PROTECTION & SECURITY
GDPR
EU - GENERAL DATA PROTECTION REGULATION

GDPR came into effect 25th of May 2018.

The EU General Data Protection Regulation (GDPR) supersedes all member states’ data protection laws. The new Regulation expands the rights of natural persons, giving individuals more control over how their information is collected and processed, while putting pressure on organisations that process EU residents’ personal data to tighten their data protection processes.

It is a unified approach to the protection of personal data, covering; data maps, data processing, data subject rights, breach notification, protection training and assessments.

The GDPR applies to all organisations established in the EU and to organisations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behaviour that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

ibCom's compliance to ISO27001/17 means that a lot of the proof of compliance to GDPR principles/obligations is already met - particularly in regards to people, process & technology based on controls based on ibCom specific risk assessments and the measures outlined in ISO27001/27.

 

But given the GDPR regulations are about the totality of the protection of personal data, ibCom's compliance makes GDPR compliance a lot simpler, but is only part of an organisations obligations to the GDPR.

 

An organisation needs to do its own audit in regards to people and processes, knowing the technology that is supported by mydigitalstructure is fundamentally aligned with GDPR principles, as verified via our ISO2001/17 certification.

People	ibCom's responsibilities to manage its people as per the GDPR are covered within its ISO27001/27 certified Information Security Management System (ISMS).
Process	ibCom's responsibilities to manage its processes to protect personal data as per the GDPR are covered within its ISO27001/27 certified ISMS.
Technology	As per its ISMS, ibCom uses cryptography and tokenisation to protect any personal data it collects and supplies the methods its customers (users of the ibCom mydigitalstructure cloud service) can use as part of their obligations to the GDPR.

More about compliance

ibCom's ISO/IEC 27001 Statement of Applicability

PERSONAL DATA THAT IBCOM COLLECTS

Internal Zone	Notes
Lab	No personal data is stored that relates to a real person.
Engagement	Personal contact data used for marketing and support is stored in tokenised form.
Operations	The mydigitalstructure service delivery stores information about users (ie name, email & phone number used for authentication checks) in a tokenised form.

TECHNICAL METHODS MYDIGITALSTRUCTURE USERS CAN USE AS PART OF THEIR GDPR OBLIGATIONS

Pseudonymisation of sensitive data is a key part of the technical protection of data when it is at rest.  This can be achieved on mydigitalstructure using it's protection via encryption and tokenisation methods.

Example flow for tokenisation of personal contact information using mydigitalstructure and encryption (as on same service);

Before calling the CONTACT_PERSON_MANAGE method to store/persist the data:

1. With sensitive data - like firstname, surname, dateofbirth end use CORE_PROTECT_CIPHERTEXT_MANAGE to store data with object=32 and objectcontext=[id]. 

   It can be one call for each parameter or bulked together as object data {firstname: ‘Jane’, surname: ‘Smith’, … }

   Set DataReturn='GUID' so it is returned. ie da49eaa1-ff04-4778-b6be-04ccdfdc369c - this is the token.
   
   
2. If tokenising each field then with the CONTACT_PERSON_MANAGE set parameter=token eg firstname=da49eaa1-ff04-4778-b6be-04ccdfdc369c - or if as one data object; firstname=da49eaa1-ff04-4778-b6be-04ccdfdc369c|firstname
   
   
3. To view stored data, retrieve the tokens and data (encrypted) using CORE_PROTECT_CIPHERTEXT_SEARCH and then retrieve contact person data using CONTACT_PERSON_SEARCH and replace tokens as required in the view-controller.

If you do not want to encrypt data as part of tokenisation then you need to use a third party service.