How Accredible Ensures GDPR Compliance

GDPR is a regulation introduced for the protection of customer data for organizations that collect and process data from individuals in the European Union (EU). As Accredible processes data from our customers for the creation of digital credentials, we have taken steps to ensure we are GDPR compliant.

What is GDPR?

GDPR Explained

GDPR was adopted in April 2016 and put into effect from May 2018 to replace the outdated 1995 EU Data Protection Directive. It sets the standard of how data protection and privacy should be maintained, including what is considered personal data, and regulates the process for data that requires exportation out of the EU. GDPR gives data owners more control over their data, how it is used, and what rights can be exercised with companies that hold their data.

What does GDPR stand for?

GDPR means General Data Protection Regulation. GDPR is considered one of the strictest data privacy regulations in the world with severe punishments for organizations that fail to uphold data privacy and security protections.

Why is GDPR necessary?

Data protection and privacy is a continuous worry for online users. In a 2018 RSA Data Privacy and Security Report of 7,500 consumers, 80% stated the loss of personal banking and financial data as a top concern. Followed by 76% that were worried about a loss of security information (account logins) and identity documents (passports, driving licences). Although introduced for EU citizens, data protection is a worldwide concern. 72% of US respondents stated they would choose not to deal with a company that failed to protect their data.

How is Accredible compliant to GDPR?

Accredible is known as the “data processor”, the entity which processes personal data on behalf of, and at the direction of the “data controller”. The “data controller” is the customer, and is in control of determining the purpose and means of processing the personal data. We can help organizations to meet data portability requirements for GDPR and ensure customers can exercise the ‘right to be forgotten’.

Right To Be Forgotten

As the data processor, Accredible has no authority to alter or delete customer data. Individuals that wish for their data to be forgotten must first request deletion from their credential issuer. Once the issuer has processed the deletion, we will process the ‘right to be forgotten’ request within five business days. Data removal requests are submitted to support@accredible.com.

The GDPR Checklist

To support organizations to meet GDPR, GDPR.eu provides a checklist for data handlers. We have provided information and links below to how we meet each of the GDPR requirements.

Lawful Basis and Transparency

As part of our compliance to GDPR, we provide a Data Processing Agreement (DPA). The DPA details the standard contractual terms that provide the mechanism for GDPR-compliant data transfer and how our internal privacy policies meet GDPR. The DPA includes terms for:

What we do to protect your data
What we are allowed to do with your data
Who we share your data with to provide our service

Data Security

Accredible follows strict data security regulations to ensure that we secure and limit access to your data:

Our data is stored at a secure tier 3 SOC 2-certified data center
We employ a role-based access control framework, ensuring data is only accessible to those whose job responsibilities requires access
Annual audits are conducted to ensure compliance with access control policies
Any breaches or inconsistencies are documented, investigated, and remediated
Internal and external (independent) audits are performed annually across our security and data privacy controls, software, infrastructure, and systems
Regular penetration tests are conducted to ensure we maintain compliance across security and privacy standards
An enforced framework and set of policies contribute to maintaining security and privacy standards
We hold contractual agreements with our suppliers to ensure they maintain the same level of data protection

Accountability and Governance

Accredible have appointed a Data Protection Officer to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators. They can be reached at privacy@accredible.com.

We work with a small number of organizations to provide service to our customers. These include services to host our databases (Amazon Web Services), provide data backup hosting (Google Cloud), and power our support desk (Hubspot). We maintain contractual relationships with our sub-processors to ensure:

They're not allowed to use or pass your data to other parties
They properly secure your data
‍

The contractual relationship with our suppliers ensures full legal and process protection for data in accordance with EU privacy law.

Privacy Rights

Our role as “data handler” ensures that customers retain full control over their data as the “data controller”. At any time, customers can request for the exportation of their data from their account or request for the full removal of their data. Issuers, acting in the role of “data controller” first need to delete the necessary data and then Accredible, as the “data handler” will fulfil the ‘right to be forgotten’ request within five working days.

Requests for data export or deletion are sent to support@accredible.com.

To ensure GDPR compliant badges and certificates, the credential owner maintains control over the visibility of their digital credentials. On creation, the issuer will set the digital credential as public or private by default. The credential owner has the ability to change their credential to publicly visible or private, depending on their preference, after signing in to their credential view.

In Summary

Accredible maintains compliance to GDPR by ensuring we follow the strict regulations in place as a “data handler”:

Our customers as “data controllers '' maintain full control over their data including the ability to exercise the ‘right to be forgotten’
Our systems, infrastructure, software, and data privacy controls undergo annual audits and regular testing to ensure we continue to meet the regulations for data security and privacy
Our contractual relationships with our suppliers ensures full legal and process protection for data in accordance with EU privacy law
‍

Organizations serving EU customers are assured that Accredible maintains strict regulations to ensure full compliance with GDPR to provide enterprise-levels of data security and privacy.

For more information on Accredible data protection or to get started with digital credentials, get in touch with the sales team.