It’s finally here: May 2018. A time that many have been regarding with some mix of anticipation, possibly fear, and maybe even hope, ever since the European Union (EU) first announced that its sweeping new data privacy law, the General Data Protection Regulation (the “GDPR”), would begin to be enforced as of May 25, 2018.
As a quick primer, the GDPR applies to any organization that “processes” (broadly defined in the EU to include, for example, accessing, collecting, using, storing, and destroying) the “personal data” of EU residents (another broadly defined term in the EU that means anything that can be used to identify a person, whether directly or indirectly). This is true regardless of where in the world an organization is located or does business. Given the nature of the current digital economy, in effect, this means that the law applies to organizations in every corner of the world, large and small, regardless of their industry.
There is no question that the GDPR’s impact extends far beyond the geographical limitations of the EU, and reflects a new era of data privacy laws globally intent on responding to (1) a rapidly changing digital landscape in which increasingly sophisticated technologies collect more and more information about individuals, (2) the reality of high-profile data breaches regularly dominating international news coverage, and (3) concerns about widespread information access and data sharing (including large-scale government surveillance programs) that linger on.
Here at Duo, we’ve taken a hopeful and welcoming stance when it comes to the GDPR. We think it has already had positive impacts globally on views about the importance of data privacy and security, both topics we care deeply about as a company. First, it enables and empowers individuals to take more control of their digital privacy. Second, it pushes organizations to be more transparent and responsible when it comes to how they use personal information, including by enacting better measures to protect the personal information entrusted to them. Third, it has encouraged a public conversation on a global level about what meaningful data privacy (and data privacy laws) looks like in the modern digital world.
To prepare ourselves for the GDPR, in early 2017, Duo formed a cross-functional Privacy Committee. Our Privacy Committee includes executives from our Product, Production Engineering, Security, Business Services and Legal teams. As this cross-functional team thought about the GDPR and what compliance meant for our organization, it was inspired to have tough, but productive, conversations on topics like:
- What does privacy mean to Duo?
- As a company that has always prided ourselves on being open and honest with our customers, how do we leverage the GDPR to push ourselves to be even more transparent about what, how, and why we use personal information?
- How do we drive ourselves to develop products and services that deliver better security, while also centering individuals’ privacy interests?
- What can we do to ensure we’re always able to maintain our customers’ trust when it comes to protecting the security and privacy of personal information in our care?
Very early on in our work together, the Privacy Committee decided to develop Privacy Principles to help guide our actions as a company and frame responses to some of the values-oriented questions we believed the GDPR raised. At a high level, Duo’s Privacy Principles are:
- We respect individuals’ privacy by promoting informed choice.
- We collect only the personal information we need, and “pseudonymize” or get rid of what we don’t.
- We are transparent about how we use personal information and accountable for how we and our partners use it.
- We factor security into everything we do.
- We engineer privacy into our ideas and products.
We’re committed to using these Privacy Principles to help guide decisions we make at every level of our business, every day, so that we can fulfill our mission to democratize security in a way that is consistent with our core values, as well as our legal obligations.
While we feel confident in our company’s GDPR-preparedness efforts, including the policies and procedures we’ve enacted as well as the technical and organizational changes we’ve made, we won’t pretend that we’ve answered all the philosophical or values-oriented questions that the GDPR compels organizations to consider. And that’s OK with us, because we’ve always been committed to learning together as a company. Indeed, we think that the act of considering these questions together as a business and creating a space to have an ongoing, generative dialogue with ourselves and our customers about what meaningful data privacy and security looks like today - and in the future - is a worthy exercise in and of itself.
We hope that the GDPR is inspiring - and continues to inspire - organizations across the world to have these conversations, and to take actions that promote better data privacy and security.
If you have more questions about Duo and the GDPR, here are some resources that may be of interest to you:
- If you’re wondering how Duo may best fit into your GDPR compliance puzzle, we invite you to visit this page on our website to learn how Duo’s products can help you protect personal information within your organization, aiding in your compliance efforts.
- For current and prospective customers curious about the contractual commitments we make concerning our GDPR obligations, please visit this page to view our GDPR Data Protection Addendum.
- Finally, in the spirit of transparent and open communication about our privacy practices, we have prepared an updated privacy notice that explains how we responsibly handle personal information in connection with providing our services. You can find the text-only version of that notice, which goes into effect on May 25, 2018, here.