What is GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe to protect and empower all EU citizens data privacy, and to reshape the way organizations across the region approach data privacy. Unlike its predecessor, the GDPR will be directly effective in European Member States without the need for implementing legislation. For more information, follow this very informative GDPR course by internet security specialist Troy Hunt.

The GDPR is not only relevant for Europe but also applies outside of the EU whenever: (1) an EU data subject’s personal data is processed in connection with goods/services offered to him/her; or (2) the behavior of individuals within the EU is “monitored”.

Therefore, if your organization or business offers paid or free goods or services to anyone in the European Union member states then you need to adhere to GDPR. Here are four of the many possible indicators that your business is targeting individuals in the EU:

• You have a local office in one of the member states
• You provide your goods or run your service in one of the EU states’ languages
• Your website or application has an EU domain like .eu, .de, or .it.
• Your pricing includes EU currencies e.g. Euro, Danish krone  

GDPR measures at Platform.sh

As part of our measures we have implemented the following:

• Data Protection Officer: Appointment of a Security Officer who also holds the Data Protection Officer (DPO) role.
• Data Breach Policy: We have updated our data breach policy and procedures and have reviewed that all our suppliers that their breach notifications are at an acceptable standard.
• Consent: We respect your inbox just as we want ours to be respected. We’ve made sure that all our customers, users, and partners Opt-in to share their personal data with us.
• Data Governance: Having internally audited all of our suppliers on their internal security and their GDPR compliance status, we can confirm that our in-scope suppliers are GDPR compliant.
• Data Protection by design: We’ve implemented policies in the company to ensure all of our employees follow the necessary training and protocols around security. In addition, privacy protection is part of every project during instantiation.
• Enhanced Rights: We’ve aligned the language of our policies as well as our product and services to adhere to GDPR regulations.
• Personally identifiable information (PII): We’ve implemented key actions to encrypt and protect personal identifiable information

The most penalizing parts of the GDPR are the ones the concern data breaches, so possibly, the most important thing of all is what we have been doing all along: creating a secure service. There are many checkboxes that need to be checked. But if you want to keep in mind just a single one, this would be it: Don’t get hacked.

Platform.sh has many security layers that make attacks much harder than on comparable services. Starting from our read-only hosts and containers, through to our auditable and reproducible build-chain, the static-analysis based protective block, our dynamic WAF, our HTTPS by default, and our “no-insecure-protocols” iron-clad policy. Running your workloads on Platform.sh means your systems are much less likely to get hacked, and therefore you are much less likely to be liable under these very stringent new policies.

How does this affect our partners and customers?

With billions and billions of personal data compromised out of online systems worldwide since 2004, individuals stand to be better protected against fraud, identity theft, and blackmail with GDPR.

At Platform.sh, we will ensure we are specific and unambiguous in the way we ask you to share your personal data. You also have the right to access or erase any of your own personal data we have recorded in our systems. Any personal data you supply to Platform.sh is held in accordance with the GDPR and, when applicable, you can assure your clients doing business in the EU that your backend provider complies with the GDPR.

Guidelines on how to make your workloads GDPR ready

You can rely on many of the things we do to satisfy your GDPR requirements. We provide infrastructure, however, and many of your compliance questions will occur at the application level. We give you a lot of control: you can run anything on Platform.sh, including insecure code. You can turn off HTTPS. You can put your administrator password on a post-it. These items are beyond our control.

In order for your workload to be compliant with GDPR, these are key steps you should consider for your application:

• Use a GDPR compliant hosting service (Done!)
• Do an impact analysis: what personally identifiable information do you store and where. Platform.sh’s services will likely only be a part of that.
• Consider encrypting any collected personally identifiable information (PII) at the application level, implement pseudonymization where you can.
• Consider applying pseudonymization to data that is present in development and staging branches (run a scrubbing procedure after you clone production).
• At the application level, delete any personally identifiable information that is no longer needed.
• Put the required procedures in place to answer demands for erasure or modification.
• Make sure you know who in your organisation has access to Platform.sh’s environments, and use our fine-grained controls to apply the principle of least privilege.
• Encrypt the transport (e.g. the use of HTTPS instead of HTTP) of any personally identifiable information (Platform.sh uses HTTPS default, but allows you to use HTTP, you should review your configuration).
• Treat personally identifiable information as opt-in and not opt-out.
• Verify that all users gave explicit content for any personally identifiable information processed by your organization.
• Ensure that any cross-border transfers of personally identifiable information comply with the GDPR requirements (we are talking here about things your application does, you can rely on our infrastructure to be compliant for what it is responsible for).
• Verify that you meet the new rules concerning children’s personally identifiable information.
• Review and update your processes and policies to comply with the GDPR requirements such as Privacy by Design, data governance and transfer, data portability, automated decision making, ability to amend/rectify stored data, and pseudonymization

It is also important to prepare for the necessary steps within your company with regard to data breaches. For this we recommend that existing users map out the flow of any personally identifiable information their application sends outside of Platform.sh’s systems. Whilst Platform.sh helps companies be ready for GDPR, you must verify that your company is fully GDPR compliant.

To help you on this journey we are publishing blog posts on the GDPR that go into much further detail.