Meeting the GDPR challenge November 11, 2016 by Lewis Barr GDPR, personal data, privacy, security It is widely recognized among privacy professionals that the European Union’s General Data Protection Regulation (GDPR) is the most significant privacy legislation in many years, perhaps decades. GDPR awareness is now spreading beyond privacy conferences to the board room because of the regulation’s broad scope, contractual and operational impacts, and the significant risk management challenge it presents to companies needing to establish compliant practices by May 25, 2018 when the GDPR takes effect. Here’s what you can expect in greater liability exposure with the GDPR, especially in connection with vendors processing personal data on your behalf: The GDPR significantly adds to the protections for EU data subjects afforded by the existing EU Data Protection Directive, which it will replace, while authorizing record-level fines for non-compliance up to a maximum of 20,000,000 EUR or 4 percent annual global revenue of the preceding financial year, whichever is higher, for certain violations, and up to half those amounts for other violations. Under Article 32, both controllers and processors are required to “implement appropriate technical and organizational measures” considering “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” The GDPR makes personal data controllers liable for the actions of their processors and responsible for compliance with the regulation’s personal data processing principles. Consequently, just as data controllers will be looking to make changes to become compliant before the regulation’s effective date, so too will they need their data processors to demonstrate compliance. For companies engaged in international commerce, including, but not limited to, those operating in the EU, the GDPR likely will set the standard not only for the treatment of personal data from the EU but other personal data processed with it. Why? Because a data controller will find it is easier and less risky to require each processor and its permitted subcontractors to abide by the more stringent GDPR framework for all the data being processed and will implement its processing oversight accordingly. Here at Janrain, we have been making changes to be in compliance with the GDPR and are excited about the opportunity it presents for us to showcase our leadership in securing and properly treating the personal data which our clients entrust to us. We are also looking forward to the opportunity to help our clients meet the GDPR challenge by offering them GDPR compliance-enabling tools and sharing best practices as we move forward. We are the only company among our direct competitors that has: A data protection officer or VP of Privacy (yes that is me), who reports to the CEO and leads the company’s compliance efforts. An independent certification by TRUSTe of its privacy practices, including its adherence to the Privacy Shield Framework. Successfully undergone a SOC2 Type II audit, having met the criteria for the Security, Confidentiality, and Availability Trust Principles. Janrain has implemented “appropriate technical and organizational measures” to protect data subjects’ rights as required under GDPR Article 32. For example, we have already established the following appropriate security measures suggested under Article 32: The encryption of personal data in transit and at rest (with transport layer security (TLS) and SSL certificates (of at least 2048-bits) and other measures to protect data in transit; keeping each client application instance and associated subject data isolated in its own logically discrete production environment; having unique session tokens, configurable session timeout values and password policies applied to prevent unauthorized access; encrypting data at rest in development, production and backup environments with full disk encryption; and storing passwords after being one-way hashed). The ability to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services (through a variety of safeguards, including data hosting replicated to several servers, data backup on hot servers and the capability to receive real-time notification of data subject record changes). The ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident (with a tested Business Continuity and Disaster Recovery Plan). A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (accomplished through its internal and external audits). We feel strongly that partnering with Amazon Web Services (AWS) for all our underlying hosting services provides us and our clients with the most secure and reliable data facilities available anywhere. In fact, in its August 2016 Magic Quadrant review of Worldwide Cloud Infrastructure as a Service, Gartner recognized AWS as the service leader. We have also implemented the following systems and programs to help us and our clients (using us as their data processors) meet the GDPR challenge: A cross-company, formal Information Security Management System (“InfoSec System”) of written policies, procedures and practices designed to secure client data and confidential information and to effectively assess, manage, and respond to information security risks. Among other controls Janrain has implemented as part of this InfoSec System are asset management, access management, change management, software development lifecycle management and vendor security screening. A qualified third-party auditor has certified this InfoSec System as meeting ISO 27001:2013 standards. Privacy by design processes in which our product marketing team works with me (our VP of Privacy) and our Information Security Manager to address privacy and security concerns when determining product feature requirements. A privacy program that includes operational procedures and privacy training and awareness building for employees. Just as important, Janrain already offers GDPR-compliant service features to its clients, including: Checkbox consent mechanisms for explicit consent (GDPR ✔) Progressive permissions (GDPR ✔) Easy data record access mechanisms (GDPR ✔) Data correction/integrity mechanisms (GDPR ✔) Data portability (GDPR ✔) Data erasure/deletion (GDPR ✔) Scoped access for users and integrations (GDPR ✔) Data pseudonymization (GDPR ✔) Age gating ((GDPR ✔) We look forward to collaborating with our enterprise clients on developing more GDPR compliance-enabling service features and best practices. While further work remains to be done prior to May 2018, Janrain is well positioned to meet, and to help its clients meet, the GDPR challenge. To learn more about how Janrain approaches data security and privacy, please visit our Trust page.