Data Protection Compliance
Under the General Data Protection Regulation (GDPR) of the European Union (EU), or the corresponding regulation of the United Kingdom (UK), businesses that process or hold personal data (PII) of EU or UK citizens/residents must be able to disclose what data is collected for a data subject.
Should the interests of the Data Controller be overridden by the interests or fundamental rights of the data subject, the data subject can request that their personal data be erased.
In order to help organizations acting in the capacity of a data controller comply with GDPR article 15, ActivID Appliance is able to facilitate subject access requests via public API calls.
Additionally, to facilitate compliance with GDPR article 17, ActivID Appliance has added new features and made some fundamental changes to how audit log data is archived. By default, all data that is considered to be personally identifiable information (PII) is systematically tokenized in the audit log archive. This does not affect the audit log data accessed and viewed via the ActivID Management Console.
However, PII found within audit records that are archived from the database will be substituted with tokens. It is possible to de-anonymize the PII through the use of the tokenization/detokenization service available through the ActivID Appliance public API.
ActivID Appliance provides the means for administrators to “forget” a user via both the public API and ActivID Management Console. This operation effectively erases the mapping of the user details and token.
It is also possible to “delete” a user, thereby making that user inoperable with the system but not “forgotten” in the audit archives.
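
The difference between "delete" and "forget" described above can be seen in a small token-vault model. This is an added illustration, not ActivID Appliance code and not its public API; the class, method and field names (`TokenVault`, `forget_user`, `PII_FIELDS`, and so on) are hypothetical, and the audit records are constructed sample data.

```python
import secrets

PII_FIELDS = ("username", "email", "ip")  # assumed PII field names

class TokenVault:
    """Token <-> PII mapping; the archive itself holds only tokens."""
    def __init__(self):
        self._by_user = {}     # user_id -> {pii_value: token}
        self._by_token = {}    # token -> pii_value
        self.deleted = set()   # users disabled but not forgotten

    def tokenize(self, user_id, value):
        tokens = self._by_user.setdefault(user_id, {})
        if value not in tokens:
            tokens[value] = "tok_" + secrets.token_hex(8)
            self._by_token[tokens[value]] = value
        return tokens[value]

    def detokenize(self, token):
        return self._by_token.get(token)   # None once the user is forgotten

    def delete_user(self, user_id):
        self.deleted.add(user_id)          # mapping is kept

    def forget_user(self, user_id):
        for token in self._by_user.pop(user_id, {}).values():
            del self._by_token[token]      # archive tokens become unresolvable

def archive(record, vault):
    """Copy an audit record, replacing PII fields with tokens."""
    uid = record["user_id"]
    return {k: vault.tokenize(uid, v) if k in PII_FIELDS else v
            for k, v in record.items()}

def restore(archived, vault):
    """Detokenize PII fields; unresolvable tokens are returned as-is."""
    return {k: (vault.detokenize(v) or v) if k in PII_FIELDS else v
            for k, v in archived.items()}

def demo():
    vault = TokenVault()
    records = [  # constructed sample audit records
        {"user_id": "u-1001", "username": "alice", "email": "alice@example.test", "ip": "192.0.2.10", "event": "LOGIN_OK"},
        {"user_id": "u-1002", "username": "bob", "email": "bob@example.test", "ip": "192.0.2.20", "event": "LOGIN_FAIL"},
    ]
    archived = [archive(r, vault) for r in records]
    vault.delete_user("u-1002")   # deleted: audit trail still resolvable
    vault.forget_user("u-1001")   # forgotten: mapping erased
    return vault, archived, [restore(a, vault) for a in archived]
```

The archived records are never rewritten in this model: forgetting a user only removes the mapping, so the archive stays intact while the forgotten user's tokens can no longer be resolved to PII.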

GDPR (General Data Protection Regulation) is an EU regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
It also addresses the export of personal data outside the EU.
The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995.
For further details, go to https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Term | Definition |
---|---|
Data subject | A citizen of the EU who is identifiable by their personal data. |
Personal data | “Any information relating to an identified or identifiable natural person.” This includes the EU citizen’s name, email address, social media posts, physical, physiological, or genetic information, medical information, location, bank details, IP address, cookies, cultural identity, etc. |
Controller | A business operating within the EU — or outside of the EU but dealing with EU residents — that captures sensitive data about EU residents in the course of its operations. |
Processor | “A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” |
Privacy by design | Controllers and processors must implement appropriate technical and organizational measures, such as pseudonymization, that are designed to implement data protection principles. |
Consent | Processing personal data is generally prohibited, unless it is expressly allowed by law, or the data subject has consented to the processing. |
Right to Access | GDPR brings the right for Data Subjects to get information about how, where and for what purpose their personal data is being processed. |
Data portability | The right for a Data Subject to receive the personal data concerning them, which they have previously provided, in a commonly used and machine-readable format, and the right to transmit that data to another Controller. |
Right to be forgotten | The right of every EU citizen “to have his or her personal data erased and no longer processed.” Individuals may request the deletion of all of their personal data stored on a controller’s servers. |
See also:
ActivID Appliance Capabilities for GDPR Compliance