When the GDPR became enforceable on May 25 for any company with either European customers or employees, it became the source of intense consternation in some C-suites.
Within 24 hours, both Google and Facebook were hit with lawsuits that threaten over $8 billion in damages. In April 2018, Harvey Nash and KPMG found that 38% of tech execs worried that they would not be GDPR compliant by the May deadline, and a survey of attendees at the Infosecurity Europe conference in August 2018 found that 28% of organizations still did not consider themselves fully compliant.
But for Andre Schindler, NinjaOne’s General Manager for EMEA, fleshing out the company’s privacy and GDPR policies was an opportunity to be transparent with customers.
“The whole idea of GDPR is to help people understand what happens with their data,” Schindler says. “Don’t hide it in complicated terms, don’t hide it in the end-user license agreement (EULA) somewhere on page 15. Simply tell them what happens with their data.”
Schindler retained the services of the respected privacy consultants at TrustArc to assess NinjaOne’s data processes. Headquartered in San Francisco, TrustArc assists more than 1,000 companies around the world with privacy, compliance and risk management.
[Figure: In Good Company. Selected tech firms that have retained TrustArc for privacy compliance and risk management.]
“We wanted to have an independent contractor to look at all of the things we’re doing, and make sure we’re not forgetting anything,” Schindler says.
After obtaining NinjaOne documents and interviewing staff, TrustArc identified the types of personal data the company collects, confirming that each was genuinely necessary to provide service to customers. TrustArc also confirmed that NinjaOne had robust procedures for European customers to have their data accessed, corrected, or deleted. The review of GDPR procedures also examined the security regime, including physical protections at data centers, the strength of encryption algorithms and firewalls, and network security protocols.
Ultimately, the Ninja GDPR policy boils down to clear disclosure about what the company does with user data, as well as procedures in the event that a European customer wants to review personally-identifiable user data or have it deleted. This is particularly important for a SaaS company like NinjaOne that relies on prospective customers providing contact info to sign up for demos or for service.
In keeping with GDPR rules, customers actively opt-in before a company can use their data to contact the person.
And if the person signs up for service, personal data and financial details are transmitted over TLS and then stored in a data center protected by AES-256 encryption, automated backups, employees who use two-factor authentication, and fire suppression systems. Ninja also participates in the EU-US Privacy Shield framework, which replaced the previous International Safe Harbor Privacy Principles.
“We keep data very close, and only share where technology requires us to share,” Schindler says.
NinjaOne only integrates with third-party technology partners that have also achieved GDPR compliance, such as the antivirus tool Webroot or the remote access company TeamViewer. And if an E.U.-based MSP, or an MSP that has customers in Europe, ever wants to see what personally-identifiable data NinjaRMM has collected, or have that data deleted, it simply needs to contact NinjaOne at [email protected].
“Data privacy is not there to be sold — nor should it be a new concern just because GDPR came into being,” Schindler says. “Data privacy and the security of customers must be a fundamental part of any company’s goals.”