The General Data Protection Regulation (GDPR) represents the biggest shakeup in European data protection legislation in three decades. The present data protection directive predates the advent of cloud, social media, the Internet of things, and other technologies that today we take for granted. Many of the data-rich companies that are household names were also founded after the existing legislation. So GDPR is a welcome and timely update.
GDPR continues the broad data protection principles already well established in legislation. But it places a variety of new requirements and considerations on any organization processing personal data. Importantly, the consequences to companies of getting data protection wrong are severe:
1. A fine of up to 2% of global revenue for technical infringements and up to 4% for breaches of principles established under the law.
2. Introduction of mandatory breach notification of personal data breaches, which includes alerting data subjects to the breach (if material).
3. The prospect of class action lawsuits brought on behalf of affected data subjects.
4. Potentially, the banning of personal data processing altogether (in extreme cases).
Intuitive Password is fully compliant with GDPR
At Intuitive Security Systems Pty Ltd, our ongoing compliance review and actions build on our existing investments in privacy, security, and operational processes necessary to meet the requirements of GDPR and other applicable regulations. Intuitive Security Systems Pty Ltd participates in the EU Privacy Shield framework and is already compliant with all current EU data protection rules. By 25th May 2018, the company will be GDPR compliant as well.
To make sure that customers understand Intuitive Security Systems Pty Ltd's general philosophy towards GDPR, our goals by the date it will be enforced, and how they may be able to use Intuitive Password in a GDPR compliant way, it is important to remember a few points:
1. In GDPR terminology, Intuitive Password is a "Data Processor" and you, our customer, are the "Data Controller" for all uploaded or generated customer data. This means that you are in charge of determining the fate of all data uploaded by you or users on your account. Intuitive Password will comply with your instructions and the terms of any written agreement or contract as to how to deal with data within the capabilities of the product.
2. As Data Controller, you also own the relationship directly with users in your account; these users are considered to be "Data Subjects" under the GDPR. Data Subjects have certain rights under the law, and Intuitive Password provides tools for you to assist Data Subjects in the exercise of their rights. If your relationship with Intuitive Password ever ends, your data will be destroyed shortly after the end of the contract. This is to protect the privacy and security of the data.
3. At any time, you have the right, and the necessary tools, to get all uploaded or customer generated information out of Intuitive Password. We make it easy for you to maintain your own backup copy. It is very important to remember that by using Intuitive Password you are not necessarily or automatically fully GDPR compliant. We encourage you to verify that you meet all aspects of the regulations, and to get legal advice if needed.
As noted above, Intuitive Security Systems Pty Ltd is well on its way to GDPR compliance and we believe that Intuitive Password may be able to assist our customers in their compliance efforts by leveraging the following functionality:
Security:
Intuitive Password is built on 256-bit AES encryption with PBKDF2 SHA-256 and salted hashes to ensure data protection in the cloud. Intuitive Password also operates on a hardened cloud infrastructure and passes many in-depth security reviews each year. This may help customers to address any requirements they may have around utilization of encryption, pseudonymization, and/or anonymization.
Zero-knowledge Architecture:
Intuitive Password is built from the ground up on the idea that the individual user is the only person that can access their data. This is in perfect alignment with GDPR principles and data protection requirements. Because the data and the encryption keys are kept separate, no Intuitive Password employee is ever able to access customers' data. If Intuitive Password were ever breached, the ciphertext would be worthless to the attackers and therefore no immediate action would be required.
No Additional Processing:
Intuitive Password will never mine customers' data for any purpose. First, it is a matter of policy at the highest levels of Intuitive Password that we are committed to customer privacy. Second, because of our zero-knowledge architecture, it is technically impossible for us to do so. This follows the GDPR principle of using both organizational and technical policies to protect personal data.
Data Deletion:
Intuitive Password allows customers to export their data and delete their account, if required. This feature may allow a customer to meet requirements around deletion of personal data after its intended use is complete, consent is withdrawn, or if a legitimate business purpose no longer exists.
Privacy Protection:
Intuitive Password is built on the principle of zero knowledge. This means that, by default, only the data subject themselves can access their sensitive data, and such functionality may be deemed an acceptable privacy protection practice.
Frequently Asked Questions
As an Australian company, does Intuitive Password need to follow the GDPR?
Yes. As a global software-as-a-service provider, we have many customers in the EU (and European Economic Area or EEA) which means the GDPR applies equally to us. Therefore, we will be compliant with the applicable provisions of GDPR no later than 25th May 2018.
I've read of "data controllers" and "data processors". What's the difference and which one is Intuitive Password?
To paraphrase the formal text: (a) a Data Controller is the owner of their information and decides how that information should be used; and (b) a Data Processor is a person or entity who processes the personal data of the Data Controller and carries out instructions of the Controller regarding this data. Generally speaking, our customers will be the Controllers of their Content (as the term is defined in our Terms of Service), including any associated personal information they place or generate in our systems, and Intuitive Password will be the Processor on their behalf. In some limited and disclosed instances, such as when we collect data from a customer to create an account, Intuitive Password will be the Controller.
What is a "zero-knowledge" provider?
Intuitive Password is a zero-knowledge security provider. The Intuitive Password user is the only person that has full control over the encryption and decryption of their data. With Intuitive Password, encryption and decryption occur on the user's local device or web browser upon logging into their account. Each individual record stored in the user's account is encrypted with a secure 256-bit AES key. The record keys are protected by an additional key, called the Data Encryption Key. The Data Encryption Key is encrypted by a key derived from the user's login credentials. This multi-tiered encryption model provides the most advanced data protection available in the industry.
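The three-tier key hierarchy described above, sketched as an added example for Node.js; it is not Intuitive Password's own code. The AES-GCM mode, the PBKDF2 iteration count, the salt and IV sizes, the blob layout and all function names are assumptions, since the page specifies only AES-256 and PBKDF2 SHA-256.

```javascript
const crypto = require("node:crypto");

// Assumed parameters: the page names only AES-256 and PBKDF2 SHA-256.
const PBKDF2_ITERATIONS = 600000; // assumed work factor
const GCM = "aes-256-gcm";        // assumed cipher mode

// Encrypt under `key`; assumed blob layout is iv(12) | tag(16) | ciphertext.
function wrap(key, plaintext, label) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv(GCM, key, iv, { authTagLength: 16 });
  c.setAAD(Buffer.from(label)); // binds the blob to its role in the hierarchy
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

// Decrypt a blob from wrap(); throws if the key, label or data is wrong.
function unwrap(key, blob, label) {
  const d = crypto.createDecipheriv(GCM, key, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(Buffer.from(label));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Tier 1: key derived from the login credentials; it never leaves the client.
function deriveKek(password, salt) {
  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, "sha256");
}

// Client side: returns only what a server would store (salt and ciphertexts).
function createVault(password, records) {
  const salt = crypto.randomBytes(16);
  const dek = crypto.randomBytes(32); // tier 2: Data Encryption Key
  const wrappedDek = wrap(deriveKek(password, salt), dek, "dek");
  const stored = records.map((text, i) => {
    const recordKey = crypto.randomBytes(32); // tier 3: one key per record
    return { wrappedKey: wrap(dek, recordKey, `record-key:${i}`),
             ciphertext: wrap(recordKey, Buffer.from(text, "utf8"), `record:${i}`) };
  });
  return { salt, wrappedDek, records: stored };
}

function readRecord(password, vault, i) {
  const dek = unwrap(deriveKek(password, vault.salt), vault.wrappedDek, "dek");
  const recordKey = unwrap(dek, vault.records[i].wrappedKey, `record-key:${i}`);
  return unwrap(recordKey, vault.records[i].ciphertext, `record:${i}`).toString("utf8");
}

// A password change re-wraps only the DEK; record ciphertexts stay untouched.
function changePassword(oldPw, newPw, vault) {
  const dek = unwrap(deriveKek(oldPw, vault.salt), vault.wrappedDek, "dek");
  const salt = crypto.randomBytes(16);
  return { ...vault, salt, wrappedDek: wrap(deriveKek(newPw, salt), dek, "dek") };
}
```

In this sketch the stored vault is only as strong as the login password and the PBKDF2 work factor, because anyone holding a copy of it can attempt offline guesses against the wrapped Data Encryption Key.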
What changes is Intuitive Password implementing to maintain GDPR compliance?
As a zero-knowledge platform, the information stored in our product is fully encrypted and only available to the user. We have made changes to our analytics systems to ensure anonymity for our customers, and we have made changes that let you control your consent to how any personal data that may be collected about you is utilized or stored.
Does the GDPR stop a company from storing information outside of the EU?
No, there is nothing in the current GDPR regulation that prevents or suggests this requirement. The GDPR does outline that Data Processors must protect personal data appropriately, regardless of where it is stored. Further, the GDPR does not invalidate or override the EU Model Clauses (which are part of Intuitive Password's GDPR Compliant DPA) or the EU Privacy Shield framework, which are both valid mechanisms to ensure the legal transfer of personal data into and out of the EU.
Do you offer a data processing agreement?
Yes. Intuitive Password is pleased to offer a revised GDPR compliant Data Processing Agreement (DPA) incorporating: (1) the EU Standard Contractual Clauses (also known as the EU Model Clauses); (2) Intuitive Password's Technical and Organizational Data Security Measures; and (3) a GDPR specific agreement. This GDPR compliant DPA ensures that any transfer of personal data outside the European Economic Area in connection with your relationship with Intuitive Password will be performed in compliance with the GDPR.
Where is my data stored?
All Intuitive Password data resides inside Australia. Our primary and backup data centers are located in Melbourne and Sydney.