In many industries, companies have to establish trust in digital identity verification solutions that can guarantee the person claiming a particular identity is in fact the person to whom that identity was assigned. This requires understanding the controls a vendor who manages personal data, including images of government-issued IDs and biometric data, has in place to comply with privacy requirements.
As the GDPR states in Article 5(1)(f), “Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Beyond the secure handling of personal data, there are additional considerations when the outcome of that verification leads to a practice that could affect an individual protected by the GDPR, such as an “automatic refusal of an online credit application or e-recruiting practices.” Fully automated verification solutions that fail to give the end user the right “to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision” (Article 22(3) GDPR) are not permissible under the GDPR.
To address these privacy requirements, Jumio has robust controls in place, including those described below.
1. Human Review
The GDPR gives data subjects (i.e., your organization’s end users) the right not to be subject to decisions based solely on automated processing that produce “legal effects” for them or “similarly significantly affect” them (Article 22(1)). As more online verifications are carried out by algorithms, concerns have been raised about the lack of transparency behind the technology, which leaves individuals with little understanding of how decisions about them are made.
Since Jumio takes a hybrid approach to online identity verification — combining machine learning, AI, computer vision and biometrics with human review — we’re able to provide much greater transparency about the rationale for acceptance or rejection for any given identity verification transaction.
2. Machine Learning
Under the GDPR, vendors should deploy and train their AI models in a way that prevents bias and potential discriminatory effects on data subjects.
Jumio’s machine learning approach builds prevention of bias and discrimination into the decision-making process by continuously testing models against those factors. Furthermore, Jumio incorporates data privacy and security at every stage of the machine learning workflow, including initial data capture, ID preprocessing, data tagging, algorithm training and model deployment.
3. Data Retention
The GDPR requires that personal data be “limited to what is necessary in relation to the purposes for which they are processed” (Article 5(1)(c), data minimisation) and that the period for which personal data are stored be “limited to a strict minimum” (Recital 39, storage limitation).
Jumio has strict controls in place to support the GDPR’s data minimization and storage limitation requirements ensuring that personal data that is no longer needed is discarded appropriately and in a timely fashion. Our enterprise customers can customize data retention policies based on their unique business needs.
4. Breach Notification
The GDPR requires companies to have controls in place to notify the appropriate parties of a personal data breach “without undue delay”; for the supervisory authority, this means where feasible within 72 hours of becoming aware of the breach (Article 33), and a processor must notify the controller without undue delay (Article 33(2)).
Jumio regularly tests the notification processes and procedures that would be used in the event of a security incident, including a personal data breach. This helps our business customers manage their own breach notification and mitigation obligations.
5. Data Encryption
The GDPR (Article 32) requires “appropriate” technical and organisational measures to ensure the security of personal data, including, as appropriate, pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore access to personal data in a timely manner after an incident, and regular testing and evaluation of those measures.
Jumio regularly subjects its security practices to independent security audits, vulnerability scans and penetration tests to verify that its security measures meet industry standards, and holds PCI DSS and ISO 27001 certifications. All personal data, including images of government-issued IDs and biometric data, is encrypted in transit with TLS using strong cipher suites and at rest with AES-256.
Jumio has a robust and transparent privacy management program, which includes controls for its roles as both a “controller” and a “processor” as defined by the GDPR. Jumio supports its customers’ own roles and responsibilities by providing identity verification solutions that take global privacy compliance into account and help customers meet their regulatory requirements.
Moreover, Jumio undergoes comprehensive security reviews and is certified against ISO 27001 and PCI DSS. This means we have adopted a strict set of security standards designed to ensure that identity and personal data are encrypted, stored and maintained in a secure and independently vetted environment.
Statement of Compliance
Jumio applies the GDPR principles as the baseline for its privacy compliance globally. Effective February 1, 2018, all necessary steps to achieve GDPR compliance have been completed. Jumio’s privacy management program applies to all categories of personal data, including biometric data.