General Data Protection Regulation and Plex Customers
Business Process and Performance Management
The European Union’s (EU) General Data Protection Regulation (GDPR) is set to take effect May 25, 2018. Now is a good time to discuss the capabilities Plex offers to help customers meet their GDPR obligations.
What is GDPR?
In its most basic description, GDPR is a regulation designed to bring together and align various data protection laws across Europe. GDPR establishes the rights of EU persons to have a degree of control over their personal data and sets responsibilities for companies controlling or processing that data.
Sharing of Responsibilities Under GDPR
It is important to take some time to understand GDPR and your company’s responsibilities under the new regulation. GDPR defines two roles that establish the responsibilities for entities involved in data privacy: the controller and the processor. Per the GDPR FAQs page, a data “controller is the entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”
Below we will discuss Plex’s role as data processor and describe the various protections we have in place to help support your needs.
Plex as the Data Processor
Plex offers protections in two distinct areas as data processor: Security & Audits and Privacy. Specifically:
Security & Audits
Plex maintains industry-standard security over the data it processes. We undergo annual SOC 2 audits covering the security, confidentiality, availability, and processing integrity control principles. Plex also undergoes annual SOC 1 audits.
Plex also maintains a security incident response plan that includes notification of impacted customers if their data is compromised. Plex ensures this plan supports the requirements established by GDPR.
Plex works with a third-party privacy consulting firm called TrustArc (formerly TRUSTe) in the design and verification of our privacy program, policies, and websites, including the Plex Manufacturing Cloud. Our program is designed to meet the needs of customers worldwide, including those in the European Union.
Plex also assesses risks associated with vendors, including risks associated with privacy. For vendors that may come into contact with personal data, we verify their security controls and relevant positions on privacy (including adherence to Privacy Shield, for example).
Customer as the Data Controller
While Plex has data processor responsibilities under GDPR, customers are responsible for GDPR compliance requirements set forth for data controllers. It is important to carefully review your responsibilities via some of the many resources available online. Important responsibilities include:
Collecting Consent: Customers are responsible for obtaining consent from EU citizens to process any personal data that the customer collects.
Right to be Forgotten: EU citizens will have the right under GDPR to have their personal data deleted. Plex customers can use Plex to delete records of employees if requested.
System Access: PMC can be configured to restrict user access in accordance with customer policies.
Activity Logs: PMC logs user account activity, and reports are available to monitor user actions. Plex recommends that customers regularly review audit and security reports, including the PMC activity audit log reports.
Security, Compliance, and Communication
As with all relevant regulations and standards, Plex takes its customers’ and its own security, privacy, and other compliance requirements seriously. Plex is dedicated to ensuring our cloud services remain a trusted tool for our customers. We will continue to share information related to GDPR and other security and regulatory issues as they come to our attention. Please do reach out to Plex via the Customer Community or your CSM if you have related questions.