General Data Protection Regulation (GDPR), Article 28 (paragraph 1):
“Where processing is to be carried out on behalf of a data controller, the data controller shall use only processors (subcontractors) providing sufficient guarantees that appropriate technical and organisational measures will be implemented to ensure that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
When the General Data Protection Regulation (GDPR) goes into effect this May, one of the key areas of impact will be the relationship between businesses and their technology partners, as partners will have greater responsibility to protect businesses’ data.
Merrill’s reason for existence centres on ensuring clients can securely share their most sensitive information on our SaaS platform. Therefore, we take compliance very seriously; we know the negative impact breaches can have.
Although the responsibility for your organisation’s GDPR compliance lies with your business, here are six compliance items we can help you check off your third-party audit list:
- What organisational measures has Merrill Corporation implemented to ensure stored data meets the requirements of the GDPR?
Merrill Corporation is ISO/IEC 27001:2013 certified, the best-known standard setting out requirements for an Information Security Management System (ISMS). Merrill has established security standards, methodologies and processes to support the ISMS programme. Merrill’s ISMS serves as the foundation for all business security programmes.
- What technical measures has Merrill Corporation implemented to ensure stored data meets the requirements of the GDPR?
As a multi-tenant cloud application, Merrill DatasiteOne uses the latest cloud security best practices:
- User information, application data and logs are stored and maintained separately
- Passwords are stored as cryptographic hashes
- Customer-supplied files are encrypted at rest with AES 256-bit encryption and backed up according to a pre-defined schedule
- Data in transit is secured via 256-bit SSL encryption
- Events are captured, analysed and actioned in real time
- Customer files are accessed only upon request and supported by documented access review and change management processes
- Upon project closure, project files are deleted after 30 days if no specific retention period has been requested
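The password bullet above states that hashes are used but not how. The following is an added example, not Merrill’s code and not a description of how DatasiteOne actually stores credentials; it shows what a salted, iterated password hash and its constant-time verification look like, together with a simple audit check a third-party reviewer could run over stored records to confirm they are not bare, unsalted digests. PBKDF2-HMAC-SHA256, the record format, the iteration count and the audit thresholds are all assumptions chosen for the example.

```python
"""Added example (not Merrill's code): salted, iterated password hashing
and an audit check over stored records. Algorithm, record format and
thresholds are assumptions, not facts from the page."""
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed work factor; raise as hardware allows. Far above the audit floor below.
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt is drawn per call, so two hashes of the same password differ."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and compare
    in constant time, so a mismatch leaks no timing information."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def audit_record(record: str, min_iterations: int = 100_000,
                 min_salt_bytes: int = 16) -> List[str]:
    """Checks an auditor might run over a stored record. Returns a list of
    findings; an empty list means the record passes. Thresholds are assumed."""
    findings: List[str] = []
    parts = record.split("$")
    if len(parts) != 4:
        # A bare hex digest with no salt or iteration count is the classic
        # unsalted-hash anti-pattern: cheap to attack with precomputed tables.
        return ["record is not algorithm$iterations$salt$digest; looks like a bare unsalted hash"]
    algo, iters, salt_hex, _digest_hex = parts
    if algo != ALGO:
        findings.append(f"unexpected algorithm tag {algo!r}")
    try:
        if int(iters) < min_iterations:
            findings.append(f"iteration count {iters} below minimum {min_iterations}")
    except ValueError:
        findings.append("iteration count is not an integer")
    try:
        if len(bytes.fromhex(salt_hex)) < min_salt_bytes:
            findings.append(f"salt shorter than {min_salt_bytes} bytes")
    except ValueError:
        findings.append("salt is not valid hex")
    return findings


# Constructed sample of the anti-pattern the audit should flag: a bare SHA-256
# of the password with no salt. Not taken from any real system.
BARE_SHA256_RECORD = hashlib.sha256(b"correct horse battery staple").hexdigest()

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print("record:", rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("wrong password", rec))
    print("audit good:    ", audit_record(rec))
    print("audit bare:    ", audit_record(BARE_SHA256_RECORD))
```

The record stores its own salt and iteration count, which is what lets a verifier recompute the digest later and what lets an auditor check the parameters without knowing any password. The audit function is deliberately format-level only: it can tell an unsalted or under-iterated record from a sound one, but it cannot judge password strength or the secrecy of the store itself.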
- Is personal data stored outside the EEA?
No. Merrill has invested in European-based client support and hosting facilities. Merrill does not store data outside the EU unless requested by a European-based client.
- Does Merrill Corporation have a security breach response plan and team in place?
Yes. Under the GDPR, the new obligations include reporting breaches to the authorities within 72 hours. As such, Merrill Corporation has an efficient incident-response management programme to enable us to identify breaches and inform our clients.
- Under the new regulation, if I am engaging in a cross-border transaction, can I use Merrill Corporation’s software to share highly sensitive and personal data with organisations outside the EEA?
Merrill’s US entity is certified under the EU-US and Swiss-US Privacy Shield frameworks. If your organisation chooses to host its project on Merrill’s US-based platform, data will be protected in the same manner as on our European-based platform, with the same security, processes and policies.
- How does Merrill Corporation intend to ensure ongoing compliance with the GDPR?
Merrill conducts privacy impact assessments on a regular basis to understand the data flow within Merrill as a service organisation. Merrill provides updated training on security, confidentiality and data privacy obligations yearly, to ensure regulatory changes are understood and best practices are met.
To comply with your obligations under the GDPR regarding the protection of personal data, evaluating third-party suppliers’ compliance in this context is a must. If you have a new transaction on the horizon and want to speak to us about our compliance or any other matter, please feel free to contact us on +44 20 3031 6300 or email firstname.lastname@example.org