PRGN-02

Does your solution process GDPR-related or PIPL-related data?

Explanation

This question asks whether your software solution processes personal data that falls under two major privacy regulations: the European Union's General Data Protection Regulation (GDPR) and China's Personal Information Protection Law (PIPL). GDPR applies to personal data of individuals physically located in the European Economic Area (EEA), which includes the EU countries plus Iceland, Liechtenstein, and Norway. PIPL applies to personal data of individuals located in China.

Why this matters in a security assessment:

1. Legal compliance requirements: If your solution processes data covered by these regulations, you must comply with specific requirements for data protection, user consent, data subject rights, and breach notification.
2. Risk assessment: Processing regulated data increases your compliance risk and potential liability.
3. Security controls: These regulations require specific security measures to protect personal data.
4. Cross-border data transfers: Both regulations restrict transferring personal data outside their respective jurisdictions.

How to best answer:

- Be honest and specific about what types of data your solution processes and from which regions.
- If you do process such data, be prepared to explain your compliance measures in follow-up questions.
- If you're uncertain, it's better to assume you do process such data if there's any possibility that users from these regions could use your system.
- Consider whether you have geofencing or other mechanisms to prevent processing data from these regions if you don't want to comply with these regulations.

Guidance

GDPR data includes any data related to an identified or identifiable natural person physically located in the European Economic Area (EEA). PIPL-related data includes any personal data related to an identified or identifiable person located in the People's Republic of China (PRC).

Example Responses

Example Response 1

Yes, our solution processes both GDPR and PIPL-related data. We have customers in the European Economic Area and China, and our platform collects personal information including names, email addresses, and usage data from users in these regions. To ensure compliance, we have implemented comprehensive data protection measures including data minimization practices, encryption of personal data at rest and in transit, and mechanisms for users to exercise their data subject rights. We have also appointed Data Protection Officers for GDPR compliance and local representatives in China for PIPL compliance. Our legal team regularly reviews our privacy practices to ensure ongoing compliance with both regulatory frameworks.

Example Response 2

No, our solution does not process GDPR or PIPL-related data. We have implemented strict geofencing controls that prevent users physically located in the European Economic Area or China from accessing our services. Our terms of service explicitly prohibit use of our platform by individuals in these regions, and we employ IP-based access controls to enforce these restrictions. We regularly audit our user base to confirm we are not inadvertently collecting data from individuals in these jurisdictions. Should our business strategy change in the future to include these markets, we would first implement the necessary compliance measures for GDPR and PIPL.

Example Response 3

Partially. Our solution processes GDPR-related data as we have customers in the European Economic Area, but we do not currently process PIPL-related data. We have implemented a regional restriction that blocks access from China-based IP addresses and have no customers or users in China. For our GDPR compliance, we maintain records of processing activities, have implemented appropriate technical and organizational measures to protect personal data, and have data processing agreements in place with all our sub-processors. We recognize that we cannot meet the current requirements for PIPL compliance, which is why we have chosen not to operate in the Chinese market at this time.

Context

Tab: Privacy
Category: General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub