For over 20 years, the Data Protection Directive was the primary law regulating data protection for European Union (EU) citizens. Now, effective as of 25 May 2018, the new General Data Protection Regulation (GDPR) will replace it. The GDPR focuses on the control, security, and privacy of sensitive information pertaining to EU citizens. It also applies to companies outside the EU that store or process personal information of EU citizens. The underlying purpose of the GDPR is to protect individual privacy and prevent data breaches by placing tighter controls on how personal data is used and stored.
The GDPR deals with two different "bodies" when it comes to personal information. These are:
- Privacy And Security By Design
Privacy And Security By Design is a section of the GDPR stating that the standard of privacy surrounding personal data must be raised. It orders the controllers to implement the appropriate level of technical and organizational measures to ensure that personal data is used solely for the specifically defined purpose. By limiting the accessibility, processing and storage of this data, it restricts how information is used. Organizations and businesses, by order of the GDPR, must now consider privacy at all times, including during the development of new products or services.
miniOrange addresses Privacy And Security By Design in two ways: first, through the type of information and data we ask for in order to provide our products and services to consumers; second, through the way in which we protect this information when stored. miniOrange doesn't use personal information for any purpose other than initially provisioning products and services. All private data collected by miniOrange is heavily secured and can only be accessed by the appropriate individual.
- Data Breach Notification
Data Breach Notification is a section of the GDPR stating that if a data breach involving personal information occurs, the controllers must notify all of the related parties, as well as the supervisory authorities. This notification must be done no later than 72 hours after the data breach has been identified.
The elements of the actual notification to be sent in such a scenario are detailed as follows:
- The nature of the data breach must be included. This comprises an estimate of the number of data subjects affected, along with their categories, as well as an approximation of the number of individual data records breached, along with their categories.
- The Data Protection Officer (DPO) must have their contact information within the notification, or, at the very least, a contact point from which more information can be gathered.
- A sufficient description of the consequences of the data breach.
- A description of the actions taken by the controller to address the data breach.
miniOrange takes pride in its methods of security concerning personal data: access to our technical infrastructure (in which personal information is contained) is limited to personnel with a documented and approved business need; all of our data at rest is encrypted; login requests and privileged commands are tracked using the appropriate software; our authentication process is secured with methods such as MFA and password complexity.
However, if miniOrange has the least reason to suspect a data breach, the technical and organizational personnel follow a specified response plan and policy. Data recovery aside, the Data Breach Notification is something miniOrange is ready to fulfill to the level described above, as soon as the moment arises.
This notification includes:
- The data subject name and details.
- The date and time of the breach.
- The date and time we detected it.
- Information about the type of breach.
- Information about the personal data affected.
- Data Minimization
Data Minimization is a section of the GDPR stating, very succinctly, that controllers and processors must use the minimum amount of data needed to successfully perform their desired task. To comply with this, it is important to consider the range of personal information that needs to be collected and the span for storing the data, as well as the processes, software, and systems involved with it.
miniOrange only collects and processes personal data that we need to provide services and products. This personal information includes names, email addresses, and other company information. If customers desire their end-users to input this data individually, the customer themselves becomes the controller over that information, and miniOrange becomes the sub-processor. Customers have a large amount of control over this personal information. They can add, delete or modify existing data as they see fit. miniOrange does not utilize this user-generated content in any way other than to display it at the customers' end, for authentication and verification.
- Privacy Impact Assessment
Privacy Impact Assessment is a section of the GDPR stating that an "Impact Assessment" must be conducted at least every 3 years by organizations dealing with personal information that may be detrimental to the privacy of individuals. This includes sensitive information relating to criminal convictions and offenses, or publicly accessible platforms used on a large scale. To identify privacy risks within such platforms, Privacy Impact Assessments are conducted describing how personal information is protected, shared and maintained. The freedom and rights of individuals are considered in this section of the GDPR, by making breaches or ways of exposing the personal information of EU citizens more difficult.
However, this component of the GDPR is quite focused, and is clearly not applicable to every company or organization, as not all will be collecting information on a scale that will affect the concerned individuals' basic rights and freedom.
miniOrange handles a very limited amount of personal information, and primarily deals with only company information. We do not meet the requirements of the Privacy Impact Assessment, and are exempted from implementing it.
- Right To Erasure & The Right To Portability
Right To Erasure is a section of the GDPR stating that individuals must have the ability to have their data "forgotten", or completely erased from all company databases. However, this is applicable only when a set of circumstances holds true; essentially, individuals may invoke this right if the data processing in place fails to satisfy the requirements of the GDPR.
Eligible erasure requests must fulfill the criteria that are listed below:
- The personal data received by the company is not necessary for the purpose it was collected.
- The personal data has been wrongly or inappropriately processed.
- Legal obligations require that the personal data is erased.
Right To Portability is a section of the GDPR stating that EU citizens must have the option to obtain their personal data from a controller for its "re-use" with various other services or products. If technically possible, the individuals could request to make the transfer of personal data directly from one service to the other.
Through the miniOrange directory services, IT Administrators of customer companies have complete control over the personal data of their end-users, which is securely stored in the identity management platform. They can access the data and then choose to delete or share it. The end-users themselves also have control over their personal information and can utilize it to access other services, as well. These features of our platform allow for our compliance with this section of the GDPR.
- Data Protection Officer
Data Protection Officer is a section of the GDPR stating that if data processing in a company is of a certain type, then a "Data Protection Officer" will be put in place, in order to ensure that the collection and processing of the personal information is in accordance with the GDPR.
A Data Protection Officer must be put in place if the following circumstances hold true:
- The processing of personal data is done by a public authority (Courts and independent judicial authorities are exempted from this).
- The personal data being processed requires regular and systematic monitoring on a large scale.
- The data subjects (i.e. the EU citizens) are required to be regularly monitored on a large scale for the data processing.
- The personal data being processed is related to or regards crimes and convictions on a large scale.
miniOrange does not meet any of the circumstances where a Data Protection Officer would be required. We need only a handful of personal data items from our customers, such as names, email addresses, organization names and phone numbers. Since we are not a public authority, nor are we partaking in the collection or processing of large amounts of data belonging to the specific categories designated by the GDPR, a Data Protection Officer is not needed.