PROTECTION & SECURITY
GDPR
EU - GENERAL DATA PROTECTION REGULATION

As an organisation that has activity in the EU and that uses mydigitalstructure to store, protect and process data you need to be aware of your obligations.

The following information outlines how entityOS with its ISO27001/17 certificated Information Security Information System can help with your GDPR obligations.

BACKGROUND

GDPR came into effect 25th of May 2018.

The EU General Data Protection Regulation (GDPR) supersedes all member states’ data protection laws. The new Regulation expands the rights of natural persons, giving individuals more control over how their information is collected and processed, while putting pressure on organisations that process EU residents’ personal data to tighten their data protection processes.

It is a unified approach to the protection of personal data, covering; data maps, data processing, data subject rights, breach notification, protection training and assessments.

The GDPR applies to all organisations established in the EU and to organisations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behaviour that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.

HOW THE IBCOM INFORMATION SECURITY MANAGEMENT SYSTEM & ISO27001/17 CERTIFICATION HELP WITH GDPR OBLIGATIONS
ibCom's compliance to ISO27001/17 means that a lot of the proof of compliance to GDPR principles/obligations is already met - particularly in regards to people, process & technology based on controls based on ibCom specific risk assessments and the measures outlined in ISO27001/27.
 
But given the GDPR regulations are about the totality of the protection of personal data, ibCom's compliance makes GDPR compliance a lot simpler, but is only part of an organisations obligations to the GDPR.
 
An organisation needs to do its own audit in regards to people and processes, knowing the technology that is supported by mydigitalstructure is fundamentally aligned with GDPR principles, as verified via our ISO2001/17 certification.
People ibCom's responsibilities to manage its people as per the GDPR are covered within its ISO27001/27 certified Information Security Management System (ISMS)
Process ibCom's responsibilities to manage its processes to protect personal data as per the GDPR are covered within its ISO27001/27 certified ISMS. 
Technology As per its ISMS, ibCom uses cryptography and tokenisation to protect any personal data it collects and supplies the methods its customers (users of the ibCom mydigitalstructure cloud service) can use as part of their obligations to the GDPR.

PERSONAL DATA THAT IBCOM COLLECTS

Internal Zone Notes
Lab No personal data is stored that relates to a real person.
Engagement Personal contact data used for marketing and support is stored in tokenised form.
Operations The mydigitalstructure service delivery stores information about users (ie name, email & phone number used for authentication checks) in a tokenised form.

TECHNICAL METHODS MYDIGITALSTRUCTURE USERS CAN USE AS PART OF THEIR GDPR OBLIGATIONS

Pseudonymisation of sensitive data is a key part of the technical protection of data when it is at rest.  This can be achieved on mydigitalstructure using it's protection via encryption and tokenisation methods.

Example flow for tokenisation of personal contact information using mydigitalstructure and encryption (as on same service);

Before calling the CONTACT_PERSON_MANAGE method to store/persist the data:

  1. With sensitive data - like firstname, surname, dateofbirth end use CORE_PROTECT_CIPHERTEXT_MANAGE to store data with object=32 and objectcontext=[id]

    It can be one call for each parameter or bulked together as object data {firstname: ‘Jane’, surname: ‘Smith’, … }

    Set DataReturn='GUID' so it is returned. ie da49eaa1-ff04-4778-b6be-04ccdfdc369c - this is the token.

  2. If tokenising each field then with the CONTACT_PERSON_MANAGE set parameter=token eg firstname=da49eaa1-ff04-4778-b6be-04ccdfdc369c - or if as one data object; firstname=da49eaa1-ff04-4778-b6be-04ccdfdc369c|firstname

  3. To view stored data, retrieve the tokens and data (encrypted) using CORE_PROTECT_CIPHERTEXT_SEARCH and then retrieve contact person data using CONTACT_PERSON_SEARCH and replace tokens as required in the view-controller.

If you do not want to encrypt data as part of tokenisation then you need to use a third party service.

 

 
Protection & Security
Official GDPR Site
EU GDPR
ISO27001 & GDPR
by itgovernance.co.uk,
includes infogram.
Compliance
CISPE
GDPR
(wikipedia)
Mythbusting
The Regulation
ibCom ISMS