Protecting our users’ information and privacy is extremely important to us. As a cloud-based security service, we’re fully committed to complying with the requirements of the General Data Protection Regulation (GDPR).
What is the GDPR?
The GDPR is a new data privacy law, effective May 25th, 2018, that mandates how companies collect, modify, process, store, and delete personal data originating in the EU, whether it belongs to residents or to visitors.
We believe that the GDPR is a positive thing for individuals and brands, as it offers those affected the right to access their personal information or have it deleted entirely.
Measures Taken to Ensure Compliance
Security is the very center of Sucuri’s vision. Because of this, we employ cutting-edge encryption and technologies to safeguard the integrity and availability of our systems.
Our globally distributed team has worked meticulously to ensure that Sucuri’s products and services meet the requirements set forth by these new regulations. Measures we’ve taken to accomplish this include:
- Upgrades to our products and workflows to support data management.
- Updates to our contractual terms and services.
- Reviews of our existing processes in order to meet and exceed GDPR requirements.
Sucuri has always taken privacy very seriously. At the core of our privacy and security policy, we believe that data which does not exist cannot be tracked, stolen, or compromised.
We collect only the data necessary for business and security purposes, storing the minimum amount of Personally Identifiable Information (PII) in our proprietary systems and cache, which already puts us ahead of GDPR guidelines.
How to Prepare for the GDPR
If you are a member of an organization or handle the personal data of citizens within the EU, we’ve documented several steps that you can take to get started with GDPR compliance. This list should not be considered comprehensive, however, and a legal team should be consulted for your organization’s needs.
- Analyze and understand the legal framework for GDPR.
- Review your vendors, existing infrastructure, and any third-party applications you may use in order to familiarize yourself with the way that data flows within your business.
- Identify what types of personal data you process and understand who has access to it.
- Implement a plan for how you will modify, delete, and provide personal data upon request.
- Ensure that you obtain and record explicit consent for the collection and use of personal data. Pre-checked boxes and default acceptance of policies are not permitted under the GDPR.
- Designate an official data protection officer (DPO). This is required for some organizations, but optional for others.
- Provide evidence that your organization complies with the GDPR through documentation, which means writing down your procedures for handling personal data.
- Ensure that your data processing has a lawful basis and keep a record of it on hand.
- Review and update your site’s privacy policy to include detailed information on your data collection, use, and privacy practices.
Sucuri’s legal team and policy officers have reviewed the requirements for the GDPR extensively and will continue to monitor for new guidance on the implementation obligations and requirements. We will update this post with GDPR-related information as soon as it becomes available.
If you require a DPA (Data Processing Addendum), have any questions, or have a GDPR-related request, email us at gdpr@sucuri.net.