The General Data Protection Regulation (GDPR) is a European privacy law that is set to go into effect in May 2018. The GDPR replaces the Data Protection Directive that was put into place in 1995. Although it is a European law, it will impact any entity that does business in or offers services and goods to people in the European Union (EU), regardless of their location. It will also apply to any entity that collects and analyzes the data of EU residents or businesses.
The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that can directly or indirectly identify an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition.
Specifically, GDPR grants EU citizens these controls over their personal data:
Companies within and outside of the European Union will be required to make a number of adjustments to the way they access and process the personal data of EU residents in order to be GDPR compliant.
Identifying the information controllers and processors is a key component of establishing GDPR compliance.
A controller is a company or organization that determines the purpose for, and the manner in which, personal data is processed.
Controllers can also be processors.
Data processors take the information that controllers have accumulated and process that personal information.
GitLab’s CI/CD tools fall under the processor category.
The responsibility of GDPR compliance is heavily imposed on controllers. Data controllers are responsible and liable for GDPR compliance in the processing of personal data, even in cases when they have outsourced processing activities to another company. Nonetheless, processors are also obligated to be GDPR compliant under the law. For more information reference GitLab's DPA.
Maintain a legal basis for data collection and processing
Companies must have a legal basis for the processing of personal data.
Companies must inform individuals about the collection of personal data as well as why and how the data is being used. Information must also be provided about how the data is being stored and the length of time for which it will be held.
Individuals must also be advised when their information is transferred internationally.
Employ a data protection officer
Companies that have personal data collection or processing at the core of their business will be required to hire or appoint a data protection officer (DPO).
Specifically, a DPO will be required by GDPR if a company processes a large amount of personal or sensitive data regarding criminal offenses or convictions. Companies that regularly and systematically monitor the personal data of individuals on a large scale are also required to have a DPO in order to be GDPR compliant.
Under GDPR, companies will be required to maintain processing records for personal data. The records can be requested by the supervisory authority at any time.
Implement data protection by default and design
Data protection safeguards must be built into products and services during the earliest stages of development.
Provide notification of a security breach
Individuals must be directly notified of security breaches that affect their personal data within 72 hours.
Supervisory authorities must be advised within 72 hours of security breaches that present a risk to the rights and freedoms of individuals. The general public must be immediately alerted of security breaches that are sufficiently serious.
Controllers and processors of personal data must create a GDPR action plan that encompasses all of the new requirements.
As the first single application for software development, security, and operations (DevSecOps), GitLab’s tools offer a streamlined process that can keep your entire team synchronized and your most important data secure. Our tool features Kerberos-based user authentication and a secret-file push blocking feature that allows your company to prevent sensitive files from being accidentally pushed into a live repository.
GitLab’s CI/CD tools also offer a number of features that may help your team members remain in compliance with your company’s legal, licensing and other requirements. Some of those tools include:
GitLab offers built-in application security testing scanners that routinely check code for common issues during development and deployment. Our scanners also watch for previously patched vulnerabilities in order to ensure that security-sensitive services stay guarded against their reintroduction.
Find out how GitLab’s end-to-end software development tools can help your company monitor all of the steps in your production lifecycle.