Part 1 / 5
This training consists of two parts:
Unit 1 – A general overview of the privacy rules and regulations that apply to us.
Unit 2 – A practical guide to implementing CyberArk's Privacy Policies.
You are completing Unit 1 now and you will be notified when Unit 2 is allocated to you.
Here in Unit 1, we will address two important aspects:
Keep scrolling down and good luck!
CyberArk has obligations:
CyberArk must comply with numerous data protection rules and regulations, some of which will be covered in this course.
Given the nature of our business, we are held to a higher bar by our customers, investors and the general public.
If we ever suffered a serious security breach, the actions we take – every day, over many years before – can protect us and our customers from the worst effects of the breach.
CyberArk also recognizes and respects the importance of our obligations to you and your colleagues, the people whose data we use in our role as your employer.
Our customers have their own obligations too:
And they need to be able to trust CyberArk to help them meet those obligations.
Part 2 / 5
There are lots of other privacy rules and regulations around the world, such as in Israel, California, Singapore and Australia. But generally, following the GDPR globally is considered a best practice in our industry, and that's why we focus on it.
What is Personal Data?
GDPR governs how you can use the information you have about people.
Information about people is called personal data, personal information or PII.
All these terms basically mean the same thing:
Information about a person that could be used to single that person out from a general group.
Biographical information or characteristics such as their profession, habits, family members, personal beliefs, etc.
For instance, our Endpoint Privilege Manager stores users' names, email addresses and other data. Our CyberArk Mobile app (formerly Alero) asks users for their personal information, and sometimes even their photo. These are all examples of personal data.
CyberArk holds lots of personal data about us: CyberArk employees and employment candidates.
For example, in our HR records: ID/passport number, family members, personal phone, professional qualifications, photo, and many more examples.
What do you think? Is the address Jenny.Doe@cyberark.com personal data?*
Yes
No
Correct
This email address relates to one person, and therefore is personal data.
GDPR defines personal data very widely. Avoid the misconception that work-related data, like a work email address or username, cannot be personal data.
Controlling & Processing Personal Data
Collecting
Storing
Analyzing
Transferring
Sorting
Translating
Keeping
Accessing
Archiving
Destroying
What do you think: does an organization like ours – that serves businesses and not individuals – actually process personal data about our customers?*
Yes
No
Correct
Well, we do.
As weโve seen, processing is a VERY broad concept. So, any personal data that we, our infrastructure, systems or products access, use, hold, transfer etc. is being processed by us. Pretty much anything else you can think of regarding use of personal data is processing. Everything.
Processors vs. Controllers
The GDPR makes a distinction between the "controller" of the personal data and the "processor". Both controllers and processors are processing personal data and are required to follow the GDPR, but their roles are different.
Controllers decide:
Why? For what purpose or reason the data is processed.
How the data should be processed.
Processors:
Are chosen by the controller.
Use the data for a particular purpose that the controller determined.
Consider the following examples. Do you think CyberArk is a controller or a processor?
CyberArk controls what data we collect about our employees and how we use it. Therefore, we are the controller.
If we use a SaaS Solution to help us do this, for example SuccessFactors, they are acting as processors for CyberArk.
When we do that, we use a person's email – which is personal data. We're doing this under our own control and for our own purposes, not because another organization is paying us to do that or because our product is designed to do that. Therefore, we are the controller of that data.
So you see that SaaS and many other vendors that process information on CyberArk's behalf are therefore the processor, where CyberArk is the controller.
In just the same way, CyberArk is the processor for our customers when it comes to data we process on their behalf, for example our SaaS products or when we receive personal data as part of our support and maintenance services.
By receiving and dealing with personal data on behalf of our customers, we are helping them do things they might not be able to do alone. But the customers are the ones who decide they want the data to be dealt with in that way.
And when our customers want us to stop processing data they've given us, they can simply tell CyberArk to discontinue any processing and even direct us to erase the data. We generally can't refuse to follow the customers' directions regarding personal data.
In any case, we can't use customer data for purposes other than as required to provide our products and services.
GDPR Principles
The GDPR lays down important principles for the use of personal data.
Lawfulness
This means that processing personal data is only allowed if one of the lawful reasons set out in the GDPR applies. We must process it in a fair and transparent way.
Here are some examples for lawful reasons:
However, in order for the "legitimate interest" justification to apply, the processing must not have too big of an impact on the privacy of the individual, and we need to document our fair reasoning on this. After all, we may have a legitimate interest in using the data, but the law recognizes that the person whose data it is may have an interest in our not doing so.
Data Minimization and Purpose Limitation
You need to limit data processing to what is necessary in order to achieve the purpose you obtained the personal data for in the first place. If you can fulfill the purpose with less personal data, you should use only what you need.
Accuracy
Delete or correct inaccurate personal data and keep it up to date if necessary.
Integrity and Confidentiality
Ensure appropriate security and prevent damage to the data or its destruction.
Storage limitation
Destroy or anonymize personal data that is no longer required.
Before continuing to the next chapter, please answer the following questions.
GDPR may apply when CyberArk… Select all the correct answers*
Correct
Well done!
Not exactly
GDPR applies when we store data about employees and when we collect personal information about prospects or existing customers.
Which of the following steps does data minimization require us to take?*
Correct
Well done!
Wrong answer
To minimize data, we must only collect the minimum personal data required.
To complete this training module, please make sure you have reviewed all sections and answered all questions.
Part 3 / 5
The GDPR gives government regulators the power to impose fines in the tens of millions of dollars and more, for processing people's data improperly. And the regulators have not been slow to use this power. In the last couple of years, there have been several headline-grabbing fines, and these are likely to increase over time.
Here are a few examples of recent fines that regulators have imposed, that can teach us practical and important lessons about what not to do. Note that these are not the largest fines there have been, but they are some of the events we can learn significant lessons from.
Germany
A German company was fined $16m, even though its privacy policies and procedures were completely legal. However, it failed to follow the policy well enough.
Luxembourg
A Luxembourg multinational corporation was fined over $880m for targeting people for advertising purposes without having a legal basis in place.
USA
A US multinational company was fined $57m, as the privacy policy on their website was not sufficiently clear and because they performed ad personalization without valid consent.
Italy
An Italian company didn't follow individuals' unsubscribe requests, even though it had a good internal procedure on how to do that, and was fined $13m.
Austria
An Austrian company was fined $21m for building profiles of individuals for their own commercial purposes.
Those were just a few examples, and the trend is expected only to grow. You may think that these amounts are not a huge price to pay for large organizations, and it's just the cost of doing business.
But if we look at the greater picture, remember that fines come at the end of a very long investigation. The process involves compensation, reputational impact, possible class actions and litigation and other associated costs as well.
Remember our CyberArk value: What's Best For CyberArk. It will never be worth risking our good name and so much of our business.
CyberArk is a company whose business is to secure information – so it's essential that our customers trust us. They expect us to meet the highest standards of privacy and data ethics, in keeping with our CyberArk value of being customers' Trusted Expert.
An investigation by a privacy regulator – and sometimes by more than one regulator – is typically extremely detailed and time consuming; it can take years, require an enormous amount of engagement at all levels of the company, and involve negative publicity for the company. Simply having an investigation by a regulator, let alone a fine, could significantly damage our reputation, and potentially have a direct impact on our sales.
Part 4 / 5
Which of the following are personal data? Select all the correct answers *
Correct
Well done!
Not exactly
Information about employees' family members and e-mail addresses are considered personal data under the GDPR. Laptop models (provided the laptops are not linked with employee details) and business addresses are not.
When planning a new project requiring the collection of personal data, your colleague said that you should always rely on consent and cannot rely on your legitimate interests. What do you think? Is it true?*
True
False
Correct
You do not always need consent. You could rely on legitimate interest as justification for data collection and processing when you have a good commercial business reason that does not have too big of an impact on the privacy of the individual. Remember you must document your fair reasoning and check specific rules that may apply.
Which of the following actions are required to comply with the GDPR? Select all the correct answers*
Correct
Well done!
Wrong answer
All of these actions are required by the GDPR.
Part 5 / 5
Let's review what we have learned so far.
Fines
Following the GDPR:
Reflects our values
Ensures that we meet our obligations to the law and towards our customers, employees and other persons we deal with.
Remember that given the nature of our business, we are held to a higher bar.
You have nearly completed this unit of the privacy training. In the second unit, you will learn how the GDPR applies to you as a CyberArk employee, including some practical tools.