At Acquia, customer success doesn’t just mean building digital experiences. It also means security, privacy and compliance. Those might not be as flashy or exciting as a personalized website or decoupled application, but we can’t overstate their importance.
We continue to make security investments to provide our customers a robust and secure platform – with the required people, process and technology. This includes securing our platform by design, offering complementary security products and services, and a portfolio of independent third-party audits to validate our security program.
With that in mind, we are pleased to share that Acquia is ready for the General Data Protection Regulation (GDPR).
The General Data Protection Regulation is a data protection regulation issued by the European Union (EU) to replace the European Data Protection Directive of 1995. The GDPR will regulate the protection of personal data across the EU member states and will apply directly in all of them from May 25, 2018, without any further action by those states. The GDPR applies to organizations both inside and outside the European Union that process the personal data of data subjects who are in the EU, placing new obligations on these organizations.
The GDPR focuses on protecting the personal data of individuals in the European Union; it strengthens the rights these individuals already have under existing data protection regulations and grants them new ones. Under the GDPR, personal data is defined broadly in Article 4 (1) as follows:
“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR's definition of personal data goes beyond the personally identifiable information (PII) and personal data already covered by regulations and laws such as HIPAA and PCI: any single data point that identifies a natural person is in scope. Examples include a name, email address, postal address, phone number, and dynamic or static IP addresses. The effect on data collection is that collection must be purposeful, with a clear and transparent intent of use, as well as secure and legitimate, including obtaining an opt-in.
As a global company, Acquia processes the personal data of persons in the European Union as part of our product and service offerings to our clients, and is a controller for the personal data which it collects in its marketing, CRM, HR, finance and other internal systems.
We believe that the GDPR is an important step forward in standardizing data protection requirements across the member states of the European Union. Acquia has always seen the GDPR as an opportunity to further strengthen and deepen our commitment to data protection by building upon the requirements set forth by frameworks and standards that we support such as SOC 1, SOC 2, ISO 27001, PCI-DSS Level 1, HIPAA, FedRAMP and Privacy Shield.