GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.
Who is impacted?
Any company that collects data on citizens in European Union (EU) countries needs to comply with strict new rules around protecting customer data, in effect as of May 25, 2018. Companies need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address, and Social Security number.
GDPR Compliance and Your Identity Verification Process
For many industries, companies often have to establish trust in digital identity verification solutions that can guarantee “the person claiming a particular identity is in fact the person to whom the identity was assigned.” But this imposes strict requirements on the vendor that is managing personal information, including images of government-issued IDs, biometric data and other personal information.
“Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Beyond the secure handling of PII data, there are additional considerations when the outcome of that verification results in an “automatic refusal of an online credit application or e-recruiting practices.” Fully automated verification solutions that fail to give the data subject the right “to obtain human intervention on the part of the (data) controller, to express his or her point of view and to contest the decision” (Article 22(3) GDPR) are not allowed under GDPR.
5 Critical Ingredients for GDPR Compliance & Online Identity Verification
GDPR gives data subjects (i.e., your online customers) the right not to be subject to decisions based solely on automated processing that produce ‘legal effects’ or other significant effects. As more and more online verifications are carried out by algorithms, concerns have been raised about the lack of transparency behind the technology, which leaves individuals with little understanding of how decisions are made about them.
Since Jumio takes a hybrid approach to online identity verification, combining machine learning, AI, computer vision and biometrics, coupled with human review, we're able to provide much greater transparency about the rationale for acceptance or rejection for any given identity verification transaction.
Compliant Machine Learning
Many identity verification vendors aggregate data across multiple customers to develop their machine learning algorithms. With GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.
Jumio’s compliant machine learning approach builds in data privacy and security at every stage of the machine learning workflow including initial data capture, ID preprocessing, data tagging, algorithm training and model deployment.
GDPR requires that personal data be ‘limited to what is necessary for the purposes for which they are processed,’ and that personal data storage be ‘limited to a strict minimum.’
Because Jumio is PCI-DSS compliant, we are already mandated to adhere to strict data retention procedures ensuring that personal data that is no longer needed is discarded appropriately and in a timely fashion. Our enterprise customers can customize data retention policies based on their unique business needs.
GDPR requires data processors to notify the controller ‘without undue delay’ once aware of a data breach. Most identity verification vendors don’t have established or tested processes in place for data breach notifications.
Because Jumio is already PCI-DSS compliant, we regularly test our notification processes and procedures for dealing with data breaches. This ability helps our business customers manage their own breach notification and mitigation processes.
GDPR requires data processors to have ‘appropriate’ measures to ensure security of personal data, including encryption, ensuring confidentiality, restoring data access and regular auditing/testing.
Because Jumio is PCI DSS Level 1 compliant, we regularly subject our security practices to stringent regulatory security audits, vulnerability scans and penetration tests to ensure compliance of the product. All personal data, including ID documents and selfies, is encrypted twice: all data is encrypted in transit via TLS encryption using strong cipher suites and at rest with military-grade 256-bit AES encryption.
“People come to me and say, ‘How do I achieve GDPR compliance?’… Start with PCI DSS.”
International Director at the Payment Card Industry Security Standards Council (PCI SSC)
How Jumio Can Help
Jumio is not only fully GDPR compliant as a data processor, with a robust and transparent program for maintaining all standards laid out in GDPR; our identity verification solution is also a key GDPR enabler, offering customers the ability to maintain data protection and contribute to their compliance with GDPR requirements.
GDPR categorizes data holders into two groups: processors and controllers.
Controllers collect, process, store, and basically "own" the data and the relationship with EU citizens.
Processors are essentially sub-contractors of controllers who may process, store, and utilize EU citizen data on behalf of a controller.
There are additional required measures, processes, and documentation requirements for controllers. Jumio is considered a data processor.
Moreover, Jumio is also PCI-DSS compliant. This means that we’ve adopted a strict set of security standards designed to ensure that identity and PII-related information are encrypted, stored and maintained in a secure and vetted environment.
Statement of Compliance
Jumio uses the European data privacy directives as the baseline for its data privacy compliance globally. Effective February 1, 2018, all necessary steps to achieve GDPR compliance have been completed. Jumio’s data privacy compliance program is applicable to all categories of personal data, including biometric data.
Learn how Jumio's Netverify identity solutions can bring GDPR compliance to your online customer identity verification process.