By Natalie Bluhm Posted December 9, 2017
Organizations that collect and process personal data from EU citizens are faced with an advancing deadline to get their procedures in line with the General Data Protection Regulation (GDPR). The GDPR is the biggest change to European Union (EU) data protection law since the 1995 EU Data Protection Directive. The GDPR expands the scope of companies that need to comply, strengthens data subject rights, and raises the bar for security and privacy. One of the new rights EU citizens have with their personal data is the right to erasure and data portability.
If you need to familiarize yourself with the GDPR, consider exploring this site. If you are not familiar with some of the GDPR terminology, you might find this page of the GDPR regulation helpful. Otherwise, continue reading to find out what the right to erasure and data portability means, and the steps JumpCloud is taking to to meet this component of the GDPR.
The Right to Erasure
First, let’s break down the right to erasure. Also referred to as the right to be forgotten, the right to erasure grants data subjects (EU citizens) the right to have their personal data deleted under certain circumstances (GDPR Art. 17). However, a data subject’s request for erasure needs to meet one of these conditions (ICO):
- The personal data is no longer needed for the purpose it was originally collected.
- The individual withdraws consent.
- The controllers/processors breached the GDPR and did not obtain proper consent.
- Legal obligations require that the personal data is erased.
When a request for erasure is made and the organization has shared this data with third-party processors, the organization needs to do everything it can to inform the third party processor of the erasure.
The GDPR also presents conditions where organizations have the right to refuse erasure. These are as follows (ICO):
- The processing of data is part of their right to freedom of expression and information.
- The processing of data serves to further scientific, historical, or statistical research.
- The personal data is part of the exercise or defence of legal claims.
The underlying reason for this new component to the GDPR is to grant data subjects the right to have their personal data erased if there is no longer a valid reason for it to be processed. Next, let’s take a look at what the right to data portability means.
The Right to Data Portability
The right to data portability grants EU citizens the right to obtain and reuse their personal data with other services (GDPR Art. 20). Organizations must comply with this right by providing an individual’s personal data in a commonly used electronic format. This format needs to be machine readable and allow the ability for software to extract the information. Individuals can also request that organizations share the personal data directly with another service if this is technically possible. Organizations must respond to a request as soon as possible or within a month of the request. If an organization has multiple requests or the request is complex, the organization is allowed to take up to two months to comply.
Now that you have some understanding of what the right to data erasure and data portability are, let’s take a look at how JumpCloud meets these requirements of the GDPR.
JumpCloud and the Right to Erasure and Data Portability
Through JumpCloud’s directory services, IT admins have full control over the personal data that is stored in the identity management platform. This personal data can include information such as phone numbers and addresses. It’s important to understand that this data is completely controlled by the customer. At any time, the customer and the data subject can modify this data, delete it, or share it. Because this data is user generated, JumpCloud has no control over it and is not able to share this data if requested.
JumpCloud does use third-party data processors such as AWS, Google Cloud Platform, and Salesforce. With each of these, JumpCloud has entered into a data processing agreement that doesn’t allow the third-party processor to use personal data we may have collected without our direction. We also don’t sell personal data, license it, or allow third parties to market to those whose personal data we may have collected. If a data subject requests to have their personal data erased, any data that is processed with a third party will also be deleted.
Learn More about JumpCloud and the GDPR
JumpCloud understands data is an organization’s digital kingdom, so we work very hard to treat your data with the utmost respect, privacy, and security. We welcome you to contact us if you have questions about JumpCloud’s GDPR compliance, or how we can help you achieve GDPR compliance. For any requests for information or deletion, please reach out to us by emailing: firstname.lastname@example.org. You are also invited to start testing our identity management solution by signing up for a free account. Your first ten users are free forever.