Everbridge and General Data Protection Regulation (GDPR) FAQ

What Is GDPR?

On May 25, 2018, a new European privacy regulation called the General Data Protection Regulation ("GDPR") came into effect. It applies to all companies that sell to, or store personal information about, citizens in Europe, and it gives those citizens greater control over their personal data along with assurances that their information is being securely protected. As a company that is required to comply with GDPR and other applicable privacy regulations, Everbridge has implemented and continues to maintain processes and controls to meet these requirements.

What EU Citizen Data Does Everbridge Process?

Recognizing the sensitivity of the customer data to which Everbridge may have access, data privacy has long been an area of focus for us. Everbridge customers can upload contact information for the individuals with whom they choose to communicate using Everbridge's products. These individuals include employees, residents, contractors, visitors, etc. Any data processing performed by Everbridge is done at the initiative of our customers when they are using our system for critical event management. Everbridge does not process customer data in any other way or for any other reason.

Customers have complete control over the data which is uploaded into Everbridge's contact stores, and the customer chooses the location where its data will be stored. Everbridge does not access that data except as specifically requested by a customer, and all such data can be deleted or modified by a customer directly at any time. Upon expiration of a customer relationship, all customer data is deleted within 30 days. As part of the cancellation process, the parties document who is responsible for destroying customer data by specifying whether the customer or Everbridge will perform data destruction.

This control over the data enables customers to directly upload, modify and delete individual contact information as appropriate based on customer requirements and to support data-subject rights such as deletion and restriction of processing.

What Is Everbridge Doing to Comply with GDPR?

As part of our compliance initiative, we are reviewing our business processes and forms to confirm our compliance with the new requirements, including an individual's right to access their personal data, right to be forgotten, right to data portability, and the right to be notified of a breach. Everbridge's systems, however, will not need to be modified to comply with many of these key aspects of GDPR.

We are also engaging in several privacy-by-design activities, including data mapping and determining what data needs to be kept, so that we do not retain more information than is necessary and we remove data that is no longer used.

We are developing and implementing safeguards throughout our infrastructure to help contain any security breaches. These safeguards are intended to guard against data breaches and to ensure that Everbridge is positioned to act quickly to notify individuals and authorities in the event that a breach does occur. In addition, we are reviewing and updating our privacy statement, disclosures, and breach response plans where necessary to ensure compliance with the GDPR requirements and with other applicable privacy laws.

Data subjects can exercise rights such as access, deletion (erasure), restriction of processing, or certain opt-outs by submitting a privacy request to Everbridge. Requests can be submitted using the instructions on the Everbridge website for privacy or data-subject access requests, or by emailing privacy@everbridge.com. In a request, individuals should clearly describe the action they are seeking (for example, access to their data, anonymization or deletion of their personal data, restriction of processing, or "do not sell or share my personal information") and provide sufficient identifying information (such as their name and contact details and, where relevant, their residency) so that Everbridge can perform a reasonable search for their data.

After Everbridge receives a data deletion, erasure, or similar privacy request, Everbridge will acknowledge receipt, conduct a reasonable search for personal data associated with the identifiers provided, and inform the requester of the results. If data is located,

Everbridge does not sell customer data; customer data is used only for the purposes of delivering Everbridge services.

What Does Everbridge Do to Protect Customer Data Today?

Everbridge's security framework is based on National Institute of Standards and Technology (NIST) Special Publication 800-53 – Security and Privacy Controls for Information (maps to ISO 27001), and our security and data privacy controls and procedures are assessed annually by an accredited third party audit firm under Statement on Standards for Attestation Engagements No. 16 (SSAE 16). These standards and processes already in place will make Everbridge's compliance with GDPR and other applicable privacy and security requirements that much easier.

Everbridge complies with current EU legislation, including the Data Protection Directive 95/46/EC, the UK Data Protection Act, and the German Federal Data Protection Act (Bundesdatenschutzgesetz), and was previously certified under the EU-US Safe Harbor. After invalidation of the Safe Harbor, Everbridge employed the EU Standard Contractual Clauses until becoming certified under the EU-US Privacy Shield in November 2016. Everbridge complies with the 7 Privacy Shield principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. Many of these principles have direct counterparts under GDPR and will assist our efforts in achieving full compliance by May 2018.
