RedShield's Approach to GDPR Compliance
The European Union's General Data Protection Regulation (GDPR) has come into full effect. This new regulation will have a profound impact on companies that perform business functions involving the sensitive personal information of EU zone residents.
For most organisations, this new regulation will signal a number of changes in the way personal data is protected and how breaches are reported. We outline here how RedShield has approached this regulation, how it has integrated controls that address the requirements of a Data Processor, and how it complies with the requirements of the regulation.
Protecting our customers' information and the privacy of their users is extremely important to us. As a cloud-based company, RedShield is trusted with some of our customers' most valuable data, so we set high standards for security.
Preparing for the GDPR
RedShield is first and foremost a security company, with roots in penetration testing, security compliance, and auditing. Operating in the role of a Data Processor for our clients, RedShield fully understands the implications of data loss for an individual, and the impact this can have for an organisation entrusted with sensitive personal information. For these reasons, RedShield welcomes this additional regulation that:
• Protects the rights of individuals and their ability to control, update, withdraw, and transfer information held about them by organisations,
• Requires organisations to demonstrate a high level of due diligence when it comes to the handling and protection of sensitive information,
• Enforces an enhanced level of reporting on compliance, as well as any security breach of personal information.
Data Processors under the regulation are responsible for processing personal data on behalf of a controller. Any non-compliance, whether realised in a breach or not, could attract sanctions for both parties under the regulation.
RedShield acknowledges that the GDPR’s extended requirements are significant, and the global team is working to ensure our shielding solution and contractual commitments are in line with the regulation. Amongst the measures we are taking to ensure this are the following:
• Adjustment of contracts with relevant companies to make sure that the new regulation is accounted for,
• Enhancements to our internal tools and processes specifically to address core aspects of the regulation,
• Continuous investment in our infrastructure and the components required to secure it.
RedShield also monitors industry guidance on the GDPR from privacy-related regulatory bodies. We can attest that all appropriate technical and organisational measures have been implemented within the organisation so that data processing meets, or exceeds, the requirements of the GDPR and protects the rights of EU data subjects.
RedShield is also well placed to assist businesses in complying with their own GDPR requirements as Data Controllers. As an example, where data is at risk due to unresolved vulnerabilities in web applications, shielding is a quick, effective and inexpensive means of mitigating these risks ahead of longer-term application upgrade cycles.
Data Management Tools
RedShield does not track or monitor the activities of individual users of our subscriber sites; however, personally identifiable information may be recorded within our processing facilities.
Because of this, and to help with compliance with the GDPR, we’ve built tools that allow us to identify personal data in our environment and to remove it. This category of information is not part of RedShield's business model and does not contribute to our business goals. Our data logging policies require the removal of all online log data after a pre-defined period, but if faster removal is required, we have tested processes in place to support it.
The GDPR places direct obligations on data processors, both in its requirements and in its sanctions for non-compliance. To ensure alignment, RedShield has implemented appropriate technical and organisational measures so that a level of security appropriate to the risk to any personal information it may collect is in place.
As well as making sure that RedShield is itself compliant with the GDPR, it is also able to help clients ensure that the data they control is secured.
This page will be revised to reflect GDPR-related information as it becomes available. If you have any questions about the GDPR and RedShield's compliance activities, please contact us.
Our ongoing commitment to protecting the confidentiality, integrity, and availability of data and its processing systems is at the core of the service RedShield provides.