On May 25, 2018 the General Data Protection Regulation (GDPR) takes effect in the European Union (EU). This new regulation imposes broad new data privacy protections for EU individuals and applies to any company that collects or handles EU personal data, regardless of the company's location.
Since we have only 5 more months ahead of us, I would like to share with you how Aurea is going to help our CRM and Email Marketing customers comply with GDPR through robust privacy and security protections in our products.
For the sake of simplicity I have only picked the most relevant topics with regards to GDPR compliance.
Encryption of personal data at rest and in transit
- For our SaaS customers (CRM.web, Campaign Manager, hosted List Manager) we will continue to support client-to-server and server-to-server communication via SSL.
On top of AWS' strong security and compliance framework, we will offer optional enforcement of database file encryption.
- For our on-premise customers we recommend taking appropriate measures with regards to database file encryption (TDE) for their MSSQL and Oracle databases.
Specifically for CRM.web offline and CRM.client for Windows we suggest looking into disk encryption solutions such as BitLocker or third-party database file encryption for MSSQL Express (CRM.web offline) and SQLite (CRM.client).
CRM.pad and CRM.client for iPhone have built-in AES encryption.
- For our on-premise customers we also recommend enforcing secure client-to-server and server-to-server communication via SSL.
- For our on-premise List Manager customers we will provide a software update to support OpenSSL.
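As an added illustration of the TDE recommendation for on-premise MSSQL databases above (this is example T-SQL, not Aurea's own code or documentation), the steps to enable Transparent Data Encryption on one database, including the certificate backup and the verification query a practitioner would want. The database name CRMDB, the certificate name, the file paths and the passwords are assumptions and placeholders.

```sql
-- Added example: enable TDE on a SQL Server database (assumed name: CRMDB).
-- TDE requires an edition that supports it; SQL Server Express does not,
-- which is why the text points Express users to third-party options.
USE master;
GO
-- 1. Database master key in master; the password is a placeholder.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-password-placeholder>';
GO
-- 2. Certificate that protects the database encryption key (name assumed).
CREATE CERTIFICATE CRM_TDE_Cert WITH SUBJECT = 'TDE certificate for CRMDB';
GO
-- 3. Back up the certificate and its private key immediately: without this
--    backup, encrypted backups and the database cannot be restored elsewhere.
--    Store the files outside the database server (paths are placeholders).
BACKUP CERTIFICATE CRM_TDE_Cert
    TO FILE = 'D:\secure\CRM_TDE_Cert.cer'
    WITH PRIVATE KEY (
        FILE = 'D:\secure\CRM_TDE_Cert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-password-placeholder>');
GO
-- 4. Create the database encryption key inside the target database.
USE CRMDB;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE CRM_TDE_Cert;
GO
-- 5. Switch encryption on; existing pages are encrypted in the background.
ALTER DATABASE CRMDB SET ENCRYPTION ON;
GO
-- 6. Verify. encryption_state 3 = encrypted, 2 = encryption in progress.
--    tempdb is encrypted automatically once any user database uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

TDE protects the data and log files and backups at rest only; it does not replace SSL on the connection, which is why the text lists both.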
In addition, GDPR grants individuals extensive rights to access their personal data, to request updates to it, or even to request its deletion.
- Individual’s Right to Access and Review
- Individual’s Right to Update Data
- Individual’s Right to Erasure
- Individual’s Right - Data Portability
- Individual’s Right - Commonly Used Format
- Individual’s Right - Consent
- Individual’s Right - Data Retention
All of these individual rights requirements are already supported today by all our CRM and Email Marketing products. However, some of them may require a certain amount of customization.
Some of you might wonder why there is now another regulation besides the Privacy Shield agreement between the US and the EU. So, let's take a quick look at that as well, because it is important to understand the differences.
The General Data Protection Regulation is a set of laws due to be enacted in the EU in 2018. Privacy Shield is an agreement between the EU and the US allowing for the transfer of personal data from the EU to the US.
The GDPR has specific requirements regarding the transfer of data out of the EU. One of these requirements is that the transfer must only happen to countries deemed as having adequate data protection laws.
In general, the EU does not list the US as one of the countries that meets this requirement.
Privacy Shield is designed to create a program whereby participating companies are deemed as having adequate protection, and therefore facilitate the transfer of information.
In short, Privacy Shield allows US companies, or EU companies working with US companies, to meet this requirement of the GDPR.
In the upcoming weeks we will publish dedicated GDPR whitepapers to share more information on our activities and to make sure you have all the information you need to be ready on May 25, 2018.