General Data Protection Regulation (GDPR) is a comprehensive privacy law created by the European Union (EU) which harmonizes data protection laws across the EU states and reinforces the protection of personal data for EU Citizens conducting business all over the globe.
Our customers’ data security and data privacy are of utmost importance to WhiteHat. We have taken the necessary steps, working with cross-functional internal teams, vendors and external counsel, to comply with the requirements of the GDPR. Here’s how we did it:
Employee training and awareness are key to dealing with major changes in the regulatory landscape. Although personal EU citizen data is not collected or used by WhiteHat products or in the course of performing WhiteHat services, we have established an employee training program to ensure all WhiteHat Security employees are aware of the applicable GDPR guidelines and requirements. General awareness training on GDPR requirements has been provided to all current WhiteHat employees and will be mandatory for all future hires. Specialized role- and region-based training is also provided to ensure our employees have the appropriate knowledge and understanding of the new regulation to support our customers in the best way possible.
WhiteHat offers customers robust privacy commitments through Standard Contractual Clauses. To extend our privacy commitments, we have created Data Processing Addendums (DPAs) that include specific provisions to assist customers in their compliance with the GDPR. We have also signed DPAs with our existing vendors and service providers who may deal with EU citizens’ personal data.
Personal data is not collected or used in our products or during the performance of our services. Nevertheless, as a matter of best practice we have incorporated Data Privacy by Design principles and Data Privacy Impact Assessments into our SDLC process to ensure appropriate care is taken as we build new features in our existing products and services, as well as when we develop new solutions. Customer data privacy and security is our highest concern, and we are committed to fulfilling the responsibilities entrusted to us.
We have implemented procedures to address Data Subject Rights requests related to access, erasure, portability and rectification of personal data. Our formal procedures provide transparency into our process and allow us to respond to Data Subject Rights requests as required by the GDPR. To make a request or inquiry related to the treatment of personal data by WhiteHat, please submit the request via email to firstname.lastname@example.org.
We have enhanced our already robust incident reporting mechanism to incorporate GDPR requirements. We formalized a process to report privacy incidents to the Privacy Leader at WhiteHat through email@example.com, and we have established a procedure to report data breaches within 72 hours of breach discovery as required by GDPR articles.