There has been a lot of talk about an upcoming change to European data protection law, and you might find yourself asking, what is the General Data Protection Regulation? The General Data Protection Regulation (GDPR) is replacing the European Union (EU) Data Protection Directive (Directive 95) that was established in 1995. The world has seen some significant technological changes since 1995, so the mission behind the GDPR is to protect EU citizens from privacy and data breaches. This post will go over some of the general key changes with the GDPR. If you are interested in reading the entire regulation for yourself, you can find it here.
Who has to Comply and What Kind of Data is Protected?
Unlike the previous legislation, which was just a directive, the GDPR is a regulation. That means that all companies that process data in the EU must comply. Complying with the GDPR is required for two types of organizations that handle personal data, and the GDPR has termed these two types as controllers and processors. Controllers are those that determine the reason, the purpose, and conditions for collecting personal data. Processors are those that process data on behalf of a controller. Even if a company’s headquarters or data centers are not in the EU, they need to comply with GDPR if they process any type of personal data from EU citizens. Organizations that don’t comply could be fined up to 4% of global annual turnover or up to $23.6 million dollars, whichever is higher.
So what kind of personal data does GDPR protect? The following list includes the types of personal data that is protected under GDPR (CSO):
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
In addition to expanding the scope of which companies need to comply and what kind of data is protected, the GDPR also clarifies the rights EU citizens have over their personal data.
EU Citizen Rights
Even before their data is collected, the GDPR mandates that the terms and conditions for consent need to be clear, concise, and easy to understand. No longer can they be arduously long or full of legal terms.
Next, the GDPR gives EU citizens (data subjects) the right to know if their personal data is being processed, know where it is being processed and for what purpose. They also have the right to contact data controllers to obtain this information, and data controllers have to provide a copy of that information, free of charge, in electronic format. Furthermore, EU citizens also have the right to have data controllers delete their collected data. Data controllers must comply and they must stop “further dissemination of the data, and potentially have third parties halt processing of the data” (EUGDPR.org).
Privacy, Security, and Data Protection Officers
Besides new data subject rights, the GDPR also introduces some new rules regarding the privacy and security of collected data. One key component to this is compelling companies to make sure that privacy is part of the design in how they process data. For example, controllers only hold and process data that is absolutely necessary for completing their duties, and access to data is limited to those carrying out the processing.
Further, GDPR also mandates that when a breach occurs that could put individuals’ data at risk, a company needs to notify a Data Protection Officer within 72 hours, and the affected individuals. Data Protection Officers are mandatory for controllers and processors that process certain types of data or large amounts of data belonging to EU citizens (EUGDPR.org). DPO’s will work with controllers and processors “to oversee data security strategy and GDPR compliance” (CSO).
Now that you have a general idea of some of the key changes the GDPR will bring in May 2018, let’s take a look at the steps JumpCloud is taking to be GDPR Compliant. JumpCloud will be GDPR compliant by May 2018, and for those customers that need further details or assurances, please contact us.
JumpCloud and GDPR Compliance
JumpCloud takes the privacy and protection of any type of data very seriously, and we are taking a number of steps to be GDPR compliant. For many years, many of the core components for compliance have already been there for JumpCloud. For instance, we don’t share data with third parties. We do leverage third party “processors” such as AWS and Salesforce, but we keep control of all of the data at all times and do not allow third parties to use it. Additionally, AWS and Salesforce have both stipulated in their Data Processing Agreement that they don’t look at their customers’ data. You can read Salesforce’s DPA here and request Amazon’s processing agreement here.
All private data that we may collect is secured, and can only be accessed appropriately. All of our data is encrypted at rest and in flight, and only appropriate personnel can access the data. Even then, any access is fully logged should our personnel ever access the data.
JumpCloud collects a variety of data, some of it can be personal data such as usernames, passwords, phone numbers, and other items. JumpCloud also leverages cookies on its website to help personalize the experience. JumpCloud users can request to understand what data we have collected as well as ask us to delete all data at any time.
Additionally, through our directory, users can store additional personal data that is not controlled by JumpCloud, but only hosted on our platform. However, this data is all user generated content and is between the customer and their users. Any entered data is encrypted and completely controlled by the customer. At no time, does JumpCloud use any of this user generated personal data. Customers have full control over their user generated data and have the ability to delete this data at any time. JumpCloud is happy to support admins with this process if they are unsure of how to do it.
For now, if you are interested in learning more about JumpCloud’s security posture, consider reading JumpCloud’s security practices, or this page for more information on auditing and compliance. Of course, we will be fully GDPR compliant by the May 2018 deadline.
If you would like more information on what is the General Data Protection Regulation and the steps JumpCloud is taking to be GDPR compliant, please reach out to us. You are also invited to start testing our security features like password complexity management, event logging API, and multi-factor authentication by signing up for a free account. Your first ten users are free forever.