Onwards and Upwards: Our GDPR Journey and Looking Ahead
At Imperva, our world revolves around data security, data protection, and data privacy. From our newest recruits to the most seasoned members of the executive team, we believe that customer privacy is key.
For the better part of the last two years, Imperva has laid the foundation for our compliance with the EU General Data Protection Regulation (GDPR). At roughly ninety pages with 173 recitals and 99 articles, it’s a massive regulation that fundamentally shifts the data privacy and data protection universe.
We at Imperva are proud of what we’ve accomplished in this time. As the lead for Imperva’s Privacy Office, I can candidly say that our success has been made possible only through the combined efforts of the entire organization. Thank you to our many Privacy Champions that have actively engaged within their departments and teams.
And a special thanks to our many critical internal partners, including our CMO David Gee, for his humorous evangelizing of data privacy initiatives, our Director of InfoSec, Noam Lang, our CIO, Bo Kim, who was also our first-ever privacy champion, and our CEO, Chris Hylen, for all having supported and prioritized data privacy initiatives within Imperva.
Just the beginning
Our work to comply with GDPR represents only the start of Imperva’s journey to protect, and to create products that protect the data privacy of our customers and their users. Already, Imperva is proactively building on our GDPR work and looking to ‘infinity and beyond’. Part of that ‘beyond’ is our monitoring and preparation for other game-changing regulations such as the EU ePrivacy Regulation and California’s Consumer Protection Act.
A Successful Launch
Imperva has launched significant enhancements to our data privacy and data security programs and environments to account for new obligations under GDPR.
- Governance: We have formalized and expanded the governance structure of the data privacy function within Imperva, including the creation of a dedicated Privacy Office. This updated governance structure has been integrated into our annual third-party certification audits and reviews.
- DPIAs: We have expanded our standard internal Privacy Impact Assessment process to trigger additional Data Protection Impact Assessments when appropriate.
- Security Environments: We have long maintained several common certification frameworks via third-party audits, including ISO 27001, the PCI Data Security Standard, and SOC 2 Type II reporting. As part of ensuring that our robust environments remain secure, we mapped our GDPR infosec obligations to our existing control frameworks to ensure we meet all GDPR obligations on an ongoing basis.
- Updated Privacy Notices: We updated the privacy policies on our web properties to reflect the changes we’ve adopted under GDPR. Additionally, we’ve refreshed our cookie consent banners and cookie policies for those in the European Union.
- Customer Agreements: In order to facilitate streamlined customer onboarding, we’ve created ready-to-sign Data Processing Agreements (DPAs) that provide details about what personal data an Imperva product or service collects in order to provide that service. These DPAs utilize the controller-processor model clauses approved by the EU Commission and address customer concerns about how cross-border data transfers are GDPR-compliant.
- Data Subject Requests: We’ve rolled out a new data subject request portal on our web properties. Additionally, we’ve worked with each Imperva department to ensure smooth operational processing of data subject rights, including access, rectification, and erasure.
We here at Imperva have not been satisfied by merely meeting our obligations. We are making data privacy a priority. As a security company, data privacy is mission critical. It’s part of earning and maintaining the trust of our customers and employees.
Even Better Products: Our Product teams have worked hard to re-architect infrastructure to enable regional storage of logs. This new feature makes compliance with GDPR far easier for customers or their subsidiaries operating primarily within a single geographic region by reducing cross-border data transfers. Additionally, regional log storage enables genuine conformity with data localization and residence laws, such as those in China, Canada, Germany, Russia, and South Korea.
Embedded Privacy Champions: We’ve ramped up our program to embed mini privacy subject matter experts within each department. Today, three percent of our workforce are privacy champions thinking about how to protect your personal data. And that number is growing.
Privacy Guidance Down to Departments: The Privacy Office has worked with each department to create individual departmental policies and operational guidance to ensure that Imperva employees in every role know how to safeguard and protect personal data.
Vendor Management: We’ve reviewed dozens of vendors across all product lines to ensure we have the appropriate data privacy and security provisions, data processing agreements, and standards in place to safeguard our customers’ personal data. Our subprocessors page on our web properties provides additional information about third-party service providers.
Imperva has aimed high when it comes to the obligations created by GDPR, but we’re also looking far beyond.
In particular, Imperva is keeping a close eye on new data privacy laws and updates coming down the line that could impact our customers’ data privacy obligations, and therefore our obligations to you—such as the EU ePrivacy Regulation, which updates the 2009 ePrivacy Directive, as well as the California Consumer Privacy Act, which becomes enforceable on January 1, 2020.
GDPR is a significant milestone in the data privacy universe and so too in Imperva’s journey, yet it’s important to recognize it as a milestone and not as an endpoint. GDPR represents only the start of Imperva’s journey to protect and to create products that protect the data privacy of our customers and their users.