By Natalie Bluhm Posted December 15, 2017
On May 25, 2018, the General Data Protection Regulation (GDPR) goes into effect. This will be Europe’s biggest change to data protection law since the 1995 European Union (EU) Data Protection Directive (Directive 95). GDPR is elevating the requirements for data protection, security, and compliance. The GDPR will impact all companies that collect and process personal data from EU citizens, and JumpCloud is taking a number of steps to prepare to be GDPR compliant. We’ve put together a series of posts that looks at the 6 core components of GDPR and how JumpCloud is approaching these aspects of GDPR. If you are interested in a specific area of GDPR, below is a list of the blog posts that cover each component in detail:
- GDPR (General Data Protection Regulation) & JumpCloud (Overview)
- GDPR: Privacy and Security by Design
- GDPR: Breach Notification
- GDPR: Data Minimization
- GDPR: Data Protection Officer
- GDPR: Mandatory Privacy Impact Assessments
- GDPR: Right to Erasure and Data Portability
Read the rest of this post for a quick snapshot of what this GDPR series covers.
GDPR (General Data Protection Regulation) & JumpCloud
EU Data protection laws have been in need of an update considering the transformation technology has undergone over the last two decades. This was one of the incentives behind the GDPR. The GDPR addresses changes in technology by expanding the scope of who has to comply with EU data protection law, strengthening EU citizen rights, and raising the bar when it comes to personal data privacy and security. Read this post if you would like to gain a better understanding of how the GDPR is making general changes to data protection law, and how JumpCloud is prepared to be GDPR compliant by the May 2018 deadline.
GDPR: Privacy and Security by Design
While not necessarily a new concept, the GDPR presents new requirements regarding privacy and security by design. In the past, organizations had to have privacy and security by design, but the EU 1995 Directive didn’t specify at what point in the data collection process it needed to be fulfilled. It allowed organizations to treat privacy as an afterthought. The GDPR changes this and mandates controllers and processors to plan for security and privacy at the very beginning of a data collection project. Organizations need to include systems, procedures, software, and processes when examining the security and privacy of a data collection project. Read this post to learn more about how to prepare to be GDPR compliant in regards to privacy and security by design and how JumpCloud secures personal data.
GDPR: Breach Notification
A new component to the GDPR is notifying appropriate individuals and supervisory authorities of a breach within 72 hours of it being discovered. Organizations must always inform a supervisory authority, but there are some circumstances where they do not have to notify the affected individuals. If controllers and processors fail to properly notify authorities and affected individuals, they could face a fine of up to $11.9 million or 2% of their global turnover. Learn more about the 72 hour breach notification and JumpCloud’s approach by reading this post.
GDPR: Data Minimization
Data minimization is the fourth component to the GDPR. Data minimization is another concept that has been around for awhile that the GDPR is bringing some clarification to. This component is requiring controllers and processors to collect and process the minimum amount of data needed to successfully complete a project. When GDPR takes effect, organizations can no longer hold onto data just because there’s a chance it might be useful later. If you would like to learn more about how to prepare to be GDPR compliant in regards to data minimization and JumpCloud’s steps toward meeting this component to the GDPR, go to this blog post.
GDPR: Data Protection Officer
The GDPR specifies under certain circumstances where a company must have a data protection officer (DPO). The data protection officer will work with companies to ensure their data collection processes align with the GDPR. Companies can assign someone who’s already working within their organization to be their DPO or it can be someone from an external service provider. If a DPO is chosen from within the organization, special care needs to be taken to ensure that the individual is not assigned any additional tasks that could create a conflict of interest. Read this post if you’re interested in finding out more about who can be a DPO, how organizations will work with DPO’s, and what a DPO will do.
GDPR: Mandatory Privacy Impact Assessments
Mandatory privacy impact assessments (PIA) is the fifth major component to the GDPR. However, a PIA is only mandatory under certain circumstances. For example, if a data collection project involved large amounts of personal data related to criminal convictions and offenses, the controller and processor involved would have to carry out a PIA. Consider reading this post if you would like to learn more about the special circumstances that require a PIA, and JumpCloud’s role in meeting this component of the GDPR.
GDPR: Right to Erasure and Data Portability
The final component to the GDPR is an EU citizen’s right to data erasure and data portability. The right to erasure gives EU citizens the right to have their data deleted upon request. Under certain circumstances, organizations must comply with the request, but there are also conditions where an organization can refuse erasure. The right to data portability provides data subjects (EU citizens) with the right to obtain a copy of their data from organizations, and the right to share their data with other services. For more details on how to prepare to be GDPR compliant in regards to the right to erasure and data portability, read this post.
From data minimization to privacy and security by design, many of these components are foundational in JumpCloud’s security and privacy posture, and we will be GDPR compliant by May 25, 2018.
Learn more about JumpCloud and Compliance
We hope that this post has helped you to understand how you can prepare to be GDPR compliant by showing you the approach that JumpCloud is taking to GDPR compliance. If you are interested in other compliance regulations, consider reading how our cloud-based directory has helped Better Mortgage meet GLBA compliance or Lumeon with HIPAA compliance. You are also more than welcome to reach out to us with any questions you might have about JumpCloud’s GDPR compliance. Curious about Directory-as-a-Service®? Consider signing up for a free account. Your first ten users are free forever.