Organizations that collect and process personal data from EU citizens are faced with an advancing deadline to get their procedures in line with the General Data Protection Regulation (GDPR). The GDPR is the biggest change to European Union (EU) data protection law since the 1995 EU Data Protection Directive.
The GDPR expands the scope of companies that need to comply, strengthens data subject rights, and raises the bar for security and privacy. Among the new rights EU citizens have with respect to their personal data are the right to erasure and the right to data portability. GDPR has a global scope and applies to any organization that processes personal data, regardless of its size.
You may find this page of the GDPR regulation helpful if you are not familiar with some of the GDPR terminology. Otherwise, read on to find out why the law was created, its basic tenets, the basic rights of EU citizens under GDPR, steps to compliance with GDPR, and what JumpCloud is doing to meet these requirements and fulfill all of its obligations under the law.
What Is GDPR?
GDPR is a landmark data protection law that was introduced by the EU in May 2018 to regulate the collection, use, storage, and sharing of personal data. Significantly, it places no limits on where the data processing occurs. Its main objective is to increase transparency and introduce accountability for organizations that are custodians of data.
GDPR applies to all organizations that process personal data of EU citizens, including businesses of all sizes, nonprofits, and government agencies. Organizations that fail to comply with the GDPR can face fines and reputational damage. Enforcement is broad: Amazon was assessed a €746 million fine in 2021, while small businesses found to be in violation of the law often pay anywhere from a few hundred to several thousand euros.
Main Goals of GDPR
The main goal of GDPR is to protect and strengthen individuals’ right to privacy and ensure that organizations process personal data in an accountable, secure, and transparent manner.
EU citizens (and many people beyond its borders) now have more control over their personal data, including the right to access, correct, and delete what has been collected about them. Small and medium-sized enterprises (SMEs) must provide clear privacy notices and obtain consent from customers before they gather any personal information about them.
Strong enforcement is built into the law, which introduced substantially higher penalties for noncompliance. EU supervisory authorities were granted significant new powers to enforce data protection laws, including a broad authority to impose fines.
The EU also used the law to smooth regulations among its member states into a strong, unified framework. The law does provide for the free flow of data between EU members and third countries, but data transfers are subject to conditions. As a result, SMEs must identify and manage multi-jurisdictional retention requirements when they store data among cloud service providers.
Organizations of all sizes must be prepared to invest in GDPR. Keeping records and data within compliance, creating organizational policies and controls, conducting training, and developing human resources are foundational activities. An identity management platform is an important system to achieve compliance by controlling employees’ personal data.
Which Organizations Does GDPR Apply To?
GDPR applies to organizations of all sizes and all types that are:
Based in the EU: Any organization that’s based in the EU that processes the personal data of EU citizens is subject to the law. There’s no getting around it: the rules apply whether the processing takes place within or outside the EU.
Based outside the EU: Any organization that processes the personal data of EU citizens is subject to the law, regardless of where it’s based. That association is not defined solely by a direct customer relationship: any party that takes part in monitoring consumer behavior is covered.
Data controllers and processors: An organization that collects data and uses it for a marketing promotion, such as an animal shelter holding names and addresses in a database for a fundraiser, is considered the data controller. It may hire a printing company to send out invitations, which makes the printer a data processor. Any data processor that handles personal data on behalf of a controller is subject to GDPR, regardless of its location.
Every organization that’s subject to GDPR must comply with its requirements, including obtaining consent for data processing, implementing appropriate technical and organizational measures to protect personal data, and providing individuals control over their data. The next section outlines the rights of EU citizens in greater detail and what information is involved.
Information Protected Under GDPR
So, what type of information would an organization that controls or processes data have to look out for?
- Basic identity information: This personal information includes records such as an individual’s name, address, email, telephone number, and other contact details.
- Web data: Online identifiers are considered to be personal information such as IP addresses, cookies, location information, and RFID tags.
- Health and genetic data: This includes information about an individual’s physical or mental health, such as medical records and information about disabilities.
- Personal preferences and characteristics: Personal characteristics and preferences such as religion, race, ethnicity, political beliefs, and sexual orientation are protected.
- Anything that relates to an identifiable living person: This includes state-issued identifiers such as passport numbers, national identification numbers, and social security numbers. Financial information such as bank account numbers and credit card numbers, and demographic data such as job title, salary, and employment history, are all considered personal information under GDPR and should be protected. Biometric data is also classified as personally identifiable information under GDPR.
Basic Rights Under GDPR
Individuals residing within EU territories have the right to access, erase, or rectify their personal data. They may also restrict processing and have the right to data portability. Organizations that process personal data must comply with GDPR requirements in order to uphold these rights.
Right to Access
Individuals have the right to request access to all of their personal data that is being processed by an organization, as well as other information related to that processing.
Right to Be Informed
You may have noticed that many websites prompt you to select what data will be shared. That’s because EU citizens have the right to be informed about how their personal data is being processed, including why it is being processed, who it is being shared with, and how long it will be retained. GDPR frequently has a halo effect for people who reside outside of the EU.
Right to Data Portability
The right to data portability grants EU citizens the right to obtain and reuse their personal data with other services (GDPR Art. 20). Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format that can be transferred to another controller. Individuals can also request that organizations share the personal data directly with another service if this is technically feasible. Organizations must respond to a request as soon as possible and up to one month from the request. The organization is permitted to take up to two months to comply if it receives a large volume of requests or the request is complex.
Right to Be Forgotten (Right to Erasure)
The right to erasure, also referred to as the right to be forgotten, grants data subjects (EU citizens) the right to have their personal data deleted under certain circumstances (GDPR Art. 17). However, a data subject’s request for erasure needs to meet one of these conditions (ICO):
- The personal data is no longer needed for the purpose it was originally collected
- The individual withdraws consent
- The controllers/processors breached the GDPR and did not obtain proper consent
- Legal obligations require that the personal data is erased
If the organization has shared this data with third-party processors, it must do everything it can to inform those processors of the erasure when a request is made.
However, there’s some flexibility under the law. The GDPR also presents conditions where organizations have the right to refuse erasure. Those are as follows (ICO):
- The processing of data is part of their right to freedom of expression and information
- The processing of data serves to further scientific, historical, or statistical research
- The personal data is part of the exercise or defense of legal claims
The underlying reason for this component of the GDPR is to grant data subjects the right to have their personal data erased when there is no longer a valid reason for it to be processed. Next, let’s take a look at the right to object.
Right to Object
Individuals have the right to object to the processing of their personal data in certain situations, such as when the processing is going to be used for direct marketing purposes.
Right to Restrict Processing
Processing of personal data can be restricted under certain circumstances, such as when an individual contests the accuracy of the information within it or when the processing is unlawful.
Right to Rectification
EU citizens may request that their personal data be corrected if it’s inaccurate or incomplete.
Steps to Compliance with GDPR
Your organization’s journey to GDPR compliance begins with planning and preparation, followed by enacting the appropriate organizational and technical controls to execute your strategy.
Create an Action Plan
Use the seven principles of GDPR to make a plan.
Lawfulness, fairness, and transparency: These principles govern how organizations should collect and process personal data within the EU. The general rule of thumb is to be open and honest about your data processing activities. Personal data must be processed in a lawful manner after you’ve obtained explicit consent from individuals. Consent provides a legitimate basis for data processing. As always, fulfill your contractual obligations and comply with all known legal requirements that could impact your role as a data controller or processor.
Be transparent and provide people with clear information about how their data will be used, the purpose of the data processing, its legal basis, the types of data that will be collected, and if it’s going to be shared. Individuals must also be aware of their rights with respect to their data.
Purpose limitation: This is exactly what it sounds like. Organizations must have a clear and specific purpose for collecting and processing personal data, and they cannot use that data for other purposes without obtaining additional consent from the individual or otherwise having a legal basis for doing so. This helps to protect EU citizens’ right to privacy by ensuring that their information is only used in ways that they consent to and that nothing unexpected occurs.
Data minimization: Data minimization is the idea that controllers and processors use the minimum amount of data needed to successfully complete their task (GDPR Art. 5). When thinking about how to comply with data minimization, it is important to consider the duration for storing data, and the processes, software, and systems used in your organization. For example, if controllers only need addresses from data subjects for a project that lasts three months, that data should be erased once that project is completed in three months.
Data minimization is also important to take into account for auditing and logging aspects of a business. It’s important to take note of what kind of information you’re collecting, what information is actually necessary, why it’s necessary, and to discard any irrelevant data (PKWARE). For some controllers and processors, it might have been common practice to hold on to irrelevant data in case it may be needed in the future; however, this practice should be abandoned because it is the opposite of data minimization and doesn’t comply with the GDPR. Whether it’s your data collection team or your security team, it’s crucial to examine your processes and systems that are involved with collecting or interacting with personal data.
Accuracy: Personal data must be accurate and maintained. It’s your responsibility to ensure that it’s complete, correct, and current. Your customers can ask that it be corrected and that request has the weight of the law behind it.
Storage limitation: GDPR mandates that you don’t keep data longer than necessary and stick to the purpose for which it was collected. Policies and procedures will help meet this requirement such as content retention rules or a plan to anonymize old data.
Integrity and confidentiality (security): Personal data must be processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or “damage.” The EU suggests using “appropriate technical or organizational measures.” This article provides a primer on cybersecurity planning and might be helpful.
Accountability: It’s your organization’s responsibility to demonstrate GDPR compliance by having documentation of technical and organizational controls, conducting data protection impact assessments (DPIAs), and maintaining records of and related to data processing activities. You must prove that you’re honoring the aforementioned concepts of transparency, purpose limitation, and data minimization. A Data Protection Officer (DPO) should be appointed as point person to cooperate with supervisory authorities and report any known data breaches. It’s important to note that failure to meet these expectations will result in fines.
Generate a Processing Register
Accountability isn’t just a suggestion under GDPR; the consequences of noncompliance are real. It’s vital to keep a record of processing activities to avoid being fined and experiencing reputational harm. These steps will help you create a processing register for that purpose:
Identify processing activities: Identify anything that involves personal data, including data collection, storage, use, and sharing activities. Capture the purpose, data subjects, types of data, and legal basis for processing every time you process data.
Record details: Every detail matters. Capture the identity and contact information of the data controller and data processor every time these activities happen. You’re responsible for recording the purpose of processing, the types of personal data processed, the legal basis for processing, as well as the categories of personal data for all data subjects.
Map data flows: Identify the sources and recipients of personal data, as well as any third-party service providers (sub-processors) involved in data processing. The animal shelter mentioned above would have to record that it worked with the local print shop for its fundraiser.
Review and update: Your processing register must be reviewed and updated regularly to ensure that it remains accurate and up to date.
Make the register available: Data subjects can request to review your register and your organization must provide it to supervisory authorities within the EU upon request.
Operationalize DPIA and PbD
Data protection impact assessment (DPIA) and privacy by design (PbD) are important components of GDPR compliance. Follow these steps to operationalize DPIA and PbD:
Identify high-risk processing activities: Flag any activities that could pose a high risk to the rights and freedoms of data subjects. These include processing sensitive personal data, any high-volume data imports, and any ongoing monitoring of individuals.
Conduct DPIAs: DPIAs assess the likelihood and severity of risks to data subjects and can be used to identify measures/controls that could help to mitigate or eliminate those risks.
Implement PbD principles: The data processing life cycle should incorporate PbD principles (data minimization, purpose limitation, and privacy by default and by design) at every stage.
Integrate DPIA and PbD into processes: DPIA and PbD should be a part of all relevant processes, such as product development, system design, and procurement, at every stage.
Assign responsibility: Assign responsibility for DPIA and PbD to a specific individual or team member, such as a data protection officer or compliance officer.
Monitor and review: Monitor and review the effectiveness of your DPIA and PbD processes and make any necessary adjustments to ensure that you remain in compliance with GDPR.
Data Protection Impact Assessment and Privacy by Design
GDPR presents new requirements regarding privacy and security by design. In the past, organizations had to have privacy and security by design, but the EU 1995 Directive didn’t specify at what point in the data collection process it needed to be fulfilled. It allowed organizations to treat privacy as an afterthought. The GDPR changes this and mandates controllers and processors to plan for security and privacy at the very beginning of a data collection project.
Organizations need to include systems, procedures, software, and processes when examining the security and privacy of a data collection project. Read this post to learn more about how to prepare to be GDPR compliant in regards to privacy and security by design and how JumpCloud secures personal data.
Privacy impact assessments (PIA) are a major component of GDPR, and are mandatory under certain circumstances that an SME may not encounter. For example, if a data collection project involved large amounts of personal data related to criminal convictions and offenses, the controller and processor involved would have to carry out a PIA. Consider reading this post if you would like to learn more about the special circumstances that require a PIA, and JumpCloud’s role in meeting this component of the GDPR.
Build a Framework for Consent Management
Consent management has been an ongoing theme in this document. Here are some steps you can follow to create a framework that operationalizes it:
- Identify the types of personal data you collect and process and why you’re doing it.
- Determine the legal basis for processing the data, such as obtaining consent from an individual, fulfilling a contractual obligation, or pursuing a legitimate business interest.
- Determine the scope of consent required by including the types of data that will be collected, its purposes, and the duration of the consent.
- Obtain explicit consent from individuals for the processing of their personal data. Remember to always provide a clear and concise statement of purpose.
- Provide individuals with information about their right to withdraw consent and make it easy to do at any time.
- Implement processes for managing consent, including collecting and storing consent records.
- Regularly review and update consent records as necessary to ensure that they remain accurate and up to date. You may have noticed this when an email list checks in to ask whether you still want to subscribe to it.
Meet EU Privacy Cookie Compliance Requirements
Web tracking is a major reason why GDPR exists, and cookies are a common method to identify and track individuals online. Consider adding a module to your websites that manages cookies. Otherwise, follow these manual steps to avoid running afoul of GDPR:
Audit your website: Conduct a thorough audit of your website to identify cookies.
Clear communication: You must disclose whether cookies are being used, their purpose, and how long they will be stored on a device.
Make it easy to withdraw consent: This can be done through a settings page that allows users to manage cookies. Many websites refer to this as “cookie preferences.”
Use opt-out tools: Chances are you’ve encountered this when you’ve visited websites over the past few years. Implement cookie opt-out tools that permit users to reject nonessential cookies, such as those used for advertising and marketing analytics.
Keep records of consent: Capture the date and time of consent, and the user’s location.
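The cookie steps above (gate non-essential cookies behind consent, make withdrawal easy, keep a timestamped record) as an added example, not JumpCloud’s code. The cookie jar is injected so the same logic can wrap `document.cookie` in a browser or an in-memory map here; the category names, record fields and `MemoryJar` helper are assumptions made for this example.

```javascript
// Added example (not JumpCloud's code): a cookie-consent gate that blocks
// non-essential cookies until the user opts in per category, keeps a
// timestamped consent record, and makes withdrawal a single call. The cookie
// jar is injected so the same logic can wrap document.cookie in a browser or
// an in-memory map here; category names and record fields are assumptions.

const CATEGORIES = Object.freeze({
  essential: { requiresConsent: false }, // session, CSRF, load balancing
  analytics: { requiresConsent: true },
  marketing: { requiresConsent: true },
});

class ConsentManager {
  // jar: object with set(name, value) and remove(name); clock: () => Date
  constructor(jar, clock = () => new Date()) {
    this.jar = jar;
    this.clock = clock;
    this.granted = new Set(); // categories currently consented to
    this.placed = new Map();  // cookie name -> category, so purging is exact
    this.records = [];        // audit trail: every grant and withdrawal
  }

  // Store an explicit choice. Only categories the user actively ticked are
  // granted; anything unticked counts as rejected (no pre-ticked boxes).
  recordChoice(choices, policyVersion, region = 'unknown') {
    const granted = Object.keys(CATEGORIES).filter(
      (c) => CATEGORIES[c].requiresConsent && choices[c] === true,
    );
    this.granted = new Set(granted);
    const at = this.clock().toISOString(); // date and time of consent
    this.records.push({ at, action: 'grant', policyVersion, region, granted });
    this.purgeRevoked();
  }

  // Withdrawal must be as easy as giving consent: clear every non-essential
  // grant and delete the cookies already set under those categories.
  withdrawAll(region = 'unknown') {
    this.granted.clear();
    const at = this.clock().toISOString();
    this.records.push({ at, action: 'withdraw', region, granted: [] });
    this.purgeRevoked();
  }

  // Every cookie write goes through the consent state. Returns whether the
  // cookie was set, so the caller can degrade gracefully instead of failing.
  setCookie(name, value, category) {
    const cat = CATEGORIES[category];
    if (!cat) throw new Error(`unknown cookie category: ${category}`);
    if (cat.requiresConsent && !this.granted.has(category)) return false;
    this.jar.set(name, value);
    this.placed.set(name, category);
    return true;
  }

  // Remove cookies whose category is no longer consented to.
  purgeRevoked() {
    for (const [name, category] of this.placed) {
      if (CATEGORIES[category].requiresConsent && !this.granted.has(category)) {
        this.jar.remove(name);
        this.placed.delete(name);
      }
    }
  }
}

// In-memory stand-in for document.cookie so the example runs offline.
class MemoryJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  has(name) { return this.store.has(name); }
}

// Walk the life cycle with constructed values and return what happened.
function demo() {
  const jar = new MemoryJar();
  const cm = new ConsentManager(jar, () => new Date('2024-01-15T10:00:00Z'));
  const beforeEssential = cm.setCookie('session_id', 'abc123', 'essential');
  const beforeAnalytics = cm.setCookie('_analytics_id', 'x', 'analytics');
  cm.recordChoice({ analytics: true }, 'cookie-policy-v3', 'EU'); // marketing unticked
  const afterAnalytics = cm.setCookie('_analytics_id', 'x', 'analytics');
  const afterMarketing = cm.setCookie('ad_id', 'y', 'marketing');
  cm.withdrawAll('EU');
  return {
    beforeEssential, beforeAnalytics, afterAnalytics, afterMarketing,
    analyticsRemoved: !jar.has('_analytics_id'),
    essentialKept: jar.has('session_id'),
    records: cm.records,
  };
}
```

In a browser, `MemoryJar` would be replaced by a thin wrapper that writes and expires `document.cookie`; the consent state and records themselves would normally be persisted server-side so they survive the user clearing cookies.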
Build a Data Subject Access Request (DSAR) Portal
Think back to how individuals can request to review the data that’s been captured about them. DSAR is the term used to describe those requests as a formal process. Here’s how your organization can be prepared to field those requests as they come in:
Categorize data: Know what personal data will be collected/processed and the reason why that’s going to happen.
Determine DSAR request types: These may involve access to personal data, rectification, or requests to restrict or object to the processing of personal data.
Create a user portal: You must provide a place where people can submit DSAR requests and provide clear instructions on how to use it.
Use secure authentication: Verify the identity of individuals making DSAR requests through authentication flows with factors including username and password, basic multi-factor authentication (MFA), or modern authentication using a secure token.
Have a process to respond to DSAR requests: Have a clear process to act upon any DSAR requests, including assigning a responsible person, and setting a timeline for a response.
Keep records of DSAR requests: Timestamp incoming requests, categorize the type of request, the personal data that is being processed, and record your response to it.
Review and Remediate Processor Risks
Imagine you’re working at the animal shelter and want to hire that local print shop. GDPR might be confusing (or even scary) when you consider the potential consequences for noncompliance, even for something so mundane. Follow these steps to identify and mitigate your risks:
Identify your processors: Keep records of your vendors, including cloud service providers, IT service providers, and all third-party service providers who process personal data on your behalf. The animal shelter would be required to keep records about working with a printer.
Assess the risks: Consider the nature of the data being processed, the purposes of the processing, and the security measures that are in place before you select a data processor.
Conduct due diligence: Review the processor’s privacy and security policies, conduct a risk assessment, and evaluate their capacity to comply with GDPR requirements.
Review and update contracts: Contracts must comply with GDPR requirements, including requirements related to confidentiality, data protection, and cybersecurity.
Implement controls: Take steps to protect personal data when working with processors, such as encryption, and pseudonymization/anonymization to cleanse data of any identifiers.
Monitor compliance: Routinely audit your processor, reviewing its security measures and how it has responded to any incidents or breaches that led to data exfiltration.
Make a remediation plan: Your remediation plan should address gaps identified in the review process. Use it as the basis to take appropriate action to remediate any identified risks.
Prepare an Incident Reporting & Breach Management Workflow
A new component of the GDPR is notifying appropriate individuals and supervisory authorities of a breach within 72 hours of its discovery. Organizations must always inform a supervisory authority, but there are some circumstances where they do not have to notify the affected individuals. If controllers and processors fail to properly notify authorities and affected individuals, they could face a fine of up to €10 million or 2% of their global turnover. Learn more about the 72-hour breach notification and JumpCloud’s approach by reading this post.
Review Cross Border Data Transfer Mechanisms
The internet has made the world a small place. Chances are you’re not aware of where some of your apps are running from or storing their data. Organizations that interact with EU citizens have to know what’s happening with their own apps and services. Therefore, reviewing where personal data flows, and is being stored, is an important aspect of GDPR compliance. Follow these steps to review whether any of your systems include cross-border data transfers:
Identify data transfers: It’s your responsibility to identify transfers that take place in your organization, including transfers to third-party service providers, or even other entities within your organization. GDPR is most concerned with transfers to locations outside the EU and the European Economic Area (EEA), which could easily be a cloud provider.
Determine the legal basis for transfer: Determine whether the transfer is necessary for the performance of a contract or is based on an adequacy decision, which is when the EU determines that another state’s privacy laws are equivalent to GDPR’s consumer protections. This can become a complex subject. For instance, there are sometimes exceptions to the law (derogations) when safeguards aren’t in place if a user explicitly consents to the risks involved.
Evaluate adequacy decisions: Evaluate whether an adequacy decision has been made by the European Commission for any country that’s outside of its territory. The EU regularly publishes this information.
Implement appropriate safeguards: Always implement appropriate safeguards to protect personal data, such as standard contractual clauses or binding corporate rules. This step is especially important when an adequacy decision can’t be identified.
Review third-party agreements: Third-party service providers must also comply with GDPR requirements for cross-border data transfers.
Document data transfers: Document each cross-border data transfer, including the legal basis for it, the safeguards that are in place to protect data, and any of the service agreements involved.
Review and update policies: Policies related to data protection, impact assessments, risk assessments, and other security measures should be revisited regularly. This isn’t just paperwork: regularly monitor compliance with GDPR policies and procedures.
Implement GDPR Compliance Training
GDPR is comprehensive, and the law has “teeth” if you fail to comply with it. This blog alone should make you aware that compliance training is a good idea. It’s also expected of you, and doing it demonstrates a commitment to complying with EU privacy rules.
Identify stakeholders: All stakeholders will require GDPR compliance training. This includes employees, contractors, and third-party service providers.
Training: Develop training materials that are specific to your organization’s GDPR compliance needs, including policies, organizational procedures, and any best practices.
Educate stakeholders: Consider online courses, in-person training sessions, or a combination of both. Schedule training sessions at convenient times and locations. Remember: their attendance is mandatory.
Find your champion: GDPR compliance training should be “owned” by a specific individual or team within your organization, such as a data protection officer or compliance officer.
Monitor progress: You should record all progress for GDPR compliance training, capture when courses are completed, and provide additional training or support when it’s necessary. You may be required to demonstrate the effectiveness of your training by quizzing your stakeholders. A learning management system might be a helpful tool to accomplish this.
Appoint a Data Protection Officer (DPO)
The GDPR specifies the circumstances under which a company must have a data protection officer (DPO). The DPO works with the company to ensure its data collection processes align with the GDPR. Companies can assign someone already working within their organization to be their DPO, or it can be someone from an external service provider. If a DPO is chosen from within the organization, special care needs to be taken to ensure that the individual is not assigned any additional tasks that could create a conflict of interest. Read this post if you’re interested in finding out more about who can be a DPO, how organizations will work with DPOs, and what a DPO will do.
JumpCloud and Compliance with GDPR
Data security and trust are integral to JumpCloud’s open directory platform. This webpage provides a broad overview of JumpCloud’s compliance with the EU General Data Protection Regulation and is informational in nature. The content of this webpage is not a legally binding document and should not be considered a substitute for legal advice. JumpCloud’s Data Processing Addendum (DPA) is incorporated into the Directory-as-a-Service Agreement (DAASA) that JumpCloud enters with its customers. A copy of JumpCloud’s DPA is available here for your review. You may also review JumpCloud’s compliance with GDPR.
JumpCloud and the Right to Erasure and Data Portability
The final component of the GDPR is an EU citizen’s right to data erasure and data portability. The right to erasure gives EU citizens the right to have their data deleted upon request. Under certain circumstances, organizations must comply with the request, but there are also conditions where an organization can refuse erasure. The right to data portability provides data subjects (EU citizens) with the right to obtain a copy of their data from organizations, and the right to share their data with other services. For more details on how to prepare to be GDPR compliant in regards to the right to erasure and data portability, read this post.
We also don’t sell personal data, license it, or allow third parties to market to those whose personal data we may have collected. If a data subject requests to have their personal data erased, any data that is processed with a third party will also be deleted.
GDPR Solutions with JumpCloud
JumpCloud helps admins obtain full control over the personal data that is stored in the identity management platform. This personal data can include information such as phone numbers and addresses. It’s important to understand that this data is completely controlled by the customer. JumpCloud helps companies achieve requirements for a variety of compliance standards.
At any time, the customer and the data subject can modify this data, delete it, or share it. Because this data is user generated, JumpCloud has no control over it and is not able to share this data if requested.
Learn More About JumpCloud and GDPR
JumpCloud understands data is an organization’s digital kingdom, so we work very hard to treat your data with the utmost respect, privacy, and security. We welcome you to contact us if you have questions about JumpCloud’s GDPR compliance, or how we can help you achieve GDPR compliance. For any requests for information or deletion, please reach out to us by emailing: [email protected]. You are also invited to start testing our identity management solution by signing up for a free account.
JumpCloud offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.