GDPR Principles: Vetting Data Processors In A Digital World

GDPR no longer needs any introduction, and here at FINTRAIL, we loved collaborating with the team at Jumio to help them launch their GDPR e-booklet, which you can download here.

Together, we came up with 5 key principles that we think best help data controllers understand the activity of their online identity verification providers and whether or not they’re fully GDPR compliant. Data processors in this space handle vast amounts of sensitive personal data that, while integral to ensuring customers are who they say they are, can also be exploited or mishandled. As such, GDPR-compliant practices are key.

In brief, these are the main questions that controllers can ask of their processors to help frame their thinking on this important aspect of compliance:

  1. Human Review: How are verification decisions made and what recourse do data subjects have to challenge those decisions?

    • GDPR gives individuals the right not to have significant decisions made about them solely on the basis of automated processing.

  2. Compliant Machine Learning: Does the data processor employ Compliant Machine Learning?

    • Under GDPR, vendors can only develop specific AI models trained on the data of a given customer and cannot leverage data from other customers to create more comprehensive models.

  3. Data Retention: Can data retention policies be tailored to your business requirements?

    • Clear processes around data retention and deletion help processors and controllers deal with the stipulations around Subject Access Requests.

  4. Data Breach Notifications: Do you have a data breach notification process in place and has it been tested?

    • Processors, as well as controllers, need to be able to inform relevant parties of any data breach in a timely fashion; having clear and tested processes around this is one step in the right direction.

  5. Data Encryption: Is personal data encrypted and protected appropriately?

    • Proper data protection and encryption reduce the likelihood of a breach and increase the privacy of citizens’ information. GDPR requires that personal data be properly protected.

You can read more detail in the e-booklet, of course, and find out even more about GDPR, its implications for processors, how best to approach these questions, and exactly how Jumio is helping controllers maintain and manage their GDPR compliance through its innovative identity verification solutions and careful approach to data privacy.