GDPR and what it means for you
Effective as of May 25, 2018 the GDPR replaced the former EU Data Protection Directive. Unlike the Data Protection Directive, the GDPR has a direct effect in all EU member states without any need for local implementing legislation and overrides previously existing national privacy laws.
Besides strengthening and standardizing user data privacy across the EU nations, the GDPR requires new or additional obligations on all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located.
Whenever the GDPR applies to our customers they are deemed the controller of the personal data included on the Coupa platform and Coupa is deemed the processor. As such, both Coupa and our customers have to comply with their respective obligations under the GDPR accordingly. One side of these obligations relates to the controller-processor relationship, while the other side relates to the controller obligations vis-à-vis the data subject, typically the user of the Coupa platform (i.e. employees, contractors and partners of our customers).
We expect our customers and their users to comply with all applicable laws and regulations in connection with their use of the Coupa platform, in particular by making sure that our customers have all rights and consents necessary to allow Coupa to use and process such data.
As a service provider, Coupa is committed to supporting our customers in their compliance activities, including those outlined in GDPR Chapter III (Rights of the data subject), most notably the rights of access and rectification (Art. 15 and 16 GDPR), the right to erasure or ‘right to be forgotten’ (Art. 17 GDPR), the right to data portability (Art. 20 GDPR), and the right not to be subject to automated decision-making, including profiling (Art. 22 GDPR).
Living GDPR @ Coupa
Data privacy is at the heart of Coupa’s operating model. Our existing Coupa compliance program is comprehensive and based on globally accepted standards. It includes compliance certifications such as ISO 27001, SOC1, SOC2 and the TÜV Rheinland Certified Cloud Service. In light of the GDPR, our Legal, Security, Cloud Operations and Product teams have operated a Coupa GDPR readiness project where a dedicated group of internal & external compliance experts have worked diligently towards meeting the May 2018 deadline. The same team continues to support GDPR compliance and keeps an eye on new developments in the market.
Top 5 Priorities for GDPR compliance
(*The following section refers to the Gartner Blog “Smarter with Gartner” on GDPR)
Gartner lists the top 5 priorities for organizations to focus on to ensure compliance when GDPR applies to them.
Below we explain Coupa’s position relating to these priorities:
#1 - Determine Your Role Under the GDPR
As a cloud-based spend management provider, Coupa is processing data on behalf of its customers using the Coupa platform; therefore, Coupa is seen as a data processor under the GDPR. In light of existing data privacy laws and data security measures generally expected from a global cloud service provider such as Coupa, we have implemented an information security program consisting of policies and procedures to help ensure that Coupa is acting in accordance with current and new compliance requirements when providing our services.
#2 - Appoint a Data Protection Officer
The GDPR requires some organisations to designate a Data Protection Officer (DPO). Organisations requiring a DPO include public authorities, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale, and organisations that process what is known as sensitive personal data on a large scale. At Coupa we have appointed a DPO in line with the GDPR.
#3 - Demonstrate Accountability in All Processing Activities
Our Coupa compliance program is already comprehensive and based on globally accepted standards. Its effectiveness is periodically attested to by third parties under various compliance certifications (e.g., ISO 27001, SOC1, SOC2). Coupa has implemented an information security program consisting of policies and procedures that define how system information is entered, managed, and protected. Coupa’s current information security program is further specified in our Master Subscription Agreement (MSA) as well as our Data Processing Agreement (DPA). In particular, Coupa commits to monitor, analyse and respond to security incidents in a timely manner in accordance with Coupa’s standard operating procedure, which sets forth the steps that Coupa employees must take in response to a threat or security incident. Coupa continues to invest in a growing global security team, a group of well-trained and experienced talent with industry expertise that includes technical, policy and legal experts, in combination with a strong network of external specialists.
#4 - Check Cross-Border Data Flows
#5 - Prepare for Data Subjects Exercising Their Rights
Within the Coupa platform, our customers use the personal data of their users to interact with each other in order to better manage their spend. These acting individuals are the data subjects and our customers - acting as data controllers - need to be able to answer certain legitimate requests under the GDPR. As such, our customers will look to Coupa as service provider and data processor to offer functionalities within the Coupa platform that enable our customers to achieve compliance. Our internal product design processes are focused on the user and their positive and productive experience on the Coupa platform. In light of GDPR, Coupa periodically reviews the Coupa platform features in order to validate that the Coupa platform provides the required functionalities to our customers.
Ensuring the privacy and security of our customers’ data is an ongoing commitment for Coupa. We will update this website to reflect any GDPR-related developments. If you have any questions, please contact us via e-mail ([email protected]).
Additional Coupa Resources
Coupa GDPR White Paper
Coupa Security Data Sheet
Coupa Security Policies on success.coupa.com
Legal Disclaimer - This website is provided for informational purposes only and should not be considered as a contractual commitment or legal advice and does not discuss other privacy-related laws or regulations that may also be relevant to our customers and prospects, including any industry specific requirements. The relevant privacy and data protection laws and regulations applicable to individual companies will depend on several factors, including but not limited to where a company conducts its business, the industry in which it operates, the type of content it wishes to store, where or from whom the content originates, and where the content will be stored.