Meeting the GDPR challenge It is widely recognized among privacy professionals that the European Union’s General Data Protection Regulation (GDPR) is the most significant privacy legislation in many years, perhaps decades. GDPR awareness is now spreading beyond privacy conferences to the board room because of the regulation’s broad scope, contractual and operational impacts, and the significant risk management challenge it presents to companies needing to establish compliant practices by May 25, 2018, when the GDPR takes effect. For companies engaged in international commerce, including, but not limited to, those operating in the EU, the GDPR likely will set the standard not only for the treatment of personal data from the EU but other personal data processed with it. Why? Because a data controller will find it is easier and less risky to require each processor and its permitted subcontractors to abide by the more stringent GDPR framework for all the data being processed and will implement its processing oversight accordingly. Here at Janrain, we have been making changes to be in compliance with the GDPR and are excited about the opportunity it presents for us to showcase our leadership in securing and properly treating the personal data which our clients entrust to us. We are also looking forward to the opportunity to help our clients meet the GDPR challenge by offering them GDPR compliance-enabling tools and sharing best practices as we move forward. Janrain has implemented “appropriate technical and organizational measures” to protect data subjects’ rights as required under GDPR Article 32. For example, we have already established the following appropriate security measures suggested under Article 32: • The encryption of personal data in transit and at rest (with transport layer security (TLS) and SSL certificates (of at least 2048-bits) and other measures to protect data in transit; keeping each client application instance and associated subject data isolated in its own logically discrete production environment; having unique session tokens, configurable session timeout values and password policies applied to prevent unauthorized access; encrypting data at rest in development, production and backup environments with full disk encryption; and storing passwords after being one-way hashed). • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of its processing systems and services (through a variety of safeguards, including data hosting replicated to several servers, data backup on hot servers and the capability to receive real-time notification of data subject record changes). • The ability to restore the availability of and access to the personal data in a timely manner in the event of a physical or technical incident (with a tested Business Continuity and Disaster Recovery Plan). • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing (accomplished through its internal and external audits). We feel strongly that partnering with Amazon Web Services (AWS) for all our underlying hosting services provides us and our clients with the most secure and reliable data facilities available anywhere. In fact, in its August 2016 Magic Quadrant review of Worldwide Cloud Infrastructure as a Service, Gartner recognized AWS as the service leader. We have also implemented the following systems and programs to help us and our clients (using us as their data processors) meet the GDPR challenge: A cross-company, formal Information Security Management System (“InfoSec System”) of written policies, procedures and practices designed to secure client data and confidential information and to effectively assess, manage, and respond to information security risks. Among other controls Janrain has implemented as part of this InfoSec System are asset management, access management, change management, software development lifecycle management and vendor security screening. A qualified third-party auditor has certified this InfoSec System as meeting ISO 27001:2013 standards. Privacy by design processes in which our product marketing team works with me (our VP of Privacy) and our Information Security Manager to address privacy and security concerns when determining product feature requirements. A privacy program that includes operational procedures and privacy training and awareness building for employees. Just as important, Janrain already offers GDPR-compliant service features to its clients, including: Checkbox consent mechanisms for explicit consent (GDPR ✔) Progressive permissions (GDPR ✔) Easy data record access mechanisms (GDPR ✔) Data correction/integrity mechanisms (GDPR ✔) Data portability (GDPR ✔) Data erasure/deletion (GDPR ✔) Scoped access for users and integrations (GDPR ✔) Data pseudonymization (GDPR ✔) Age gating (GDPR ✔) We look forward to collaborating with our enterprise clients on developing more GDPR compliance-enabling service features and best practices. While further work remains to be done prior to May 2018, Janrain is well positioned to meet, and to help its clients meet, the GDPR challenge. To learn more about how Janrain approaches data security and privacy, please visit our Trust page.