For over 20 years, the Data Protection Directive was the primary law regulating the data protection of European Union (EU) citizens. Now, effective as of 25 May, 2018, the new General Data Protection Regulation (GDPR) will replace it. The GDPR focuses on the control, security, and privacy of sensitive information pertaining to EU citizens. It is also applicable to companies that are outside of the EU, but which store or process personal information of EU citizens. The underlying purpose of the GDPR is to protect individual privacy and prevent data breaches from occurring, by making personal data more controlled, in terms of its usage and storage.
The GDPR deals with two different "bodies" when it comes to personal information. These are:
Privacy And Security By Design is a section of the GDPR stating that the standard of privacy surrounding personal data must be raised. It orders the controllers to implement the appropriate level of technical and organizational measures to ensure that personal data is used solely for the specifically defined purpose. By limiting the accessibility and the processing storage of this data, it restricts how information is used. Organizations and businesses, by order of the GDPR, must now consider privacy at all times, including during the development of new products or services.
Our Approach:
miniOrange deals with Privacy And Security By Design in two different ways. Firstly, the type of information and data we ask for in order to provision our products and services for consumers. Secondly, the way in which we protect this information when stored. miniOrange doesn't use personal information for any other purpose apart from initially provisioning products and services. All private data collected by miniOrange is heavily secured and can only be accessed by the appropriate individual.
Data Breach Notification is a section of the GDPR stating that if a data breach involving personal information occurs, the controllers must notify all of the related parties, as well as the supervisory authorities. This notification must be done no later than 72 hours after the data breach has been identified.
The elements of the actual notification to be sent in such a scenario are detailed as follows:
Our Approach:
miniOrange takes pride in its methods of security concerning personal data: access to our technical infrastructure (In which personal information is contained) is limited only to personnel with a documented and approved business need; all of our data at rest is encrypted; login requests and privileged commands are tracked using the appropriate software; our authentication process is secured with the implementation of methods such as MFA and password complexity.
However, if miniOrange has the least reason to suspect a data breach, the technical and organizational personnel follow a specified response plan and policy. Data recovery aside, the Data Breach Notification is something miniOrange is ready to fulfill to the level described above, as soon as the moment arises.
Data Minimization is a section of the GDPR stating, very succinctly, that controllers and processors must use the minimum amount of data needed to successfully perform their desired task. To comply with this, it is important to consider the range of personal information that needs to be collected and the span for storing the data, as well as the processes, software and systems involved with it.
Our Approach:
miniOrange only collects and processes personal data that we need to provide services and products. This personal information includes names, email addresses and other company information. If customers desire their end-users to input this data individually, the customer themselves becomes the controller over that information, and miniOrange becomes the sub-processor. Customers have a large amount of control over this personal information. They can add, delete or modify existing data as they see fit. miniOrange does not utilize this user-generated content in any way other than to display it at the customers' end, for authentication and verification.
Privacy Impact Assessment is a section of the GDPR stating that an "Impact Assessment" must be conducted at least every 3 years by organizations dealing with personal information that may be detrimental to the privacy of individuals. This includes sensitive information relating to criminal convictions and offenses, or publicly accessible platforms used on a large scale. To identify privacy risks within such platforms, Privacy Impact Assessments are conducted describing how personal information is protected, shared and maintained. The freedom and rights of individuals is considered in this section of the GDPR, by making breaches or ways of exposing the personal information of EU citizens more difficult.
However, this component of the GDPR is quite focused, and is clearly not applicable to every company or organization, as not all will be collecting information on a scale that will affect the concerned individuals' basic rights and freedom.
Our Approach:
miniOrange handles a very limited amount of personal information, and primarily deals with only company information. We do not meet the requirements of the Privacy Impact Assessment, and are exempted from implementing it.
Right To Erasure is a section of the GDPR stating that individuals must have the ability to have their data "forgotten", or completely erased from all company databases. However, this is applicable when a set of circumstances hold true--essentially, individuals may invoke this right if the data processing in place fails to satisfy the requirements of the GDPR.
Eligible erasure requests must fulfill the criteria that are listed below:
Right To Portability is a section of the GDPR stating that EU citizens must have the option to obtain their personal data from a controller for its "re-use" with various other services or products. If technically possible, the individuals could request to make the transfer of personal data directly from one service to the other.
Our Approach:
Through the miniOrange directory services, IT Administrators of customer companies have complete control over the personal data of their end-users, which is securely stored in the identity management platform. They can access the data and then choose to delete or share it. The end-users themselves also have control over their personal information and can utilize it to access other services, as well. These features of our platform allow for our compliance with this section of the GDPR.
Data Protection Officer is a section of the GDPR stating that if data processing in a company is of a certain type, then a "Data Protection Officer" will be put in place, in order to ensure that the collection and processing of the personal information is in accordance with the GDPR.
A Data Protection Officer is required to be implemented under if the following circumstances hold true. They are:
Our Approach:
miniOrange does not meet any of the circumstances where a Data Protection Officer would be required. We need only a handful of personal data from our customers, such as names, email addresses, organization names and phone numbers. Since we are not a public authority, nor are we partaking in the collection or processing of high amounts of data belonging in the specific categories designated by the GDPR, a Data Protection Officer would be unneeded.
Our WordPress Two Factor Authentication Plugin has its own GDPR Compliance page. To view it, click here.