Compliancy

The Élan Secure Cloud platform provides Media Services’ customers with the control mechanisms and high-level certifications needed to address a wide range of compliance requirements. All data-center compliance examinations are conducted by an independent, licensed CPA firm, a QSA, and an ISO 27001 certification body accredited by the ANSI-ASQ National Accreditation Board (ANAB).
SOC1 and SOC2 are attestation standards issued by the American Institute of Certified Public Accountants (AICPA) that address examination engagements for service providers.

Each year, an external auditing firm completes SOC1/SOC2 Type 2 reviews of all Élan managed data centers. The report provides our customers with assurance of corporate controls, including security and environmental compliance, and validation of Media Services’ commitment to the most stringent standards of excellence in our data center operations.

The ISO/IEC 27001:2013 certification is one of the most stringent certifications for information security controls, and confirms that information security controls and other forms of risk treatment are in place to detect and defend against potential data system vulnerabilities.

Élan Secure Cloud data centers have achieved the International Organization for Standardization certification (ISO 27001) covering both corporate policies and procedures. This prestigious, internationally-recognized certification reflects our commitment to provide Media Services’ customers around the globe with secure, reliable, and high-performance hosting solutions.

The Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is administered by the Payment Card Industry Security Standards Council.

Media Services Group (MSG) maintains strict adherence to the PCI-DSS standards governing the housing and processing of payment card activities. An external assessment is completed each year by a Qualified Security Assessor (QSA) to validate Élan hosting’s compliance with the Payment Card Industry (PCI) Data Security Standard (DSS). The scope of this assessment includes physical security and related policies at our managed data center facilities. Media Services also completes quarterly external vulnerability assessments by an Approved Scanning Vendor (ASV).

ITIL is a set of detailed practices for IT service management (ITSM) that focuses on aligning IT services with the needs of the business. ITIL requires extensive documentation, certified staff, and alignment with industry best practices.

All Élan operations are aligned with the Information Technology Infrastructure Library (ITIL) framework to ensure efficient, best-practice integration of IT services with our customers’ business needs. All Élan data centers maintain ITIL-certified staff at levels from Foundation through Expert to ensure proper IT service alignment and optimization, and operate under the most recent version, ITIL v2011.

NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Management Act (FISMA).

Élan Secure Cloud infrastructure is built upon NIST security standards that meet or exceed the mandates of the FBI, the State Identification Bureaus, and the Criminal Justice Information Services (CJIS) Security Policy. Alignment with NIST SP 800-53 is maintained within Media Services at all levels, from the requirement to use FIPS standards to the physical access requirements for data center entry.

The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes is to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.

The Élan Secure Cloud operates in full conformance with the EU-US Privacy Shield framework, ensuring that customer data is correctly maintained and handled, that proper notification and privacy protections are in place, and that data sovereignty is enforced.

The Information Commissioner’s Office (ICO) maintains the privacy rights and protections for entities operating within the United Kingdom (UK). The ICO requires that organizations operating within the UK conform to privacy and data protection regulations.

Full ICO registration is maintained by Media Services Group.

The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

Media Services GDPR Statement

European Union’s General Data Protection Regulation:

The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe.

For the purposes of GDPR, and regarding the processing of personal data, the Media Services customer is the Data Controller, which is the organization that determines the purposes and means by which personal data is processed. Media Services, as a SaaS (Software-as-a-Service) provider, is the Data Processor, which is the organization that processes personal data on behalf of the Data Controller.

Statement of Direction on GDPR – April 2018

The following is Media Services’ Statement of Direction regarding support of the EU GDPR regulation. It is intended to outline the measures Media Services has taken as a Data Processor to assist our customers in their efforts to comply with GDPR requirements as Data Controllers. The development, release, and timing of any features or functionality described are at Media Services’ discretion.

Commitment to the GDPR (Privacy by design)

Media Services will comply with applicable GDPR regulations as a Data Processor when they take effect on 25th May 2018. Working in conjunction with our customers, we will explore opportunities within our product and service offerings to assist our customers in meeting their GDPR obligations.

What do you need to know?

About who it affects:

It affects any organization that deals with EU citizen or resident data, not just organizations within the EU — many publishers outside the EU have members in Europe.

About Consent:

You need to have a legal basis, such as consent, to process an EU citizen’s personal data. Under the GDPR you may rely on another legal basis for processing personal data, but we anticipate that most Media Services customers will rely on consent. This consent must be specific and verifiable. Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-selected choices.

About Individual Rights:

The GDPR also outlines the rights of individuals regarding their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support people’s requests in a timely manner. People have the right to request that their personal data be corrected, provided to them, prohibited from certain uses, or removed completely. You should also be able to tell someone, among other things, how their personal data is being used. If they ask, you are obligated to share the personal data you hold on an individual or offer another way for them to review it.

About GDPR Data:

The definition of personal data is broad and may cover, but is not limited to, professional, public and private life activities, and includes everything from names, postal addresses, images and electronic messaging addresses to IP addresses, posts on social networks, medical information and more.

About Data portability:

The GDPR includes certain requirements on data controllers for the portability of personal data. The data our customers store in Media Services products is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.

What is Media Services doing about the GDPR?

Media Services began to dedicate internal resources to GDPR in March 2017, a full year before the deadline. We did this because we value our customers’ (and their customers’) rights to privacy. Compliance with international laws and regulations is very important to us.

The following is a condensed version of our GDPR Roadmap and where we currently stand:

• Thoroughly research the areas of our products and services impacted by GDPR - COMPLETE
• Develop a strategy and requirements for how to address the areas of our product impacted by GDPR - COMPLETE
• Perform the necessary changes/improvements to our product based on the requirements analysis - COMPLETE
• Thoroughly test all changes to verify and validate compliance with GDPR - IN PROGRESS
• Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR - IN PROGRESS
• Media Services has also engaged with numerous outside resources on our approach. We felt this was and will be very important because the legislation is so new and far reaching.

What does this mean for our customers?

We understand that meeting GDPR requirements will take a lot of time and effort, and as your partner, we want to help make your process as seamless as possible. Some of our product enhancements are about to make things easier for you:

Elan Changes to support GDPR (2018.2 Release - Scheduled for May 16th 2018)

• Art. 12 - Transparent information, communication and modalities for the exercise of the rights of the data subject
    o The Data-Controller can review the content of the new Data Review screen with the Data-Subject over the phone, or email it for review and correction via The Personal Data Report
    o The Personal Data Report can be modified by Data-Controllers and includes standard templates to get you started

• Art. 13 - Information to be provided where personal data are collected from the data subject
    o The Data-Controller can review the content of the new Data Review screen with the Data-Subject over the phone, or email it for review and correction via The Personal Data Report
    o Procedures will be identified in the 2018.2 documentation for controllers to ensure that e-commerce sites, emails, etc. contain appropriate notices and consents

• Art. 14 - Information to be provided where personal data have not been obtained from the data subject
    o The Data-Controller can review the content of the new Data Review screen with the Data-Subject over the phone, or email it for review and correction via The Personal Data Report
    o Procedures will be identified in the 2018.2 documentation for controllers to ensure that e-commerce sites, emails, etc. contain appropriate notices and consents
    o Key sourcing information is contained within sub-sections of the new Data Review screen (where available, this information can be conveyed to the Data-Subject upon request)

• Art. 15 - Right of access by the data subject
    o The Data-Controller can email information to the Data-Subject via The Personal Data Report

• Art. 16 - Right to rectification
    o The Data-Subject can review information sent via The Personal Data Report and provide changes to the Data-Controller (confirmation of changes is tracked via the resend process)
    o A complete audit trail is maintained and viewable within the new interfaces

• Art. 17 - Right to erasure (‘right to be forgotten’)
    o Data-Subject requests to be forgotten are fulfilled by the Data-Controller via the Personal Data Consent interfaces
    o This sub-screen triggers removal of PII data within scope
    o A complete audit trail is maintained and viewable within the new interfaces

• Art. 18 - Right to restriction of processing
    o Data-Subject requests to restrict processing (e.g. email blasts) are fulfilled by the Data-Controller via the new Personal Data Consent interfaces

• Art. 20 - Right to data portability
    o The Personal Data Report can be generated from the new Data Review screen and emailed to the Data-Subject by the Data-Controller

• Art. 21 - Right to object
    o It is the responsibility of the Data-Controller to stop processing the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject
    o Where possible within the software, Media Services has blocked use of the Data-Subject’s data based on the Right of Restriction selections made by the Data-Subject

What should you do to be GDPR-ready?

  • Create a data privacy team to oversee GDPR activities
  • Review current security and privacy processes
  • Upgrade to Elan GDPR compliant release 2018.2 as soon as available (currently scheduled for release May 16th 2018)
  • Analyze what Personally Identifiable Information is being processed, stored and retained in Elan via the new Data Review interfaces
  • Review and update consent for your customers - if you rely on consent to process customers’ personal data, double-check whether the consent you previously obtained meets the GDPR’s standards
  • Establish procedures around the new GDPR interfaces to respond to data subjects’ requests when they exercise their rights

Media Services Role as a Data Processor

Media Services will follow instructions received from our customers in their role as Data Controllers with respect to personal data unless those instructions are (i) legally prohibited or (ii) require material changes to the Software. In addition, Media Services will reasonably support Data-Controllers in addressing requests from Data-Subjects or regulatory authorities regarding Media Services’ processing of personal data.

If Media Services cannot comply with an instruction or if there is a billable cost to comply with the instruction, Media Services will promptly notify the Data-Controller.

Future Releases

Media Services is continuing to evaluate all GDPR requirements and will consider additional GDPR-related features as we update our Product Roadmap for each release.

Next Steps

In preparation for the 2018.2 Release, Media Services will provide our usual release documentation and training. We anticipate that Media Services customers will be able to configure and utilize the new GDPR functionality themselves. If you require assistance, Media Services can assist you via standard support methodologies.

Questions

Inquiries related to this document and related policies can be directed to Helpdesk@msgl.com.
