GDPR Compliance @ Changepoint 2018-05-25T21:54:26+00:00

updated on May 10, 2018

General Data Protection Regulation (GDPR) is a data privacy regulation that goes into enforcement on May 25, 2018. GDPR is the updated version of Directive 95/46/EC, which was enacted in 1995, and will more effectively address the protection of sensitive information in the current technical landscape. GDPR covers the protection of Personally Identifiable Information (PII) of EU citizens that is processed, stored, and managed by organizations.

All of our Changepoint products (Daptiv PPM, Changepoint, barometerIT) are classified as “Processors” under the GDPR guidelines. Since we do not determine the purpose and means of processing the data that is entered into and processed by our products, we cannot be considered a “Controller.” We have validated that Changepoint is meeting all of the GDPR criteria for classification as, and associated responsibilities of, the Processor designation. If you have any questions or require evidence of our compliance, please reach out to us. We will provide you with the information necessary to demonstrate our full compliance with GDPR across all of our lines of products.

What Is Changepoint Doing?

We have evaluated our systems, applications, policies, and services to ensure that they are all GDPR compliant. We have validated and mapped our controls to GDPR. Please know that we are well positioned to meet the revised standards. In part, we have in place:

ISO27001: 2013 Certification for all of our products (Daptiv PPM, Changepoint PSA, and barometerIT). This is an internationally recognized standard that covers the protection and management of sensitive information and the components that support it.

Privacy Shield Certification for all of our products. This includes the privacy processes and procedures that support the current regulation, Directive 95/46/EC. Our Privacy Policy can be found here: https://www.changepoint.com/privacy/

Cloud Security Alliance (CSA) STAR certification for our Daptiv PPM product. This is the most respected Cloud-focused security standard in the industry. While ISO27001: 2013 is a rigorous security standard, STAR certification is even more so. Not only does it have more controls than ISO27001: 2013, but you must be certified for ISO27001: 2013 before you can even be audited for STAR certification.

Updates

We are prepared for GDPR to come into enforcement in May. We have created the policies outlined below and have made the changes necessary to our handling of data to be compliant. We would still appreciate any questions or feedback on our GDPR preparedness. We will continue to use this page to communicate any changes that will be of interest to our customers. Please let us know if you have any questions by emailing them directly to our Data Protection Officer at informationsecurity@changepoint.com.

Timelines

The following timelines are key milestones in our efforts to determine how PII is used throughout our products and our organization, as well as to make the appropriate changes to meet GDPR requirements.

EVALUATE all of our internal business areas – November 2017
EVALUATE all of our policies and processes – November 2017
EVALUATE all our products – December 2017
COMPLETE necessary changes to policy & processes – January 2018
COMPLETE necessary changes to products – February 2018
REVALIDATE the overall preparedness of Changepoint – March 2018
GDPR is enforced – May 2018

Frequently Asked Questions

Q: What is a DPO?
A: DPO stands for Data Protection Officer and is a requirement of GDPR. Each organization must have a DPO who is responsible for compliance with GDPR.

Q: How do I contact Changepoint’s DPO?
A: You can contact our DPO by email at informationsecurity@changepoint.com, or by mail at:

Information Security
1111 3rd Avenue, Suite 700
Seattle, Washington 98101
United States of America

Q: Will there be any downtime for the products?
A: No, any updates that are deemed necessary during the evaluation will occur during normal maintenance or update schedules.

Q: How is GDPR different from security Changepoint already has in place?
A: Changepoint is already ISO 27001:2013 and Cloud Security Alliance (CSA) STAR certified, placing us in a great position to become GDPR compliant. While these standards do not address all of the requirements of GDPR, a majority of what is required for compliance is already in place.

Q: What is Changepoint doing to become GDPR compliant?
A: Changepoint has evaluated all of our commercial products, policies, and internal processes and created new policies and procedures to be in full compliance by the May 2018 deadline. We have been working with our vendors and GDPR experts to interpret how the regulation applies to us directly, as well as how we can enable our customers to comply when using any of our commercial applications.

Q: Do you have a roadmap for upcoming changes?
A: We have completed the changes to our policies and procedures and evaluated our products. We are still looking for any questions or feedback on our GDPR preparedness. We are committed to making any necessary changes prior to the May 2018 deadline.

Q: Where is Personally Identifiable Information (PII) currently stored?
A: We require a very limited amount of PII for our customers to use our applications (name and email). Depending on the application being used and the customer’s country of preference, data is stored within the applications, which are housed in one of the following locations:

  • Within Amazon Web Services (AWS) (customer’s choice of Northern Virginia or Dublin, Ireland); or
  • One of our data centers (Toronto, Canada or Seattle, Washington, USA); or
  • On premises at the customer’s locations.

Q: Are there any options in the current deployed versions of Changepoint’s products to meet these requirements or do you plan to deploy specific versions to comply with these requirements?
A: At this point, we are still reviewing the scope of the regulation as it applies to Changepoint’s products.

Q: What about the display of warning text when asking for PII in Changepoint applications?
A: This will be one of the areas that will require us to update our products. We don’t require much PII, which simplifies our efforts. This change is fairly simple to apply throughout our product line.

Q: What about deleting a person’s PII in your applications and historical backups?
A: We have privacy processes in place as part of our privacy policy, so we already have the framework to allow someone to opt out. We will be working towards making this process more efficient for us and more timely for the individual wanting to be anonymized.

Q: What PII data do Changepoint products require?
A: Changepoint has three unique products: Daptiv PPM, Changepoint PSA, and barometerIT. Each of these products requires a very minimal amount of PII in order to be used, typically an email address for registration and password changes. While our requirements for PII are minimal, we are working towards lessening the need for that data as well as obfuscating the data whenever possible.

Q: Can I remove my PII from your products?
A: Yes, unless there is an overriding exception as outlined in the GDPR, such as medical record requirements and other legal data record requirements. We have policies in place to verify the storage requirements with the Controller of the data and will work with them to anonymize or delete the data without undue delay.

Q: Are Changepoint vendors and sub-vendors required to be compliant?
A: Yes. However, we do not process customer or user data, so we don’t outsource those services. We may use some data, such as email, for marketing purposes, but we have a well-established process for users and customers to opt out of that process from the start. To be extra cautious, we are working with our vendors to add addenda to our contracts that require them to be GDPR compliant, in addition to the confidentiality agreements that are already in place.

Q: We, as a company, store PII in one or more of your products. How can we comply?
A: If you have data that qualifies as being regulated by GDPR (for example, you uploaded a document with PII for a GDPR-covered person or persons), it is up to the customer to remove that data. Since we do not process or access customer data, we do not inherently know whether your data is GDPR regulated. Our most significant undertaking to be GDPR compliant concerns data that is uploaded or input by customers. We are working on solutions that will allow customers to anonymize or remove GDPR-regulated data using automated solutions, but as of today the process would be manual.

Q: Where can I find more information on GDPR?
A: You can find more information on the EU GDPR website and the final version of the text.