What is GDPR?
GDPR was adopted in April 2016 and has applied since 25 May 2018, replacing the 1995 EU Data Protection Directive. It sets the standard for how personal data must be protected, defines what counts as personal data, and regulates transfers of personal data outside the EU. GDPR gives data subjects (the individuals the data is about) more control over their data, how it is used, and what rights they can exercise against the organizations that hold it.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It is considered one of the strictest data privacy regulations in the world, with severe penalties for organizations that fail to uphold its data privacy and security requirements.
Why is GDPR necessary?
Data protection and privacy are a continuing worry for online users. In the 2018 RSA Data Privacy and Security Report, a survey of 7,500 consumers, 80% named the loss of personal banking and financial data as a top concern, followed by 76% who were worried about the loss of security information (account logins) and identity documents (passports, driving licences). Although GDPR was introduced to protect people in the EU, data protection is a worldwide concern: 72% of US respondents said they would choose not to deal with a company that failed to protect their data.
How is Accredible compliant with GDPR?
Accredible acts as the “data processor”, the entity that processes personal data on behalf of, and on the instructions of, the “data controller”. The “data controller” is the customer (the credential issuer), who determines the purposes and means of processing the personal data. We help organizations meet GDPR data portability requirements and ensure that individuals can exercise the ‘right to be forgotten’.
Right To Be Forgotten
As the data processor, Accredible does not alter or delete customer data on its own initiative; it acts only on the controller’s instructions. Individuals who wish for their data to be forgotten must first request deletion from their credential issuer. Once the issuer has processed the deletion, we will process the ‘right to be forgotten’ request within five business days. Data removal requests are submitted to firstname.lastname@example.org.
The GDPR Checklist
To help organizations meet GDPR, GDPR.eu provides a checklist for data handlers. Below we describe, with links, how we meet each of the GDPR requirements.
Lawful Basis and Transparency
As part of our compliance with GDPR, we provide a Data Processing Agreement (DPA). The DPA incorporates the standard contractual clauses that provide the legal mechanism for GDPR-compliant data transfers and explains how our internal privacy policies meet GDPR. The DPA includes terms covering:
- What we do to protect your data
- What we are allowed to do with your data
- Who we share your data with to provide our service
Accredible follows strict data security controls to secure your data and limit access to it:
- Our data is stored in a secure Tier 3, SOC 2-certified data center
- We employ a role-based access control framework, so that data is accessible only to those whose job responsibilities require access
- Annual audits are conducted to verify compliance with our access control policies
- Any breaches or inconsistencies are documented, investigated, and remediated
- Internal and external (independent) audits are performed annually across our security and data privacy controls, software, infrastructure, and systems
- Regular penetration tests are conducted to identify and remediate vulnerabilities so that we continue to meet security and privacy standards
- An enforced framework and set of policies maintain our security and privacy standards
- We hold contractual agreements with our suppliers requiring them to maintain the same level of data protection
Accountability and Governance
Accredible has appointed a Data Protection Officer to monitor GDPR compliance, assess data protection risks, advise on data protection impact assessments, and cooperate with regulators. They can be reached at email@example.com.
We work with a small number of sub-processors to provide our service to customers. These include services that host our databases (Amazon Web Services), host our data backups (Google Cloud), and power our support desk (Hubspot). We maintain contractual relationships with our sub-processors to ensure that:
- They are not allowed to use your data for their own purposes or pass it to other parties
- They properly secure your data
These contractual relationships with our suppliers provide full legal and process protection for data in accordance with EU privacy law.
Our role as “data processor” means that customers retain full control over their data as the “data controller”. At any time, customers can request an export of the data in their account or request the full removal of their data. Issuers, acting as the “data controller”, first delete the relevant data; Accredible, as the “data processor”, then fulfils the ‘right to be forgotten’ request within five working days.
Requests for data export or deletion are sent to firstname.lastname@example.org.
To keep badges and certificates GDPR compliant, the credential owner controls the visibility of their digital credentials. On creation, the issuer sets the digital credential to public or private by default. After signing in to their credential view, the credential owner can change the credential to publicly visible or private, according to their preference.
Accredible maintains compliance with GDPR by following the strict obligations placed on a “data processor”:
- Our customers, as “data controllers”, retain full control over their data, including the ability to honour the ‘right to be forgotten’
- Our systems, infrastructure, software, and data privacy controls undergo annual audits and regular testing so that we continue to meet the regulation’s requirements for data security and privacy
- Our contractual relationships with our suppliers provide full legal and process protection for data in accordance with EU privacy law
Organizations serving EU customers can be assured that Accredible maintains strict controls to ensure full compliance with GDPR and to provide enterprise-level data security and privacy.
For more information on Accredible data protection or to get started with digital credentials, get in touch with the sales team.
Learn more about Accredible’s data protection policies in our Data Centre Security Whitepaper. The Whitepaper details the compliance certifications held by the AWS platform, our assurance for data protection, and why we use AWS data centres.