What Is GDPR?
On May 25, 2018, a new European privacy regulation called the General Data Protection Regulation ("GDPR") will come into effect. It will apply to all companies selling to and storing personal information about citizens in Europe and provides such citizens with greater control over their personal data and assurances that their information is being securely protected. As a company that will be required to comply with GDPR, Everbridge has begun the process of planning for the regulation in time to meet the effective date.
What EU Citizen Data Does Everbridge Process?
Recognizing the sensitivity of the customer data to which Everbridge may have access, data privacy has long been an area of focus for us. Everbridge customers can upload contact information for the individuals that they choose to communicate with using Everbridge's products. These individuals include employees, residents, contractors, visitors, etc. Any data processing performed by Everbridge is done at the initiative of our customers when they are utilizing our system for critical event management. Everbridge does not process customer data in any other way or for any other reason. Customers have complete control over the data which is uploaded into Everbridge's contact stores, and the customer chooses the location where its data will be stored. Everbridge does not access that data except as specifically requested by a customer, and all such data can be deleted or modified by a customer directly at any time. Upon expiration of a customer relationship, all customer data is deleted within 30 days. This control over the data enables customers to directly upload, modify and delete individual contact information as appropriate based on customer requirements.
What Is Everbridge Doing to Comply with GDPR?
As part of our compliance initiative, we are reviewing our business processes and forms to confirm our compliance with the new requirements, including an individual's right to access their personal data, right to be forgotten, right to data portability, and the right to be notified of a breach. Everbridge's systems, however, will not need to be modified to comply with many of these key aspects of GDPR.
We are also engaging in several privacy-by-design activities, including data mapping and determining what data needs to be kept, so that we do not retain more information than is necessary and we remove data that is no longer used.
We are developing and implementing safeguards throughout our infrastructure to help contain any security breaches. Such safeguards will guard against data breaches and will ensure that Everbridge will be positioned to take quick action to notify individuals and authorities in the event that a breach does occur. In addition, we are reviewing and updating our privacy statement and disclosures and breach response plans where necessary to ensure compliance with the GDPR requirements.
What Does Everbridge Do to Protect Customer Data Today?
Everbridge's security framework is based on National Institute of Standards and Technology (NIST) Special Publication 800-53 – Security and Privacy Controls for Information (maps to ISO 27001), and our security and data privacy controls and procedures are assessed annually by an accredited third-party audit firm under Statement on Standards for Attestation Engagements No. 16 (SSAE 16). These standards and processes already in place will make Everbridge's compliance with GDPR that much easier.
Everbridge complies with current EU legislation, including the Data Protection Directive 95/46/EC, the UK Data Protection Act, and the German Federal Data Protection Act (Bundesdatenschutzgesetz), and was previously certified under the EU-US Safe Harbor. After the invalidation of Safe Harbor, Everbridge relied on the EU Standard Contractual Clauses until becoming certified under the EU-US Privacy Shield in November 2016. Everbridge complies with the seven Privacy Shield principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. Many of these principles have direct counterparts under GDPR and will assist our efforts in achieving full compliance by May 2018.