This is a Controlled Document
Inline with GitLab's regulatory obligations, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.
GitLab is fully committed to protecting the personal data of its customers, employees, suppliers and other stakeholders in accordance with the requirements of the General Data Protection Regulation (GDPR) and other global comprehensive data privacy laws. We take the privacy of personal data very seriously and have initiated a variety of methods and controls to ensure we know what data we collect and hold and that we protect that data appropriately.
As part of this commitment, GitLab ensures that, where appropriate, projects and personal data processing activities are subject to Privacy Reviews and a Data Protection Impact Assessment (DPIA) as key components of a ‘Privacy by Design’ approach. The purpose of this assessment is to ensure that our use of personal data is fully understood, that risks to the rights and freedoms of individuals resulting from the processing of personal data are carefully examined and that all appropriate measures are put in place to protect these rights throughout the lifecycle of the processing.
Privacy Reviews and DPIAs, in conjunction with the associated forms and guidance, should be used to ensure that our obligations and policies in this area are met.
This policy applies to all of GitLab's customers, employees, suppliers and other stakeholders personal data in accordance with the requirements of the General Data Protection Regulation (GDPR).
| Role | Responsibility |
|---|---|
| GitLab Team Members | Responsible for following the requirements in this policy |
| Privacy Team | Responsible for implementing and executing this policy |
| Security Management (Code Owners) | Responsible for approving significant changes and exceptions to this policy |
Any project that involves processing of personal data requires a Privacy Review and when certain criteria are met, a DPIA may be required. Where a Project Manager is unknown, undefined or unable to complete a DPIA, the highest admin level individual for the respective application needs to complete the documentation. Ultimately, the highest level admin has responsibility and accountability for ensuring submission and completion of the DPIA assessment. Any admin on the respective technology should sign off on the DPIA to signify understanding and accountability for the risks in the particular technology. Product Managers/Admins should ensure that the Privacy Team is consulted, in a timely manner, in all issues relating to the protection of personal data.
Researchers should ensure that a data management plan that incorporates a Privacy Review is completed for any project that involves processing of personal data. Where additional advice is required they should contact Legal in the first instance who will liaise with the Privacy Team, as necessary.
The Privacy Team is responsible for ensuring privacy measures implemented against Privacy Reviews and DPIAs are compliant with this policy and relevant data protection legislation. They will be involved in the Privacy Review and DPIA process.
A Data Protection Impact Assessment or DPIA is a way to systematically and comprehensively analyze processing and help identify and minimize data protection risks. DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.
To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals. A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified. DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.
A DPIA is a process to help identify and minimize the data protection risks of a project, system or application. There are a number of criteria that determine when a DPIA should be carried out within GitLab.
A DPIA must be done before beginning any type of processing which is “likely to result in a high risk”. This means that although the actual level of risk has not been assessed, screening for factors that point to the potential for a widespread or serious impact on individuals must take place.
The GDPR requires a DPIA if we plan to:
The ICO also requires a DPIA if we plan to:
GitLab requires a Privacy Review for all projects where one or more of the following applies:
You are required to have this work signed off by the Privacy Team. If there is uncertainty regarding whether it is appropriate to carry out a Privacy Review for a specific project, by default the project team should err on the side of caution and ensure that one is performed. The Privacy Team may be consulted for clarification and further guidance may have been issued by the ICO, in which case this should be consulted also.
GitLab requires a Privacy Review to be completed or reviewed when a significant change is made to the way personal data is processed, such as a significant system upgrade.
The Privacy Team may require a DPIA following a security incident or breach, where a concern has been raised or where risks have been identified that require appropriate management.
A Privacy Review should be started in the early stages of a project, before any processing has started and before a system has been identified. It should run alongside the planning and development process. The Privacy Review will inform whether a full DPIA is necessary. A full DPIA will then identify controls to mitigate risks which should then be included in the requirements of a potential system. It may be useful at this point to have this reviewed by the DPO and/or IT Security for advice with both technical and non-technical requirements.
By starting a DPIA at the early stages risks and required controls to ensure legal compliance and security can be developed from the outset, ensuring that privacy is developed by design. If a DPIA is left until late in a project there may be additional controls or manual workarounds needed to ensure compliance which can have substantial costs associated. A DPIA can also help with data minimization, identifying information that may not be required and therefore minimizing the cost of controls that may not be required.
The DPIA should be maintained throughout the project, be regularly reviewed and updated as the work progresses to ensure new risks are included as soon as they are identified and controls are developed. Before the project goes live the DPIA should have a review by the Privacy Team and Head of IT Security to ensure risks are managed to an appropriate level.
Where a project has high risks, the DPIA may require Legal approval and the project manager should consult the DPO for further advice. In the event that the results of the DPIA indicate a high level of risk that cannot be mitigated, the GDPR requires that the ICO is consulted before any processing takes place. The project manager should consult the DPO for advice and to facilitate this process. The ICO has eight weeks (extendable by a further six weeks) to provide a judgement on the proposed processing and, if appropriate, give details of what must be done to make the processing acceptable under the GDPR, or ban the processing altogether.
The DPIA is a process to help you identify and minimize the data protection risks of a project. The Privacy Team must be included in the process and can provide appropriate advice. The process is designed to be flexible and scalable.
The Privacy Review typically begins as part of a Procurement issue. After reviewing your answers to some initial questions, the Privacy team will advise whether a Privacy Review should be opened.
All applications are required to have a Privacy Reviews although a DPIA may not be required in every instance (such as where no personal or sensitive data is involved).
Privacy Reviews should be treated as living documents and recorded in ZenGRC. The reviews should be evaluated on a regular basis to ensure that they remain current and the applied controls valid. The relevant risk assessments will also be reviewed upon major changes to the business such as introduction of new or changed IT services. Any significant changes may need to be readdressed by the Privacy Team.
Risks are identified, assessed, and managed according to GitLab's security risk management process.
Procurement Privacy Screening - In the Procurement process, follow the steps as outlined, answering screening questions, tagging Privacy when warranted. This process will vary based on the type of procurement you are seeking, so following the Procurement instructions within Coupa is the best way to ensure you are completing necessary steps.
Privacy Review - If your procurement requires a new Privacy Review, the Privacy Team will review the tool and work with you and security to get complete answers to relevant questions. The Privacy Team will then determine whether a full DPIA is necessary.
DPIA (when necessary) - If a full DPIA is necessary, the Privacy Team will create the DPIA issue and draft, and bring in necessary contributors.
Implementation of Mitigations - After the DPIA has been completed, you will need to acknowledge the mitigations required and commit to implementing these. Upon your confirmation of understanding, you may close the issue.
For further information or questions on this process you may contact the Privacy Team.
Once the risk plan has been approved, the necessary controls should be completed as part of the project. In the event that any required security actions are delayed or cannot be completed, the implications of this to the protection of the personal data involved must be assessed by management and a decision taken about what to do next. If the untreated risk is sufficiently serious, this may have a significant impact on the viability of the project from a compliance viewpoint and advice should be sought from the Privacy Team. The process of DPIA is fundamental to the implementation of a successful project that handles personal data and is a significant part of the GDPR legislation. Only by fully understanding the risks to the data subject with regard to our processing of personal data can we hope to ensure that the controls we have in place are sufficient to provide an appropriate level of protection and meet the high standard expected of us. By following this process, GitLab will move toward ensuring that the risks that it faces in the day to day operation of its business are effectively managed and controlled.
Exceptions to this procedure will be tracked as per the Information Security Policy Exception Management Process.
