Sumo Logic: What can you learn from our approach to GDPR?

Sumo Logic was founded in 2010 by experts in log management, scalable systems, big data, and security. Today, their purpose-built, cloud-native service analyzes more than 100 petabytes of data, more than 16 million searches, and delivers 10s of millions of insights daily – positioning Sumo among the most powerful machine data analytics services in the world.

In this podcast, George Gerchow, CSO with Sumo Logic, talks about their approach to GDPR.

Here’s a transcript of the podcast for your convenience.

Hi my name is George Gerchow, Chief Security Officer with Sumo Logic. Sumo Logic is a company that was created in AWS, so AWS native. We do big data and security analytics, full multi-tenant solution build on micro services.

We take regulatory compliance regulation and security very seriously because, as customers are moving their data to the cloud, there’s going to be a lot more scrutiny around security and we want to give them that level of trust and comfort that we’re taking care of their data. And so, compliance and regulatory requirements have been around for a long time for us.

You know, we’re in our fourth year of ISO 27001, which is key and its saying something once you’re in your fourth year, fourth year of SOC II, we’re doing PCI for our fourth year as well too, HIPAA, and then GDPR emerged on our roadmap about 2 to 3 years ago. So, we were already doing things like the EU Privacy Shield to prove our data sovereignty, but we wanted to mature in the space not only around GDPR, but mainly around privacy, because we know that every country, every nation state is going to have different regulations around privacy. So, we took GDPR as kind of a springboard or a launching point to start doing a few key things.

The first one was, we went out and hired a Data Protection Officer or a DPO. So, this individual, she has a tremendous compliance background, but as well as a privacy background, and so we wanted to make sure that she was a good fit for our company. Her name is Jen Brown, and we brought her in as a contractor, she walked through our payment credit card industry audit with us two years ago, did a great job, and then we handed over our privacy by design program to her. And that was the first thing she did, was mature our privacy program to where any time a new regulation comes out, all we have to do is a gap analysis as to what we currently have today, then either accept the risk or remediate to adhere to that new regulation. So, getting a DPO in place was critical.

Then we look at automating as many functions as we could. So DPAs, data protection addendums or agreements, were starting to hit our environment nonstop. So as the DPAs started hitting our environment, we wanted to minimize the, what we like to call paper DDoS attack, of having these things come in to where then we’d have to go with legal, redline, go back and forth, very disruptive to an organization. So we created our own DPA and we actually put it on a self-service portal. All NDA wrapped to where a potential customer prospect could then go and access the DPA, sign off on it and we’d sign up on it on our side, so that piece of automation was key.

Another piece that we automated was DSR or around data subject rights, and so what we did was we built a portal to where now customers and prospects you know could come in, or anyone in our system could come into our data subject access rights portal or DSR, and just identify every customer or what their relationship is with Sumo Logic, put in their contact name, country of residence. And then you know, anywhere from articles 12, which is transparent information communication and modalities for the exercise of rights the data subject, or down to Article 23 which is restrictions, they could select what article and then request their details as to right to erasure, and then submit it back to our organization. And again, that just cut down on having individuals working this all day long and back-end ticketing systems. So, this is kind of automation was key. And again this goes way beyond the GDPR, this is very much focused on privacy.

A little bit of tech that we did, that we brought in, was around Article 30. So, this was also a great learning opportunity, and one of the advantages I believe in GDPR and privacy is working with each line of business to determine how they’re handling data. So, anywhere from finance, to HR, to marketing, you know just walking through the exercise of them of – now get you know a customer prospect’s data or someone who you’re hiring. How is it that that data is handled? Where’s it stored? What are the different things that you do?

And then helping them make it not only more secure, but in my mind the more important thing is more efficient. You know this is a world of efficiency and agility when you go to market. And so, we really help them make it more efficient in a much more secure manner, and then opened up the kimono, where we’re very transparent across the organization, and externally as well too, as to how data is being handled.

So, when I take a step back I mean I think that we’re very mature where we are with GDPR, but I would say that the three biggest things that we did, and have done, and will continue to do moving forward, you know number one is the engagement of the DPO. The second piece is automated functions of things like a DPA or data processing agreement or addendum. And then the third one is really inspecting organization and doing training and awareness around the handling of data. Those are three big key things that you can do.

The other one is, you know, it’s always about transparency and best level of effort. So, you’ve always asked me: “Ok, so what are you guys doing in the future when it comes to privacy or GDPR?”

One of the big things that for us, that we’re getting ready to knock out in the next month or so, is a DPIA, or a data protection impact analysis, and we’re doing that through a third-party audit company. And again, that’ll just show due diligence on our side.

Even though there’s not a certificate you can hang on a wall that says “I am GDPR compliant,” It will show due diligence and a level of effort that we think goes beyond what most organizations are doing today. Just to validate the amount of work that we’re putting into this, and the seriousness behind it. So, that’s going to be a major step for us moving forward into the future. And then we’re also, with the self-service portal I mentioned, we’re also gathering stats on what people want to see.

So, whether it’s BDSG out of Germany, or IRAP out of Australia, we’re letting customers and prospects request to us, through self-service, all automated on the back-end via Slack, what they want to see in the future. And so this will help drive our budget and a roadmap for our team moving forward.