By Natalie Bluhm Posted November 30, 2017
European Union (EU) data protection laws will change significantly in May 2018, when the General Data Protection Regulation (GDPR) takes the place of the 1995 EU Data Protection Directive. Despite the two-year grace period, “52% of companies believe they will be fined for non-compliance,” and it is predicted that “the EU could collect as much as $6 billion in fines and penalties in the first year” (CSO). There are still six months left to get your house in order, so we’ve created a series of posts that take an in-depth look at specific components of the GDPR. This post offers a closer examination of what the GDPR has termed “privacy and security by design” (GDPR Art. 25). If you would like to familiarize yourself with the GDPR, consider exploring this site. If you are not familiar with some of the GDPR terminology, you might find this page of the GDPR regulation to be helpful.
Now, let’s take a look at what privacy and security by design means and the steps you can take to meet this requirement. Then we’ll discuss how JumpCloud intersects with this component of the GDPR.
Privacy and Security by Design Explained
What is privacy by design? Privacy and security by design is building privacy into the systems, processes, and software used in processing personal data. While this concept has been around for quite a while in the tech industry and legal sector, it hasn’t always been implemented elsewhere. Under the old 1995 Directive, privacy and security were required, but data controllers had the option of treating privacy and security as an afterthought. The GDPR changes this and forces controllers and processors to instill privacy and security at the inception of a data collection project and imbue these elements into every tool and process used to collect personal data (Deloitte). This might seem daunting at first, but in the long run privacy and security by design can actually increase the efficiency of your development process. This is because it really forces a development team to carefully think about what kind of data they want to collect, the purpose in collecting this data, and how to collect it legitimately.
Privacy and Security by Design in Action
So what does an organization have to consider when implementing privacy and security by design? Steps that you might take when implementing privacy by design include the following (Privacy Trust):
- Limiting the use of personal data to the minimum amount needed to complete a project
- Minimizing the processing, storage, and accessibility of data
- Making sure data is portable
- Carrying out a Privacy Impact Assessment to identify privacy risks within your design
- Having a plan for what will be done with the data when the product or service retires
Whether your organization is familiar with privacy and security by design or the GDPR has just brought this concept to your attention, it is important to evaluate your company’s approach to meeting this mandatory component of the GDPR.
Now let’s take a look at how we’re doing this at JumpCloud.
JumpCloud’s Approach to Privacy and Security by Design
Privacy and security have always been central to JumpCloud, and by May 2018, JumpCloud will be fully GDPR compliant. JumpCloud implements privacy and security by design in a few critical ways. There are two aspects to this: one is related to what information and data we ask for in order to deliver and service our platform, and the second is related to how we secure our solution from the inside out.
With respect to the data that JumpCloud needs in order to deliver our services and to support our customers, we do ask for various pieces of personal data. This includes the email address, organization, and phone number for a data subject. Further, we do leverage cookies on our website and application in order to deliver our solution. JumpCloud endeavors to request the minimum data required to service and support our platform for an organization.
In addition, JumpCloud does not share this data with third parties for marketing purposes. Any personal data that is shared with third-party data processors (such as AWS, Google Cloud Platform, Salesforce, and others) is shared under our direction and is subject to a data processing agreement. A data subject may at any time ask to be forgotten by JumpCloud and/or ask what personal data JumpCloud has and how (including where) it is being utilized.
Customers have the option to store personal data in our directory service. JumpCloud does not use this personal data other than to deliver the service (i.e., it is displayed in the UI or leveraged as directed by the customer), nor does it control the data at any time; it merely hosts this data in our platform. Should customers choose to enter personal data such as gender, address, or other personal information, that data is encrypted, and customers have total control over this data.
The other aspect of privacy and security by design is the security side. JumpCloud takes security very seriously, and its approach has a number of different layers. First, JumpCloud’s security strategy starts with securing all data in flight and at rest through encryption. Further, any passwords that JumpCloud manages are one-way hashed and salted.
Second, we actively participate in ongoing security processes, including vulnerability scanning, penetration testing, training, and patching. Visit this page for more information on our robust security practices.
Third, access to data is only granted to key personnel with a verified and documented business need. This access is monitored.
Finally, JumpCloud engages in regular third-party security audits.
Contact Us with Questions About GDPR
For more information on the GDPR and privacy and security by design, please reach out to us directly with your questions. We’ll gladly get back to you with answers. You’re also invited to test our modern identity management platform by signing up for a free account. All of our features are available and your first ten users are free forever.