The General Data Protection Regulation (GDPR) is a European privacy law that is set to go into effect in May 2018. The GDPR replaces the Data Protection Directive that was put into place in 1995. Although it is a European law, it will impact any entity that does business in or offers services and goods to people in the European Union (EU), regardless of their location. It will also apply to any entity that collects and analyzes the data of EU residents or businesses.
The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that is directly or indirectly identifiable to an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition.
Specifically, GDPR grants EU citizens these controls over their personal data:
The California Consumer Protection Act (CCPA) took effect on January 1, 2020. Similar to GDPR, CCPA is intended to protect personal information and also articulates the rights that California consumers have regarding their information. CCPA applies specifically to residents of California.
The definition of Personal Information in CCPA is very similar to GDPR's definition of Personal Data: "Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Just as GDPR establishes rights for EU citizens, CCPA establishes certain rights for California residents:
Companies within and outside of the European Union will be required to make a number of adjustments to the way they access and process the personal data of EU residents in order to be GDPR compliant.
Identifying data controllers and processors is a key step toward GDPR compliance.
A controller is a company or organization that determines the purpose for and manner in which personal data is processed.
Controllers can also be processors.
Data processors take the information controllers have accumulated and process the personal information.
GitLab’s CI/CD tools fall under the processor category.
The responsibility of GDPR compliance is heavily imposed on controllers. Data controllers are responsible and liable for GDPR compliance in the processing of personal data, even in cases when they have outsourced processing activities to another company. Nonetheless, processors are also obligated to be GDPR compliant under the law.
To inquire about executing a DPA, please contact your Sales Account Manager. If you do not know your Account Manager, please email [email protected]
| Maintain a legal basis for data collection and processing | Companies must have a legal basis for the processing of personal data. |
|---|---|
| Be transparent | Companies must inform individuals about the collection of personal data as well as why and how the data is being used. Information must also be provided about how the data is being stored and the length of time for which it will be held. Individuals must also be advised when their information is transferred internationally. |
| Employ a data protection officer | Companies that have personal data collection or processing at the core of their business will be required to hire or appoint a data protection officer (DPO). Specifically, a DPO will be required by GDPR if a company processes a large amount of personal or sensitive data regarding criminal offenses or convictions. Companies that regularly and systematically monitor the personal data of individuals on a large scale are also required to have a DPO in order to be GDPR compliant. |
| Preserve records | Under GDPR, companies will be required to maintain processing records for personal data. The records can be requested by the supervisory authority at any time. |
| Implement data protection by default and design | Data protection safeguards must be built into products and services during the earliest stages of development. |
| Provide notification of a security breach | Individuals must be directly notified of security breaches that affect their personal data within 72 hours. Supervisory authorities must be advised of security breaches that present a risk to the rights and freedom of individuals within 72 hours. The general public must be immediately alerted of security breaches that are sufficiently serious. |
Controllers and processors of personal data must create a GDPR action plan that encompasses all of the new requirements.
As the first single application for software development, security, and operations (DevSecOps), GitLab’s tools offer a streamlined process that can keep your entire team synchronized and your most important data secure. Our tool features Kerberos-powered user authentication and a secret push protection feature that allows your company to prevent sensitive files from being accidentally pushed into a live repository.
GitLab’s CI/CD tools also offer a number of features that may help your team members remain in compliance with your company’s legal, licensing and other requirements. Some of those tools include:
GitLab offers built-in application security testing scanners that routinely check code for common issues during development and deployment. Our scanners also monitor previously patched vulnerabilities in order to ensure that our security-sensitive services are guarded.
Find out how GitLab’s end-to-end software development tools can help your company monitor all of the steps in your production lifecycle.
Any entity that does business with corporations or individuals in the European Union and will have access to personal data.
May 25, 2018
Yes, compliance is an ongoing process and we work diligently to keep up with best practices and processes every day.
Controllers determine how personal data is processed and used. Processors simply process the data as prescribed by the controller.
The supervisory authority is the United Kingdom’s Information Commissioner’s Office (ICO). The independent regulatory office is a public body that reports to Parliament. The ICO is tasked with “uphold[ing] information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” according to the authority’s website.
Privacy by design occurs when data protection is embedded into each step of the personal information processing life cycle, including processing product development, software development, and IT systems. Privacy by default means that the strictest privacy settings are automatically in place when an application is released to the public.
Companies should designate an employee to oversee GDPR compliance and determine where that responsibility will fall within the organization (for example, the security department). Some companies will be required to hire or designate a data protection officer to oversee GDPR compliance within their organization.
GDPR calls for some companies to designate a Data Protection Officer (DPO) depending on the nature and amount of personal data the entity processes. The officer, who must be an expert in data protection law, will be tasked with establishing and maintaining a data security plan and GDPR compliance. DPOs are required for public entities as well as companies that manage or store large amounts of personal data, process or hold special personal information or routinely monitor the personal data of private individuals.
No, GitLab is a processor of information. While GitLab continuously works towards maintaining GDPR compliance, simply using GitLab’s services does not make your company compliant. As the controller of the information, you must ensure that your collection of personal data, as well as any other processors in your pipeline, are GDPR compliant.
Breaches in GDPR compliance can range from a stern, written warning for first-time, unintentional infractions to a fine of €20 million or 4 percent of the company’s previous year’s total global revenue, whichever is greater.