
  • What is GDPR?

    The General Data Protection Regulation (GDPR) is a European privacy regulation that has applied since 25 May 2018. The GDPR, which replaces the EU Data Protection Directive (95/46/EC), aims to consolidate data protection rules across the European Union (EU) by enacting a single data protection law directly enforceable in all member states. Regardless of where your firm is located, the law affects European companies and any business that targets individuals in the EU or collects, uses, or processes their personal data. In practice, this means that the GDPR applies to most enterprises that process personal data of people in the EU, regardless of where they are based or where their processing operations take place.

  • What is personal data?

    The GDPR’s definition of personal data encompasses what we usually think of as Personally Identifiable Information (PII) – names, passport numbers, birth dates, and so on – as well as data that we may not think of as PII, such as email addresses, IP addresses, or device IDs, whenever it can be linked to an identifiable person.
    Please see Article 4(1) of the GDPR for the definition of personal data. A subset of personal data known as “special categories of personal data” is treated more strictly (Article 9): it covers racial or ethnic origin, religious beliefs, political opinions, health data, and so on, and may only be processed under narrower conditions.

  • Who is impacted by the GDPR?

    The GDPR has a broad geographical scope (Article 3). It applies not only to all EU-based enterprises that handle personal data but also to any non-EU-based entity that processes personal data of individuals in the EU, including enterprises that
    a) Offer goods or services to individuals in the EU, whether or not payment is required
    b) Monitor the behaviour of individuals within the EU
    GDPR strives to protect personal data at all stages of data processing, and it distinguishes between data controllers (who determine the purposes and means of processing) and data processors (who process data on a controller’s behalf), both of whom have obligations.

  • What are the requirements of GDPR?

    Companies must take appropriate technical and organisational measures to protect personal data from loss or exposure, according to the GDPR. The most significant principles governing the processing of personal data are summarized in Article 5 of the
    GDPR:
    • Lawfulness, fairness and transparency: personal data must be processed in a fair, lawful, and transparent manner. It should not be used in ways that an individual would not reasonably expect.
    • Purpose limitation: personal data should only be collected for specified, explicit purposes. It should not be used in any way that is incompatible with those purposes. When collecting personal data, enterprises must explain why they need it.
    • Data minimisation and accuracy: only the data needed for those purposes should be collected, and it must be kept accurate and up to date.
    • Storage limitation: personal data should be retained for no longer than is necessary for the purpose for which it is processed.
    • Integrity and confidentiality: personal data should be processed in a way that ensures its security, including safeguards against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
    • Accountability: the controller must be able to demonstrate compliance with all of the above.
    Separately, Chapter III of the GDPR gives data subjects in the EU the right to access their personal data and to obtain a copy, have it rectified, erased, or restricted, object to its processing, or have it transferred to another organization (data portability), subject to the conditions set out in the Regulation.

  • GDPR & Twake

    Twake is built to protect personal data and online privacy. We applaud the recent EU rule that strengthens and unifies these safeguards for individuals under its authority. We thoroughly reviewed legal and technical implications of the GDPR to assure compliance and made all necessary updates to our products, services, and documentation. Twake clients enjoy the best control over their data. We even equip our website visitors with the tools they need to protect their information.
    Twake is 100% compliant with GDPR requirements.

  • What does Twake do to ensure full compliance with GDPR?

    • We conducted a security audit to ensure that all of our security policies and safeguards are GDPR compliant.
    • GDPR is covered by Twake’s organizational policies, including our data security and data privacy policies. Our entire team understands the importance of good data security and privacy standards across the board. This is a continuous process that we consider as critical to our project’s success.
    • We completed Data Protection Impact Assessments to identify and minimize any risks from our processing activities.
    • We store all our data in OVH Cloud servers located in France.
    • We ensured that our Privacy Policy outlines Twake and Linagora’s commitment to GDPR, is transparent about how we use personal data, and informs individuals on how to exercise their data subject rights.
    • We are establishing the operational procedures necessary to support an individual’s rights to access, review and delete any of their data that we store.
    • As a processor and controller of personal data, we are keeping accurate records of our processing activities.
    • Cookie notifications can be tailored to meet the legal needs of each country or region.
    • We have strict measures to protect your personal and professional data. Concerning your password and personal data specifically, passwords are hashed using PBKDF2, your data is encrypted before it is sent to the database (encryption at rest) and we use TLS encryption for communications (encryption in transit).
    • The larger issue of data security is more of a long-term commitment than a one-time project. In an ever-changing landscape of regulation and real-world risks, Twake remains committed to data security and privacy, and we will ensure that our customers are safeguarded.

  • How can Twake help your company to comply with the GDPR?

    We are trying to ensure that our products and services allow our clients to comply with the GDPR. This includes:
    • Continuing to improve the security features in our products as well as our enterprise and infrastructure’s security framework, as detailed in the previous section.
    • Ensuring that our customers’ contracts with us allow them to comply with the GDPR’s requirements for appointing data processors (Article 28), and that our own contracts with sub-processors are compliant.
    • Continually reviewing GDPR compliance recommendations in general and changing our strategy as necessary.

GDPR Compliance Checklist for Cloud Security


The GDPR requires businesses to secure their customers’ and employees’ personal data at all phases of the data processing lifecycle.

Complying with this obligation has become increasingly difficult as more firms adopt and use cloud-based communication and collaboration solutions. According to a recent survey, 60% of businesses aim to entirely forsake on-premises solutions in the next two years in favor of cloud-based, Software-as-a-Service (SaaS) technologies.

Smaller businesses are also moving to the cloud: an SMB’s average number of cloud apps was predicted to be 7 in 2017. It is not easy to pick cloud-based services that help businesses ensure and maintain GDPR compliance.

When looking for a service provider, businesses must consider a variety of technological and legal factors.

Our checklist summarizes the five most crucial things to keep in mind.

1. What encryption technologies are utilized by the provider?

While the GDPR does not mandate specific encryption methods, it names encryption as an appropriate safeguard (Article 32), and under Article 34 a controller need not notify affected individuals of a breach if the leaked data was rendered unintelligible to unauthorised persons. Whether that holds depends on how the encryption keys are stored: if the keys live next to the data, or the provider can decrypt on its own, a breach of the provider can still expose the plaintext, so it is critical to determine whether re-identification of individuals from the leaked encrypted material is achievable with a reasonable amount of effort. With in-transit and at-rest encryption, Twake offers strong protection to the personal data of its users. We have also included end-to-end encryption in our short-term roadmap, so that the keys remain with the users rather than with the service, to provide even stronger protection to our users and their personal data.

2. What other security and control options does the service provider provide?

Beyond robust encryption, the supplier must take additional precautions to protect their users’ data. Account security should be treated seriously first and foremost. This includes securely managing user authentication, ideally using zero-knowledge approaches. There are many levels of security when it comes to how a service provider handles your password, from storing it in plaintext, through storing only a salted, deliberately slow hash of it (for example PBKDF2, as Twake does), up to the “zero-knowledge” method, which provides the maximum level of password security: your provider has no knowledge of your password at all, because only a proof derived from it, never the password itself, is sent to the server. Your password will not be compromised in this instance if the service provider is hacked or if an employee leak occurs.

According to surveys, employee errors or malicious workers account for a major part of data breaches. These occurrences might include lost or stolen work devices, as well as intentional data leaks by personnel. To reduce the dangers of these incidents, make sure your provider has robust data control and governance capabilities. You should look for the following features:
• Permission management, including the ability to set granular access levels to personal and other sensitive data.
• Audit trails: the ability to monitor staff activities related to file management, such as who opened or deleted files.
• The ability to create and monitor internal security policies related to data security.
• Backup options such as deleted file recovery.
• Device control tools.

3. Is the supplier upfront about where the data is stored and how it is protected?

Personal data must be processed lawfully, fairly, and transparently, according to the GDPR. This is true for companies that manage personal data (data controllers) as well as the cloud-based services they use (data processors). The data controller, however, must ensure that the third-party services it uses meet these rules, as it bears the ultimate responsibility for data protection under the principle of accountability: the controller should be able to demonstrate that all the principles governing the processing of personal data have been followed. Aspects such as data residency are also critical. Although the GDPR does not require that the data be stored in the EU, if your supplier keeps your data in EU datacenters, GDPR compliance will be easier. Additional guarantees are required when the provider employs third-country datacenters or sub-processors, to ensure that your data is protected to the same high standards that the GDPR mandates in the EU.

4. Is the company able to produce legally binding data protection documents?

The GDPR harmonises data protection legislation across all EU member states to give individuals in the EU more control over the privacy of their data. This means that all businesses that handle the personal data of individuals in the EU must follow its stringent requirements. If you are looking for a cloud solution provider situated in the EU (for example, Twake is located in France and so are our servers), look for evidence that the company has prepared its data management systems for the GDPR. This includes, among other things, providing the appropriate data protection documentation, such as a clear and easy-to-understand Privacy Policy and Terms of Use, as well as a Data Processing Agreement (Article 28) that their business clients can sign. If the cloud provider is not based in the EU, you will need to look for additional evidence. Ascertain whether the company is based in a country that has received a European Commission adequacy decision (Article 45) or provides other acceptable safeguards establishing that it offers the same high level of protection as EU companies (for example, Standard Contractual Clauses adopted by the European Commission, or Binding Corporate Rules (BCRs) approved through the procedure specified in GDPR Article 47).

5. How does the company demonstrate that the aforementioned procedures are followed?

The GDPR is distinctive because it takes a risk-based and by-design approach to data protection and privacy. Companies must analyse the risks associated with personal data processing and take appropriate technical and organizational measures to mitigate them. They must also be able to demonstrate that they took the necessary precautions in light of those risks. This is true of whatever cloud provider you are considering: ask how it assesses risk and what measures it has implemented. Even though the GDPR is a relatively new regulation, you can ask a provider for further data protection agreements and for evidence of the measures it has taken.


Twake development is powered by Linagora
