At Janrain, to help us properly manage over one billion consumer identities on behalf of our clients, we have implemented programs and best practices to protect the privacy and security of the personal data we process on our clients’ behalf. Recently, we have been assessing what changes we will need to make to our current practices so we are well positioned to comply with the European General Data Protection Regulation (GDPR) when it takes effect in May 2018. Happily, we have found that we already meet a number of significant GDPR requirements and that our Customer Identity and Access Management (CIAM) technology will enable Janrain clients to meet some of the GDPR requirements for data controllers.
My hope is that the following review of some of the key GDPR requirements and how Janrain meets them may prove helpful to you as you assess your own organization’s GDPR readiness.
Implementation of appropriate technical and organizational measures to protect personal data.
- We, and our underlying hosting services provider, Amazon Web Services, Inc., have implemented appropriate administrative, physical, and technical safeguards (including data encryption, backup, and recovery processes) for the protection of hosted personal data against unauthorized disclosure and accidental or unlawful destruction, loss, or alteration.
Data Protection Officer for certain processing
- Since 2013, I’ve led our privacy program as General Counsel and VP, Privacy.
- I am a company officer, an attorney, and a certified information privacy professional.
Notification of data breach without undue delay
- Our systems monitoring controls would assist in detecting any breach, and we have implemented an Information Security Event Management Policy and procedures and a related Communication Policy to support our prompt notification to customers of any breach.
- These policies and procedures are part of our ISO 27001:2013-certified Information Security Management Program.
Documentation of processing
- We define the extent of our processing in our customer service agreements, record it in our logs, and map it across our platform.
Privacy by Design
- Although Privacy by Design is required for data controllers, not processors, we take a proactive approach in making sure appropriate levels of data protection are applied at the product development stage and in our data processing.
Third Party Certifications
- The GDPR expressly recognizes certifications as a means of demonstrating compliance. Apart from potential customer demands, it is always a good practice to have a third party come and kick your company’s tires to make sure your practices are what they should be and to suggest improvements. So, we have undertaken third party audits to certify or assure our compliance with ISO 27001:2013 standards and SOC 2 Type II Trust Principles. Plus, our privacy practices have been reviewed and certified by an independent auditor, TRUSTe.
ENABLING CUSTOMER COMPLIANCE WITH THE GDPR
Data subject consent required for processing
- Our platform registration functionality enables data subjects to voluntarily enter their personal data or share their personal data from their preferred social platforms.
- This functionality also enables our customers to explain the purposes for processing in the registration workflow.
Data subject right of personal data removal
- Our customers can remove a data subject’s personal data record via our Customer Care Portal with the backup record automatically removed 24 hours later.
Data subject right to personal data portability
- Our customers can obtain a copy of a data subject’s personal data record via our Customer Care Portal or an entity API call.
No collection of child personal data without parental consent
- We offer a child version of our registration solution, which includes a workflow that eliminates the collection of personal data.
As you can see, we take a lot of steps to make sure we are always security compliant. You can read more about our security measures and certifications here.