The General Data Protection Regulation (GDPR) is the European Union (EU) regulation governing the protection of personal data of EU citizens. The GDPR applies to all companies selling to and storing the personal information of European citizens. The overarching objective of the GDPR is to provide EU and European Economic Area (EEA) citizens with control over their personal data. Under the GDPR, personal data means any information relating to an identified or identifiable natural person. That definition is much broader than any US regulation and includes geolocation data, photos and videos, credit card details, medical records, personal and work emails, financial records, bank details, and IP addresses.


  • Does the EU GDPR apply to Agio?
    Agio currently acts as a processor for clients who act as controllers of personal data. Agio abides by the terms and principles in our controller agreements as they relate to personal data and GDPR.
  • Is Agio able to demonstrate compliance (have processes, policies, and records) with the principles outlined in the GDPR?
    Agio can attest to the policies, processes, and procedures outlined for processors.
  • How does Agio process an update or delete request from a controller relating to personal data?
    A service request case is created in Agio’s case management platform and processed using the operational procedures outlined in Agio’s SSAE-18 SOC 1 controls. Once the request is executed and completed, Agio will notify the client (controller).
  • Can Agio provide data portability for the controller’s personal data?
    Depending on the system, and how the controller stores personal data in those systems, Agio may be able to assist in porting the data to another system.
  • What processes does Agio have around sub-processors’ access to a controller’s personal data?
    Agio performs annual due diligence on each sub-processor to ensure they are compliant with all GDPR regulations and controls.
  • Are all employees who may have access to a controller’s personal data committed to data protection and privacy?
    All Agio employees are required to attest to the Written Information Security Policy  (WISP). This policy entails proper procedures for employees to better ensure the security and confidentiality of personal information, protect against any reasonably anticipated threats or hazards to the confidentiality or integrity of such information, protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud, provide for the classification of types of information and data that Agio employees come in contact with, ensure the proper disposal of corporate equipment and data, and ensure proper physical security of the Company’s operational locations.
  • Does Agio conduct privacy awareness/training for employees that may have access to a controller’s personal data?
    All Agio employees go through formal, mandatory security awareness training. Agio’s security team also provides user awareness seminars throughout the year regarding regulatory compliance.
  • Can Agio ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services?
    Agio has comprehensive Disaster Recovery and Business Continuity policies and procedures that are reviewed annually.
  • Does Agio maintain processes for regularly testing, assessing, and evaluating the effectiveness of its technical and organizational measures for ensuring the security of its processing?
    Agio undergoes independent SOC 1 Type 2 and 2 audits from an external audit firm to verify operational controls are in place and functioning as intended.
  • When experiencing a data breach containing personal information, is there a process to notify the controller?
    Agio has a comprehensive breach notification policy that is reviewed and updated annually. If there is a breach containing a client’s personal information, the client is notified of the incident. The timeframe in which a client is notified is based on the identification, severity, and impact of the data breach.
  • Does Agio have an assigned Data Protection Officer within the organization who is properly involved and notified in a timely manner of all issues that relate to the protection of personal data?
    All GDPR duties and requests are escalated to Agio’s Chief Compliance Officer (CCO) and Chief Information Security Officer (CISO) as well as to the Compliance team. Any request can be made by emailing


As Controller

  1. You are responsible for ensuring personal information is processed and protected in accordance with GDPR requirements.
  2. Ensure you have cataloged the types of personal information being stored and in which systems it is stored.
  3. Ensure requests from a data subject are directed to the processor in an appropriate and timely manner.


As Processor

  1. Notify controller of any data breach associated with a controller’s personal information.
  2. Only act on documented requests from the data controller.
  3. Ensure contractual obligations to the controller are met.
  4. Respond promptly to instructions from the controller regarding a data subject’s request/s.


  • Determine its application. GDPR may apply to you even if you don’t have operations in the EU.
    Consider the following questions:
    – Do you offer goods and services to EU residents?
    – Do you rely on third parties that store or transmit data to/from the EU?
    – Do you collect, transmit, or process data pertaining to EU residents?
    – Do you have employees who are EU citizens (including employees with dual citizenship)?
  • Review systems, policies, and procedures.
    Are your current policies and procedures sufficient to meet GDPR requirements? Examples of what needs to be reviewed include HR onboarding and offboarding, third parties’ processing, incident response and breach notification, encryption at rest, and mobile device management.
    – What kind of data does your organization hold or process?
    – Where is that data stored, and how is it protected?
  • Identify and prioritize your risks and gaps related to the GDPR.
    An individual can request that you provide all data maintained about them AND request detailed information about how that data is protected.
    – Do you have data subjects’ rights, policies, and procedures in place to handle requests by a data subject (e.g., for deletion of personal information)?
  • Develop breach notification and incident response plans.
    The GDPR imparts a duty to report certain types of personal data breaches to the supervisory authority within 72 hours of becoming aware of a breach.
    – Do you have policies and procedures implemented to handle this occurrence?
    – Does your staff know how to escalate a security incident to the appropriate person/team to determine whether a breach has occurred?
  • Create a culture of compliance.
    – Has your staff been trained on the importance of data protection and on any new processes that were implemented to comply with the GDPR?
    – Do you have a cross-functional team (e.g., IT, Legal, Compliance, Finance, HR) in place to ensure processes are implemented properly across the organization?

Interested in knowing how we’re staying compliant with our in-depth Agio GDPR Compliance Matrix?

Talk to Us