works with a third-party privacy consulting firm called TrustArc (formerly TRUSTe) in the design and verification our privacy program, policies, and websites including the ����̽̽ Manufacturing Cloud. Our program is designed to meet the needs of customers worldwide, including the European Union. 

����̽̽ also assesses risks associated with vendors, including risks associated with privacy. For vendors that may come into contact with personal data, we verify their security controls and relevant positions on privacy (including adherence to Privacy Shield, for example).

Customer as the Data Controller

While ����̽̽ has data processor responsibilities under GDPR, customers are responsible for GDPR compliance requirements set forth for data controllers. It is important to carefully review your responsibilities via some of the many resources available online. Important responsibilities include:

Collecting Consent: For EU citizens whose personal data ����̽̽ customers collect, customers are responsible for collecting consent to process that data.

Right to be Forgotten: EU citizens will have the right under GDPR to have their personal data deleted. ����̽̽ customers can use ����̽̽ to delete records of employees if requested. 

System Access: PMC can be configured to restrict user access in accordance with customer policies. 

Activity Logs: PMC logs user account activity and reports are available to monitor user actions. ����̽̽ recommends customers conduct careful review of audit and security audit reports, including PMC activity audit log reports.

Security, Compliance, and Communication

As with all relevant regulations and standards, ����̽̽ takes its customers’ and its own security, privacy, and other compliance requirements seriously. ����̽̽ is dedicated to ensuring our cloud services remain a trusted tool for our customers. We will continue to share information related to GDPR and other security and regulatory issues as they come to our attention. Please do reach out to ����̽̽ via the Customer Community or your CSM if you have related questions.