The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a regulation introduced by the European Union to set a new standard for protecting the personal data of its residents. It aims to give individuals more rights to control their personal data. The GDPR also aims for greater transparency about how this data is collected and processed, to prevent unauthorized use or access. Although it is an EU regulation, it affects any business or organization (data controllers and data processors) that collects, processes, holds, or transfers personal data of individuals residing in the European Union, regardless of where the business or organization is located.

Compliance with the GDPR is mandatory as of May 25, 2018.

Key concepts and definitions

The concepts and definitions outlined here, unless referenced as direct quotations from the regulation text[1], are a summary of the relevant stipulations in the GDPR that have implications for OneSpan Authentication Server, its components, and side products.

Personal data

In the regulation, personal data is defined as "[...] any information relating to an identified or identifiable natural person ('data subject') [...] who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [...]"[2].

"Right to access personal data"[1]

The GDPR gives individuals the right to obtain information from the data controller and data processor on whether personal data concerning them are being kept and/or processed, and to request access to that personal data. The data processor has to provide this information free of charge within a month to the individual requesting it.

"Right to erasure - 'right to be forgotten'"[1]

Individuals may request that their personal data be erased. This can be done if the processed data are incorrect or fail to satisfy the requirements of the GDPR, if the individual withdraws consent to processing, or if the data are no longer necessary for the purpose for which they were collected or processed.

"Right to restriction of processing"[1]

Individuals may restrict the data that is processed, for example, if they contest the accuracy of the personal data, if the data is processed unlawfully, or if the data is no longer necessary. In this case, the data controller may only store this data but cannot process it further without the individual's consent.

"Right to data portability"[1]

The GDPR gives individuals the right to receive the data connected to them that is stored or processed, and the personal data they supplied, in a structured, common, and machine-readable format.

"Data protection by design and by default"[1]

An individual's personal data must only be processed if this is necessary for the specific purpose, and the data must be protected by means of adequate technical and organizational measures. Data protection principles must be implemented effectively when processing the data and the required safeguards must be implemented.

"Security of processing"[1]

To ensure a security level that is adequate to mitigate the risk, the data controller and processor must implement adequate technical and organizational measures. These include, for instance, the pseudonymisation and encryption of personal data.

Security breach communication framework

In case of a breach, data controllers and data processors are obliged to report it. Data processors must report the breach to data controllers, who must report it to their supervisory authority within 72 hours of the breach.

  1. Official Journal of the European Union: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, Vol. 59, 4.5.2016.
  2. Ibid., p. 33.