---
layout: feature-kubernetes
title: GitLab GDPR Compliance
description: General Data Protection Regulation (GDPR) compliance, requirements, action plan, and frequently asked questions. GDPR is a European regulation that requires businesses to protect the personal data and privacy of EU citizens.
suppress_header: true
extra_css:
  - gitlab-feature-landing-page.css
  - faq.css
  - features.css
  - kubernetes.css
extra_js:
  - all-clickable.js
---

.wrapper.gitlab-ee-page
  .image-title
    .color-bg
      %div
        %h1 GitLab answers: What is GDPR?
        -#%a.btn.btn-lg.btn-white{ href: "https://docs.gitlab.com/ee/user/project/integrations/jira.html", target: "_blank" } Documentation
  .sub-wrapper
    .container
      .row.advantages
        .col-xs-12.col-md-10.col-md-offset-1
          %h2 GDPR overview
          %p.overview
            The General Data Protection Regulation (GDPR) is a European privacy law that is set to go into effect in May 2018. The GDPR replaces the Data Protection Directive that was put into place in 1995. Although it is a European law, it will impact any entity that does business in or offers services and goods to people in the European Union (EU), regardless of its location. It will also apply to any entity that collects and analyzes the data of EU residents or businesses.
          %p.overview
            The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that directly or indirectly identifies an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition.
          %p.overview
            Specifically, GDPR grants EU citizens these controls over their personal data:
          %ul
            %li
              %strong Right of access:
              Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, and with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.
            %li
              %strong Notice of security breaches:
              Individuals must be alerted within 72 hours if their personal data has been hacked or otherwise compromised.
            %li
              %strong “Right to erasure”:
              Individuals can decide they no longer want their personal data to be processed and request that all of their information be deleted.
            %li
              %strong Data portability:
              Individuals will be permitted to move their personal data from one company to another upon request, without opposition from the data controller.
      %hr.divider/
      .row
        .col-xs-12.col-md-10.col-md-offset-1
          %h2 Key GDPR requirements
          %p.overview
            Companies within and outside of the European Union will be required to make a number of adjustments to the way they access and process the personal data of EU residents in order to be GDPR compliant.
          %p.overview
            Identifying information controllers and processors is a key component of achieving GDPR compliance.
      .row
        .col-md-5.col-md-offset-1
          .panel.panel-default.panel-margin
            .panel-heading
              %h3.panel-title What are controllers?
            .panel-body
              %p.overview
                A controller is a company or organization that determines the purpose for and manner in which personal data is processed.
              %p.overview
                Controllers can also be processors.
        .col-md-5
          .panel.panel-default.panel-margin
            .panel-heading
              %h3.panel-title What are processors?
            .panel-body
              %p.overview
                Data processors take the information controllers have accumulated and process the personal information.
              %p.overview
                GitLab’s CI/CD tools fall under the processor category.
      .row
        .col-md-10.col-md-offset-1
          %p.overview
            The responsibility for GDPR compliance is imposed largely on controllers. Data controllers are responsible and liable for GDPR compliance in the processing of personal data, even in cases when they have outsourced processing activities to another company. Nonetheless, processors are also obligated to be GDPR compliant under the law.
            %a{ href: 'https://drive.google.com/file/d/15xnvxdaDyBpXWhJnifZgB3U2NiZ0xhN5/view' } For more information, refer to GitLab's DPA.
      .row
        .col-xs-12.col-md-10.col-md-offset-1
          %h3 These are some of the key requirements for GDPR compliance:
          %table.table-lg
            %colgroup
              %col{:width => "25%"}
              %col{:width => "70%"}
            %tbody
              %tr
                %th
                  %h4
                    %strong Maintain a legal basis for data collection and processing
                %td
                  %p Companies must have a legal basis for the processing of personal data.
              %tr
                %th
                  %h4
                    %strong Be transparent
                %td
                  %p Companies must inform individuals about the collection of personal data as well as why and how the data is being used. Information must also be provided about how the data is being stored and the length of time for which it will be held.
                  %p Individuals must also be advised when their information is transferred internationally.
              %tr
                %th
                  %h4
                    %strong Employ a data protection officer
                %td.text-left
                  %p Companies that have personal data collection or processing at the core of their business will be required to hire or appoint a data protection officer (DPO).
                  %p Specifically, a DPO will be required by GDPR if a company processes a large amount of personal or sensitive data regarding criminal offenses or convictions. Companies that regularly and systematically monitor the personal data of individuals on a large scale are also required to have a DPO in order to be GDPR compliant.
              %tr
                %th
                  %h4
                    %strong Preserve records
                %td
                  %p Under GDPR, companies will be required to maintain processing records for personal data. The records can be requested by the supervisory authority at any time.
              %tr
                %th
                  %h4
                    %strong Implement data protection by default and design
                %td
                  %p Data protection safeguards must be built into products and services during the earliest stages of development.
              %tr
                %th
                  %h4
                    %strong Provide notification of a security breach
                %td
                  %p Individuals must be directly notified of security breaches that affect their personal data within 72 hours.
                  %p Supervisory authorities must be advised of security breaches that present a risk to the rights and freedoms of individuals within 72 hours. The general public must be immediately alerted of security breaches that are sufficiently serious.
      %hr.divider/
      .row
        .col-md-10.col-md-offset-1
          %h2 Creating a GDPR action plan
          %p Controllers and processors of personal data must create a GDPR action plan that encompasses all of the new requirements.
          %h3 GDPR checklist to ensure compliance:
          %ul.fa-ul.checkbox-list
            %li
              %i.fa-li.fa.fa-check-square-o
              Identify information controllers
            %li
              %i.fa-li.fa.fa-check-square-o
              Identify information processors
            %li
              %i.fa-li.fa.fa-check-square-o
              Train data controllers and/or collectors on GDPR requirements
            %li
              %i.fa-li.fa.fa-check-square-o
              Ensure that partner vendors are GDPR compliant
            %li
              %i.fa-li.fa.fa-check-square-o
              Designate or employ a Data Protection Officer, if necessary
            %li
              %i.fa-li.fa.fa-check-square-o
              Conduct data mapping to determine what information your company collects and how it is transferred, processed, and stored
            %li
              %i.fa-li.fa.fa-check-square-o
              Build products and services using principles of privacy by design and default
            %li
              %i.fa-li.fa.fa-check-square-o
              Create a system that continuously monitors data handling and demonstrates GDPR compliance
            %li
              %i.fa-li.fa.fa-check-square-o
              Educate customers about their rights under GDPR
            %li
              %i.fa-li.fa.fa-check-square-o
              Create a notification action plan for security breaches
      %hr.divider/
      .row
        .col-md-10.col-md-push-1
          %h2 Security and Compliance with GitLab
          %p
            As the first single application for software development, security, and operations (DevSecOps), GitLab’s tools offer a streamlined process that can keep your entire team synchronized and your most important data secure. GitLab features Kerberos-based user authentication and a push rule that blocks secret files, which prevents sensitive files from being accidentally pushed into a live repository.
          %p
            GitLab’s CI/CD tools also offer a number of features that may help your team members remain in compliance with your company’s legal, licensing, and other requirements. Some of those tools include:
          %ul.fa-ul.checkbox-list
            %li
              %i.fa-li.fa.fa-check-square-o
              Push rules: These allow you to reject code that does not comply with company policy.
            %li
              %i.fa-li.fa.fa-check-square-o
              Strict code review: You have the option to require multiple approvals from a certain set of team members before a merge request can be accepted.
            %li
              %i.fa-li.fa.fa-check-square-o
              Multiple options for user roles and permissions: Access and permissions can be managed at many levels, with five different options for user roles and settings for external users. Permissions can be set according to one’s role, as opposed to allowing only read or write access to a repository.
            %li
              %i.fa-li.fa.fa-check-square-o
              Log forwarding: Logs can be forwarded to a central system for better tracking.
            %li
              %i.fa-li.fa.fa-check-square-o
              Membership locking: Group owners can maintain control of their project by blocking other members from adding other parties to the project.
            %li
              %i.fa-li.fa.fa-check-square-o
              Reject unsigned commits: GitLab Enterprise Edition Premium allows you to reject unsigned commits and require GPG signatures.
          %p
            GitLab offers built-in application security testing scanners that routinely check code for common issues during development and deployment. Our scanners also monitor previously patched vulnerabilities in order to ensure that our security-sensitive services remain guarded.
      %hr.divider/
      .row.text-center
        .col-md-10.col-md-offset-1
          %h3.sub-heading
            %a{ href: '/features/#verify' } Learn more about Application Security Testing at GitLab
          %p
            Find out how GitLab’s end-to-end software development tools can help your company monitor all of the steps in your production lifecycle.
          = link_to "Contact us", "/contact", class: "btn cta-btn accent"
          = link_to "Security FAQ", "/security/#common-security-related-questions", class: "btn cta-btn ghost-accent"
      %hr.divider/
      .row.u-margin-bottom-lg
        .col-md-12
          %h2.faq-title.light.text-center GDPR Compliance FAQs
          .faq-holder.clearfix
            - questions = data.gdpr_faq.questions
            - size = (questions.size / Float(2)).ceil
            - questions.each_slice(size).to_a.each do |group|
              = partial "includes/layout/question_group", locals: { group: group }

%section.feature-group.u-subtle-bg
  .container
    .row.flex-row
      .col-sm-6.col-md-3.col-lg-3
        .feature.js-all-clickable
          .feature-media
            = image_tag "/images/feature-thumbs/feature-thumb-gdpr-blog.png", alt: 'GDPR blog post', srcset: "/images/feature-thumbs/feature-thumb-gdpr-blog_2x.png 2x"
          .feature-body
            -#%h3.feature-label Blog
            %h2.feature-title If you do business in Europe, you need to know about GDPR
            %p.feature-description
              = link_to "Read more", "/blog/2018/02/16/european-general-data-protection-regulation-law/", class: "feature-more"
      .col-sm-6.col-md-3.col-lg-3
        .feature.js-all-clickable
          .feature-media
            = image_tag "/images/feature-thumbs/feature-thumb-security.png", alt: 'GitLab Security', srcset: "/images/feature-thumbs/feature-thumb-security_2x.png 2x"
          .feature-body
            -#%h3.feature-label Security
            %h2.feature-title GitLab Security Page
            %p.feature-description
              = link_to "Read more", "/security/", class: "feature-more"
      .col-sm-6.col-md-3.col-lg-3
        .feature.js-all-clickable
          .feature-media
            = image_tag "/images/feature-thumbs/feature-thumb-gdpr.png", alt: 'GDPR', srcset: "/images/feature-thumbs/feature-thumb-gdpr_2x.png 2x"
          .feature-body
            -#%h3.feature-label GDPR
            %h2.feature-title GDPR Website
            %p.feature-description
              %a.feature-more{ href: "https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en", target: "_blank" } Read more
      .col-sm-6.col-md-3.col-lg-3
        .feature.js-all-clickable
          .feature-media
            = image_tag "/images/feature-thumbs/feature-thumb-docs.png", alt: 'GitLab Docs', srcset: "/images/feature-thumbs/feature-thumb-docs_2x.png 2x"
          .feature-body
            -#%h3.feature-label Docs
            %h2.feature-title GitLab Dynamic Application Security Testing
            %p.feature-description
              %a.feature-more{ href: "https://docs.gitlab.com/ee/user/application_security/dast/", target: "_blank" } Read more