As of May 25, 2018, the ‘General Data Protection Regulation’ or GDPR came into force across all EU member states. This regulation unified legislation on how personal data is used and managed, leading to more standardized protections for all. Under GDPR, consumers benefit from increased privacy protections for their personal data.
Training and privacy awareness
All Hancock employees have been given GDPR training, overseen by our on-site compliance team. Training sessions are conducted upon hire for all new employees and annually thereafter.
Data mapping and privacy impact assessment
To verify that our privacy practices are appropriate, Hancock conducted an initial data mapping exercise. This included a Privacy Impact Assessment (PIA) to assess how we collect, process, and store personal data and determine potential privacy impacts.
Information security policies
Hancock has information security and data protection policies governing how and when employees and contractors can access your data.
Hancock participates in and has certified its compliance with the EU-US Privacy Shield Framework. Hancock is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. Hancock complies with the Privacy Shield Frameworks for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
Our Incident Response procedures have been designed and tested to ensure that potential security events are identified and reported to appropriate personnel for resolution, that personnel follow defined protocols for resolving security events, and that the steps taken for resolution are documented and reviewed by the Security Team on a regular basis. Additionally, our policies and procedures include breach notification for if and when a security incident involves the loss or unauthorized use of personally identifiable information (PII).
Our Software Development Lifecycle (“SDLC”) ensures that system changes are performed in accordance with GDPR requirements, including considerations for privacy in the following areas:
All our current sub-processors are reviewed on an annual basis to ensure they meet security and privacy requirements.
Hancock created a GDPR-compliant Data Processing Agreement should you require one. Please feel free to reach out to email@example.com to inquire about a Data Processing Agreement.
List of authorized sub-processors
At Hancock, we understand the serious ramifications of compliance and have diligently built processes to make our service compliant with the standards which govern your business. Hancock is compliant with the following:
By default, communication with our services uses Transport Layer Security (TLS), which is regularly updated to use the latest cipher suites and TLS configurations. Additionally, we encrypt all customer data at rest using AES-256.
Data deletion and access
GDPR gives consumers the legal right to request access to and request the deletion of personal data stored by a company. We do allow our customers to delete their data from our products whenever processing is complete, legally binding retention requirements are met, and all parties associated with the artifact in question have agreed to its deletion. Please feel free to contact firstname.lastname@example.org to initiate a data deletion event.
At Hancock, we mostly use "session cookies" that are automatically deleted after each visit. These cookies permit us to recognize users and avoid repetitive requests for the same information. However, cookies can be uniquely attributed to a device and are therefore capable of identifying an individual. As such, we have reviewed all of our cookies to ensure that the required consent is gathered and that they are treated as PII when appropriate.