FAQ on General Data Protection Regulation (GDPR)


What is GDPR? 

The General Data Protection Regulation (GDPR) is a series of laws that were approved by the European Union Parliament in 2016. The purpose of the GDPR is to provide a set of standardized data protection laws across all the member countries. The new regulations give EU citizens greater control over their data, including the ability to export it, withdraw consent, and request access to it. It also makes data protection rules identical throughout the EU, allowing for the easier transfer of data throughout the European Union. This regulation takes effect on May 25th, 2018, and affects any company that does business with Europe, whether it is based in the EU or not.

What does this mean for CoSo Cloud Customers?

With the new regulation, it is important to define the roles that CoSo Cloud and our customers play in the handling of personally identifiable information, or PII.

Because our customers own their data, they are considered the data controller. A data controller is the entity that determines the purposes, conditions, and means of the processing of personal data. CoSo Cloud plays the role of the data processor, which is an entity that processes personal data on behalf of the controller.

CoSo’s customers must get explicit consent to use the personal data of any of their users before storing or processing their sensitive data. The data controller is required to be able to demonstrate that consent was given. Existing consents may still be valid, but only provided they meet the new conditions.

To fully protect personal data, you need to know what data you are collecting, how you are collecting it, what you are doing with it, who is processing it and where, and how you are protecting it – whether at rest, in use, or in motion.

The Adobe Connect software team at Adobe is aligning with wider GDPR-readiness efforts that are detailed at adobe.com/go/gdpr. As a result, Adobe will be focusing on supporting data access and deletion requests in the upcoming release of Adobe Connect 9.8.

GDPR readiness: A shared responsibility

GDPR is a shared compliance journey, with the regulation setting out the obligations for the various parties. Both brands, as “data controllers,” and technology providers, as “data processors,” contribute.

Your customers’ rights as data subjects

A key part of GDPR is letting individuals choose what happens to their personal data. Individuals can ask companies to:

  • Access and correct errors
  • Delete personal data
  • Object to its processing
  • Export it

Your role as a data controller

As the data controller, you will determine the personal data we process and store on your behalf. CoSo Cloud may process personal data for you depending on the products and solutions you use and the information you choose to send to your Adobe Connect meeting room. As a controller, you will provide privacy notices to individuals who engage with your brands detailing how you collect and use information, and obtain consents, if needed. If those individuals want to know what data you maintain about them or decide they want to discontinue their relationship with you, you will respond to those requests.

Our role as a data processor

When CoSo Cloud provides software and services to a customer, the company acts as a data processor for the personal data the customer asks us to process (and, if desired, store) as part of the services provided. As a data processor, our company only processes personal data in accordance with the customer’s permission and instructions as set out in the Agreement between the parties. In cases where assistance is needed with any individual consumer requests, the company will partner with you through processes, products, services, and tools to help you respond.

What has CoSo Cloud done to prepare for GDPR?

CoSo Cloud meets and fulfills the obligations of a data processor, as defined by GDPR. We at CoSo have always maintained our operations at the highest possible level of privacy and security. We continue to operate this way in alignment with the requirements and practices dictated by GDPR. We have updated our Privacy Policy to simplify the language for all users, and reviewed our internal operational policies to ensure we comply with the regulation.

What if you are a US company with no EU presence? Should your company care about GDPR regulations?

The answer is YES. Even if you don’t care about it, your users in the EU do. For example, if you offer training programs or meetings via Adobe Connect, and EU citizens enter or attend your offerings, you are processing data of those EU citizens and must comply with the privacy standards of GDPR.

Bottom line: If you process EU citizen data, which most U.S. businesses do, this law applies to you.

How does CoSo provide GDPR protection?

CoSo Cloud is certified under the EU-US and Swiss-US Privacy Shield frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU and Switzerland to the United States. Privacy Shield was established in early 2016 when it replaced the International Safe Harbor Privacy Principles—which were developed to prevent private organizations within the European Union or United States from accidentally disclosing or losing personal information—with stronger requirements for the handling of personal data and protection of individuals. The new set of principles was developed particularly to help organizations comply with the General Data Protection Regulation (GDPR).

By adding Privacy Shield to a growing list of certifications that also includes SOC 2 + HITRUST certification and FedRAMP ATO, CoSo continues its strong commitment to ensuring that its customers in the healthcare, pharmaceutical, financial, government, and other highly regulated sectors can conduct high-consequence virtual training and meetings safely and securely, knowing the CoSo Secure Private Cloud meets all regulatory compliance requirements.

CoSo Cloud demonstrates the strictest adherence to the protection of all highly sensitive data stored in Adobe Connect meeting rooms within CoSo Cloud global data centers. CoSo Cloud commits to securing your data using industry-leading methodologies and encryption standards.

CoSo integrates the highest standards of data protection, privacy, and security requirements into our infrastructure, deployment, and product design and development methodologies. In addition to meeting or exceeding the controls required by FedRAMP, GDPR, Privacy Shield, SOC 2 + HITRUST, and HIPAA, CoSo Cloud’s entire development process ensures we are embedding privacy requirements from conception to launch to validation. We use the strictest privacy engineering techniques to evaluate and build better offerings, turning privacy-by-design policies into actions and tangible improvements.

CoSo Cloud commits to never selling or releasing customer data, analytics, or usage to third parties.

How is CoSo Cloud different?

As your trusted provider of virtual training and collaboration services, if your company receives a Data Subject Request (DSR) for export or deletion, CoSo Cloud will assist with the request — regardless of the version of Adobe Connect you have installed. Our Privacy Team will work with you throughout the process to ensure your compliance with the regulation.

What can you do to prepare for GDPR?

Any customer using the CoSo Secure Private Cloud should ensure users click on a Compliance Notice within their meetings to give explicit consent when accessing their environment. CoSo Cloud customers can reach out directly to their Customer Success Manager or CoSo Support on how to implement the Compliance Notice functionality.

Changes every company will need to make to become compliant with GDPR include:

  • Update your Privacy Policy to indicate what information you store about your customers and how your company uses it.
  • Change your sign-up process to ensure explicit consent is given to collect user data.
  • Have a process in place to respond to DSR requests. These requests can include exporting or deleting user data.
  • Make sure that appropriate data security is in place to prevent unauthorized access to customer data, and make those security measures very explicit. GDPR calls this “Data protection by design and by default.” This includes binding commitments on what you’ll do if a data breach occurs. In most cases this will require you to have a Data Processing Addendum (DPA) in place with your customers. This may be the most expensive and time-consuming part of the process.