One of the most stringent sets of regulations that global organizations are adopting is the European Union’s General Data Protection Regulation (GDPR). OneLogin is no exception: GDPR is on its radar, and the company is currently preparing for it. One of OneLogin’s main objectives is to be among the first organizations to adopt advanced regulations that will strengthen its own security measures and those of its customers.
In previous years, OneLogin adopted ISO 27018 and the Generally Accepted Privacy Principles (GAPP) for privacy protection. GDPR is unlike any set of regulations that has existed before, although it has been likened to the Sarbanes-Oxley Act of 2002. The GDPR text has already been published, but the accompanying ePrivacy Regulation has not yet been released. GDPR will begin to apply on May 25, 2018, and OneLogin is preparing to meet that deadline and achieve compliance.
OneLogin has been working on policies and processes, and has committed its resources to aligning itself with the relevant frameworks. The company has taken a fresh approach to developing data flows and structuring an advanced data-mapping diagram (Article 30). It is also working on contract language specific to GDPR. OneLogin has worked on data breach notification language (Article 34), the responsibilities of data processors toward data controllers (Article 28), and the use of subcontractors (Article 28), which are among the contract clauses that needed clarity. The new contract wording has been included in OneLogin’s MSA and Data Processing Agreement. The company is also working with its customers to develop language that will work for them.
OneLogin will hire independent external legal counsel to serve as its DPO in the European Union, in line with the GDPR’s Data Protection Officer (DPO) requirements (Articles 37-39). The new regulations will also lead to new certifications: OneLogin will undergo an independent review early next year to confirm that it has complied with the GDPR requirements, and it will also receive a new GDPR certification (Article 42).