HashiCorp and GDPR

The General Data Protection Regulation went live on May 25th, 2018. Learn how you can comply using existing Vault features.

GDPR overview

GDPR, or the General Data Protection Regulation standard, is the most comprehensive data privacy standard to date and went live on May 25, 2018.

Note: This overview is not meant to be comprehensive or serve as legal advice. We highly recommend speaking to an auditor or lawyer to dig into the details of the full regulation as there are major components of GDPR that are left to auditor and supervisory authority interpretation.

Below, we summarize the main articles and standards of GDPR.

What data is covered under GDPR?

GDPR governs security requirements for the use and storage of Personal Data for EU citizens and rights for EU citizens to their data - as well as potentially all Personal Data processed and stored within the EU. This includes any data that can be used, alone or combined with other information, to identify a natural person. It is extraterritorial - i.e., it applies to EU data regardless of that data's location.

GDPR by roles

  • Data subject: EU citizen or individual whose data is being processed within an EU member state
  • Processor: individual or group who processes GDPR data
  • Controller: individual or group who governs whether the processor has access to GDPR data and how that data is protected
  • Data Protection Officer (DPO): executive in charge of protecting GDPR-relevant data
  • Supervisory Authority: National regulatory body within EU-member country in charge of managing compliance with GDPR

GDPR by the articles

There are 99 total articles in GDPR that fall into three key categories:

  • Individual rights:
    • Rights for data subjects to dictate how their data is used, retained, and stored
  • Basis of processing:
    • Legal rights to access data including consent and necessity
    • Obligations to processors and controllers
  • Governance, accountability, and security:
    • How is personal data managed and stored?
    • How is personal data protected?
    • What happens during a data breach?

GDPR by individual rights

  • Rights to information, access: know where and how your data is being used before consent
  • Rights to erasure: demand your data is destroyed
  • Rights to object, restrict processing: right to object to data being used at any time, as well as to restrict how that data is being processed
  • Right to portability: right to demand access to stored data
  • Right to rectification: right to change data stored
  • Right to lodge complaint: petition the supervisory authority

GDPR by penalties (Article 83)

  • Non-negligent penalties: greater of 10M Euros or 2% global annual revenue
  • Negligent penalties: greater of 20M Euros or 4% global annual revenue

Negligence is determined by a number of factors, including bona fide security effort, alignment with GDPR, audit of security controls, etc.

Note: Supervisory Authorities can institute supplemental fees.

What we do to comply

HashiCorp is committed to GDPR compliance across our product suite. We've updated our privacy policies and terms of service for each of our products, and we're hard at work to put stronger security and privacy controls in place to protect your data and support your rights.

We're also committed to helping our customers accelerate their GDPR roadmap to compliance. We've been releasing features and constructing a roadmap for Vault that specifically assists in helping your organization comply with GDPR, including:

  • Vault Unified Identity and ACL policies
  • Control Groups
  • Mount Filters

The Vault product itself was developed to manage, store, and protect sensitive information in a way that reduces secret sprawl but also enables global organizations to operate at a very large scale. In the context of GDPR, we've ingrained features into Vault to help further this use case, as GDPR requires all of us to be more sensitive to where our data is physically moving or sitting at any given time and forces us to put our best effort into protecting the data sovereignty of our sensitive information.

For more information, you can refer to the webinar: Preparing for GDPR Compliance with HashiCorp Vault.

What you can do

If you are a customer of HashiCorp, there are already items that you can add to your roadmap to GDPR compliance. Below are some tips and tricks:

1. Familiarize yourself with key GDPR articles and standards

Leverage your legal, security, and audit teams to understand how these new articles differ from your existing data protection plans.

2. Create a central database or inventory of personal data that you hold

Should you get audited, you will want a trail of customer events, personal information, and communications that have been performed in one central location. You also need to be able to provide customers with the ability to consent, opt-out, or request that their data be deleted. For that, you may need a consent management tool such as OneTrust.

3. Assess any process or tool gaps so you can accelerate compliance

Audit your current tool stack, including HashiCorp products, to assess how features in your existing toolset can help you comply. For any gaps, research, evaluate, and procure new tools so you are ready for the May 25th deadline.

4. Consider leveraging existing HashiCorp products such as Vault to help in your compliance journey

HashiCorp Vault can help you comply, including Control Groups for Article 26, Article 27, Article 28, and Unified Identity and Policies and Mount Filters for Article 35.

5. Review and accept any updated terms and policy notices you receive

There are already a myriad of email communications going out regarding updates to terms and privacy policies. Review these changes regularly with your legal team.

6. Consult with a lawyer or auditor to dig into specific regulations that apply to you

GDPR is a comprehensive and complex set of requirements. In addition to the explicit provisions of the articles within GDPR, the oversight of the supervisory authorities in EU member states entails that additional implicit requirements and/or financial implications may arise depending on the region in which Personal Data is processed within the European Union. It is critical that you consult with legal counsel and your auditors to ensure that you are aligned and prepared for the release of GDPR in 2018. You can read the full regulation here.

More resources

We've compiled a list of resources that also pertain to GDPR in the security or cloud space:

Webinar On-Demand

Preparing for GDPR Compliance with HashiCorp Vault

A demo of HashiCorp Vault features that specifically assist in helping your organization comply with GDPR.