Ready. Set. Secure. Achieve GDPR Compliance, Improve Customer Experience
The General Data Protection Regulation (GDPR) deadline has come and gone, but there is still ample opportunity to rethink the customer relationship and their buying journey. Rather than considering security and customer experience separately, GDPR presents an opportunity to take a more holistic view of the customer experience.
Is your business GDPR compliant?
iovation solutions can help!
If your authentication tools and processes aren’t in compliance by now, you need a solution that balances strong security and simple implementation with the regulation’s mandate for digital privacy. But don’t forget user experience in the process. Consider ClearKey, our lightweight two-factor authentication solution. ClearKey uses iovation’s patented device-recognition technology to authenticate visitors without adding customer friction. The result is an easy-to-implement solution that brings you closer to GDPR compliance — fast. Learn more in our Five Ways ClearKey Can Help You Become GDPR Compliant blog.
iovation solutions reduce data breach risk and improve user experience.
With the constant threat of compromised credentials and brute force hacks, organizations need multifactor authentication to secure online accounts, but conventional solutions that store personal data on-prem or using cloud-based servers can prove damaging to a company if breached. LaunchKey, iovation’s multifactor authentication (MFA) solution, provides a decentralized and anonymous architecture that stores authentication credentials locally on the user’s device, and never creates the “central data store” that leads to the breaches we read about in the news. This approach significantly reduces exposure for your organization under the new EU GDPR.
Many businesses around the world are asking: what is GDPR? GDPR stands for General Data Protection Regulation and coalesces the data privacy legislation of the EU28 into one privacy and data protection regulation. The goal of the GDPR is to give EU citizens control over their personal data and to set out requirements for businesses that collect personal data.
The GDPR doesn't affect only the EU or the EEA. It applies to:
- Anyone processing personal data within the EU or EEA.
- Anyone offering goods or services to citizens in the EU/EEA, whether or not the business itself is located there. Anyone monitoring the behavior of persons within the EU/EEA also falls in scope.
In a globalized economy, it is foreseeable that many organizations outside the EU/EEA will find themselves under GDPR's remit.
It's also important for businesses within Europe that use third-party service providers based outside the EU/EEA to consider whether those vendors understand the obligations they will "inherit" under GDPR on behalf of their European customers. Do the contracts you hold with them reflect this? Do the terms of those contracts align with the vendors' responsibilities? Can they continue to provide the service to you without breaking the law?
At the core of GDPR compliance is the goal to protect the private information of individuals. GDPR compliance requires organizations that gather private personal information to obtain it legally and sets strict conditions for processing. In addition, GDPR compliance requirements include the obligation to protect personal information from misuse and exploitation.
GDPR also requires mandatory breach reporting for organizations that have been hacked or had personal information compromised. Not only is this requirement absolute (and failure to make a notification can bring a fine of up to €10m or 2% of global turnover), but it needs to take place within 72 hours.
After a data breach has occurred, your business will have three days to establish the following:
- That a breach has occurred
- What data has been lost
- Who it has affected
- Whom to notify (regulator and individuals alike)
- How to mitigate the breach
Therefore it's important to understand what data assets a business holds, where they're held, what controls are in place to protect them, and what mitigation is available BEFORE such a breach occurs.
Fighting Cyber Criminals Under GDPR
Although data processed for criminal law enforcement purposes will be ring-fenced under its own directive across the EU (with the UK's intentions still unclear), GDPR provides some explicit call-outs for counter-fraud activity. Data processing under GDPR requires a "condition of processing". These range from a legal obligation to do something (e.g. government tax collection) through to the consent of the person involved. While it's unlikely a fraudster would consent to having their personal details processed, organizations will be able to rely on their own legitimate interest in preventing fraud as a condition of processing (Article 6; Recital 47). In addition, profiling for fraud prevention is specifically called out as a permissible activity (Recital 71).
Data Minimization GDPR Compliance Requirement
One of GDPR's requirements is the principle of "data minimization": an organization collects only the data that is necessary for its intended aim. iovation's solutions require the barest amount of non-invasive, non-directly identifying personal data to provide effective authentication and fraud prevention. Even if a fraudster provided their details, we wouldn't be inclined to believe them anyway. This means iovation's solutions are well positioned to help you shut down account takeover attempts and other types of fraud while staying compliant with GDPR.
The GDPR defines pseudonymization as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information." With the implementation of GDPR in May 2018, iovation will enable organizations to leverage the benefits of pseudonymized data. In addition to increased security, a clear benefit is that mandatory breach reporting requirements are significantly lowered for pseudonymized data, because the risk of harm to a data subject is greatly reduced as long as the key is not compromised (Article 33 GDPR, on the basis that securely pseudonymized data is "unlikely" to create risk).
In addition, Article 11, which relaxes certain data subject rights for pseudonymized data, will assist businesses in dealing with the anticipated increase in the exercise of Subject Access Rights. EU Justice Commissioner Vera Jourova recently announced her intention to launch a "massive" awareness campaign around the new rights that GDPR confers. As people become aware of these rights, and of the fact that they may be entitled to compensation when those rights are impeded, you can be sure that legal action will increase.
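To make the "additional information" in that definition concrete, here is an added example (not iovation code) of keyed pseudonymization: direct identifiers in a constructed event log are replaced with HMAC-SHA256 pseudonyms under a secret key held apart from the data, fields the stated purpose does not need are dropped (data minimization), and records can be linked or re-identified only by a party holding the key. The field names, sample events and the choice of HMAC-SHA256 are assumptions for illustration.

```python
"""Keyed pseudonymization of a customer event log (added example, not iovation code).

Direct identifiers are replaced with an HMAC-SHA256 pseudonym under a secret key
that is stored separately from the data. Records stay linkable (same input and
same key give the same pseudonym), so fraud analytics still work, but without the
key a pseudonym cannot be traced back to the person.
"""
import hashlib
import hmac
import secrets

# Assumed field names: these directly identify a person and never leave the system in clear.
DIRECT_IDENTIFIERS = ("email", "phone")
# Fields not needed for the stated purpose are dropped entirely (data minimization).
KEEP_FIELDS = ("event", "country")


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: linkable with the key, irreversible without it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Keep only purpose-relevant fields and replace identifiers with pseudonyms."""
    out = {f: record[f] for f in KEEP_FIELDS if f in record}
    for field in DIRECT_IDENTIFIERS:
        if field in record:
            out[field + "_pseudonym"] = pseudonymize(record[field], key)
    return out


def matches(candidate: str, pseudonym: str, key: bytes) -> bool:
    """Re-identification needs the key: recompute and compare in constant time."""
    return hmac.compare_digest(pseudonymize(candidate, key), pseudonym)


# Constructed sample events. In production the key lives in a KMS or HSM, not beside the data.
KEY = secrets.token_bytes(32)
EVENTS = [
    {"email": "alice@example.com", "phone": "+44 7700 900123", "event": "login", "country": "GB", "ip": "198.51.100.7"},
    {"email": "alice@example.com", "phone": "+44 7700 900123", "event": "password_reset", "country": "GB", "ip": "198.51.100.9"},
    {"email": "bob@example.com", "event": "login", "country": "DE", "ip": "203.0.113.4"},
]


def pseudonymized_events(key: bytes = KEY) -> list:
    """Return the constructed log with identifiers pseudonymized and the IP field dropped."""
    return [pseudonymize_record(e, key) for e in EVENTS]


if __name__ == "__main__":
    for rec in pseudonymized_events():
        print(rec)
```

If the key is rotated, existing pseudonyms stop linking to new ones, which is the trade-off behind "as long as the key is not compromised".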
The EU-US Privacy Shield Framework was designed by the US Department of Commerce and the European Commission as a replacement for Safe Harbor after Safe Harbor was invalidated by the EU's highest court in 2015. Privacy Shield enables US businesses to provide assurances that they can process data in line with the high expectations placed on their counterparts in the European Union. This lets businesses operate in a far more agile manner by avoiding cumbersome contract negotiations, and consumer consent is not the only route once other conditions of processing are considered. It enables transatlantic data flows, the lifeblood of globalized industry, to persist. It also ensures that downstream processing is carried out to the same high standard that is required of the "importer" of EU-sourced data into the US.
iovation, the leading provider of device-based consumer authentication and fraud prevention solutions, is certified under the U.S. Department of Commerce's EU-U.S. Privacy Shield Framework, effective October 3, 2017.