You’ve probably heard about the General Data Protection Regulation (GDPR), the new European Union data privacy and protection law that strengthens and expands the privacy rights of EU citizens. Organizations operating in the EU or handling data of EU citizens need to be compliant with the GDPR by May 25th, 2018. Many businesses, including Front, are in their final stages of preparation to ensure GDPR compliance.
Data privacy and security have always been top priorities for Front. We’re optimistic about the changes the GDPR will bring to the industry and the opportunity it gives us to strengthen our commitment to user privacy and data protection. We’re taking steps to ensure our compliance with the GDPR by May 25th as both a data controller and data processor.
We’ve outlined the policy, product, and operational changes you can expect from Front in the next month to comply with the GDPR.
Under the GDPR, organizations are recognized as data controllers, data processors, or both. The requirements differ depending on your role in the data collection and handling process. Front is both a data controller (of data about our customers) and a data processor (of our customers’ data). Any Front customers managing the data of EU citizens are also data controllers, with Front acting as one of their data processors.
The GDPR has defined comprehensive data protection principles to standardize how data is collected and processed across countries. These include clarification around what constitutes “personal data”, requirements for explicit user consent to collect their personal data, standardization around the security of personal data, and the expansion of user rights with respect to their personal data and the “right to be forgotten”.
Front has been working hard with GDPR experts to understand its requirements and their implications. We will update the following policies, operational practices, and product features by the May 25th deadline to achieve GDPR compliance.
Terms of Service: We’ll share our updated Terms of Service, which includes a new Data Processing Addendum with the Model Clauses required by the GDPR.
Privacy Shield: We’ve also completed the E.U.-U.S. and Swiss-U.S. Privacy Shield certifications to ensure adequate safeguards are in place for international data transfers.
Data Classification, Privacy Impact Assessment, & Security Risk Assessment: We’ve completed a comprehensive audit of our data and assets following the ISO-27001 standard. We’ve also completed our annual security risk assessment to identify and mitigate risks related to data breaches or other vulnerabilities.
Security & Incident Response Training: All Front employees attend trainings on our responsibilities regarding security, availability, processing integrity, and confidentiality. Additionally, the Front team is trained on the appropriate incident response procedures to follow in the case of a data breach.
Data Usage: We’ve completed a comprehensive data audit to ensure we only collect data critical to business needs, and we will review our retained data regularly. We’ve also streamlined how personal data is used throughout our infrastructure, limiting its use to only those applications necessary to operate our service.
Data Access, Portability, and Deletion: We’ll provide a process that allows customers to request that their data be corrected, exported, or deleted.
It’s critical that we find ways to establish trust on the Internet and that technology businesses operate with strong, transparent, and standardized security and privacy practices. As a global business founded in Paris and currently based in San Francisco, this effort is especially important to us. We believe the GDPR is a major step forward.
At Front, we take pride in our approach to data privacy and protection — and in our compliance with the GDPR. For new features and products we develop at Front, we incorporate “privacy by design” principles to carefully understand the privacy and security implications and ensure we build with them top of mind. As these new standards are put in place, we’re committed to meeting them to deepen the trust we’ve built with our customers to date.
We will complete the changes outlined above by May 25, 2018 and will notify Front account administrators when we publish our updated Terms of Service. To help you stay current, our Community page will be revised to reflect the latest information on Front’s GDPR compliance.
If you have any questions, please let us know. We’re here to help.