The General Data Protection Regulation (GDPR), is a European privacy law that will go into effect on May 25th 2018. It is based upon the European understanding that privacy is a fundamental human right. Established by the EU Parliament, the GDPR regulates how individuals and organizations can obtain, use, store, and remove personal data. It gives EU citizens and residents control over their personal data, and simplifies the regulatory environment for international business that takes place in the EU. If you’re curious, you can read the full text of the law here.
The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.
The Data Protection Principles include the following requirements:
GDPR adds new requirements regarding how companies should protect the personal data they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breach. Beyond these facts, it’s simply the right thing to do. At LimeVPN we respect your data privacy and we have solid security and privacy practices in place that go beyond the requirements of this new regulation.
Here is an overview how LimeVPN has prepared to meet the new regulation requirements.
We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers. To guarantee no terms are imposed on us beyond what is reflected in our DPA and Terms of Service, we cannot agree to sign individual customers’ DPAs. We are a small team and are unable to make individual changes to our DPA. Any changes to the standard DPA would require legal counsel and considerable back and forth discussion, which would be cost-prohibitive for our small team. If you have any questions or concerns, please let us know.
We formed a core team of leaders from each area of LimeVPN’s business. The representatives in this group ensure that LimeVPN covers the requirements of GDPR, across all teams, from Engineering to Customer Success. LimeVPN requires that all employees learn about and follow GDPR regulations, and ensures that all employees participate in the necessary training.
We reviewed the 3rd party vendors that we use to provide our products and services, and we performed a comprehensive review of their GDPR compliance. We already have DPAs in place with the vendors who offer a signed version, while others have a DPA that is automatically accepted as part of the Terms of Service on May 25th.
One of the GDPR requirements is a managed data protection impact assessment (DPIA) process. A DPIA process is a way to help us identify and minimize the data protection risks of a project. The LimeVPN engineering team has always undergone security and privacy due diligence when choosing tools and making implementation decisions, so this requirement is easy for us. Any time we introduce a change to the way we handle personal data, we discuss the potential impact on LimeVPN customers and explore possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution to mitigate the data privacy and security risk to anyone who interacts with the LimeVPN platform. We will continue to execute this risk assessment process as we expand LimeVPN’s offerings.
We updated our existing breach management and communication plan to comply with the GDPR regulations concerning the escalation process and requirements for data subject notification.
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data. If you have any questions, please don’t hesitate to reach out.