ACL respects privacy and is committed to protecting our customers’ personal data. We have implemented and maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of personal data used by our customers in connection with ACL products and services. We ensure that our sub-processors abide by the same data protection obligations. Details of these data protection measures are described throughout these Trust web pages.
On May 25, 2018, the EU General Data Protection Regulation (GDPR) will come into effect. The GDPR brings a significant change to the regulation of personal data in the EU. It also affects organizations outside the EU who process the personal data of individuals located in the EU.
The GDPR applies to the processing of EU personal data wholly or partly by automated means, as well as to non-automated processing, if it is part of a structured filing system. “Processing” covers a wide range of activities, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
We understand that customers who use the ACL GRC Product and related services may wish to process EU personal data in connection with such use and will be required to comply with the GDPR. In such cases, ACL will be the processor or sub-processor of such EU personal data.
Security is the crux of all data protection. At ACL, we are continually monitoring and improving our security and compliance capabilities for all of our customers globally. In addition to our annual SOC 2 report and our robust information security program, we have, in preparation for GDPR, assessed our technical and organizational controls specific to the protection of personal data and have updated security processes where needed.
For customers who process personal data, our Analytics products offer a hashing function that customers can apply to personal data fields before they are published to ACL GRC. The hashing feature enables customers to cryptographically protect any personal data fields that are being uploaded. Hashed values are protected by a cryptographic one-way function that cannot be reversed, keeping personal data confidential at rest and during further processing. If you are unsure about what data can be stored, check with your Data Protection Officer.
For more information about the hashing function and our security controls, see the Security Controls.
For customers who process EU personal data in connection with their use of ACL's GRC Product and related services, ACL offers a Data Processing Addendum to ensure compliance with the GDPR obligation to have a written contract in place with ACL as a data processor. The Data Processing Addendum is in an easy to sign format and can be accessed and signed here; ACL Data Processing Addendum.
For customers using ACL’s on-premise Analytics products, all data remains on the customer’s systems. ACL does not access or process any of that data.
ACL has evaluated our existing vendors and enhanced our vendor management program to ensure that any vendors who are sub-processors of EU personal data will adhere to the same security standards as ACL and are also GDPR compliant. ACL enters into a written data processing agreement with each of our sub-processors to ensure such compliance and to ensure that any transfers of EU personal data are made only in accordance with GDPR.
We have been using our own ACL GRC Product for our GDPR compliance program!
As part of ACL GRC, we offer integrated content with built-in Compliance Maps that can be mapped to privacy controls of your existing frameworks like ISACA, SOC or ISO, allowing you to easily assess applicability and coverage while identifying material compliance gaps. Customers can customize surveys to create Data Privacy Assessments that can be assigned to control owners, helping to assist in assessments of systems or processes.
Customers can also create metrics that notify with real-time alerts that automatically warn the right people (at the right time) when non-compliant behavior is detected. This enables robotic process monitoring on compliance posture that can raise exceptions in real time with a single lens across the entire organization and beyond (including 3rd party vendors) using visualizations of relevant data. At any point in time, our customers can assess risks with an aggregate view of any existing controls deployed to manage and demonstrate compliance efforts.
For more information on how to use ACL GRC for your GDPR or other compliance needs, please visit us at www.acl.com.