GDPR, Data Security & BluJay

On May 25, 2018, the General Data Protection Regulation (“GDPR”), a new privacy law, will take effect in the European Union (“EU”). The GDPR addresses privacy rights granted to individuals in the EU, and places obligations on organizations that handle or track EU personal data, or market to organizations in the EU, no matter where the organization is located.

What is GDPR?

GDPR is a comprehensive data protection law in the EU that is designed to unify data privacy requirements across the EU. The GDPR is directly enforceable in each EU member state.

The GDPR regulates the “processing” of data for individuals (called “data subjects”) in the EU. Processing can mean collection, storage, transfer, or use. Organizations need to ensure they have a lawful basis for processing personal data. The GDPR also defines “personal data” broadly: it covers any information relating to an identified or identifiable data subject.

How does GDPR change privacy law?

Consent

  • Must be clear and easy to withdraw

Penalties

  • Breaches could result in fines of up to 4% of annual global turnover, or €20 million (whichever is greater)

Data Subject Rights

  • Right to Access (provide confirmation to data subject on whether personal information is being processed)
  • Right to be Forgotten (right to have data erased, subject to qualifying conditions)
  • Breach Notification (within 72 hours of first becoming aware of a data breach)
  • Data Portability (right to receive information about them and take it to another data controller)
  • Privacy by Design (the data processor must design security measures for systems as the systems are being designed)

Broader Territorial Scope

  • It applies to all companies processing personal data of data subjects residing in the EU

BluJay’s commitment to protecting information

BluJay is committed to data security, including compliance with the GDPR requirements. Our Global Security Committee is tasked with managing compliance with data security directives. With regard to GDPR, the Committee has identified how GDPR applies to BluJay’s business, and has implemented and will continue to implement changes to BluJay’s business processes, services, contracts, and policies to support data security and compliance with laws.

What does GDPR mean for BluJay customers?

For BluJay to be effective in GDPR compliance, we need to understand the types of data we handle, which is only possible through a partnership with our customers. Customers who process data through BluJay’s software solutions are generally considered “data controllers” under the GDPR. Those customers have obligations to obtain consent, among other things, from the data subjects to use their data. For more information, and details on the definitions of data controller and processor under the GDPR, please see https://gdpr-info.eu/chapter-4/. BluJay welcomes the opportunity to discuss GDPR and general data protection compliance with our customers, as well as to understand and help our customers through their obligations under GDPR. Contact us at GlobalPrivacyOffice@blujaysolutions.com.

Security and infrastructure standards

BluJay and its partners have put in place security measures to address data security:

  • Certifications – BluJay product certifications include ISO 27001:2013 and SSAE16 SOC I Type II. Third-party data center partners hold various certifications, including ISO 27017, 27018 and PCI.
  • Global Security Committee – this team of leaders is responsible for compliance with data security directives.
  • Internal policies and procedures – updated with respect to security and data privacy.
  • Vendor compliance – BluJay has investigated how our vendors handle and protect data in light of GDPR.
  • Employee training – BluJay is implementing global employee training on data security, as well as secure coding training for product developers.
  • Data encryption – moving connection points to supported protocols, such as TLS 1.1/1.2 and SFTP, for encryption of data in transit.
  • Data protection – BluJay is constantly scanning its products and network for potential vulnerabilities.

BluJay protects our computer systems and information storage facilities against the unauthorized destruction, loss, or alteration of, or access to, information. Such measures include situating data centers in secure co-location facilities that are carrier-neutral and provide physical security, redundant power, and infrastructure redundancy. BluJay requires its internet service providers to ensure a high level of uptime and have a rapid failover capability. BluJay also conducts vulnerability scans so that we can identify and address vulnerabilities before they become critical.

BluJay has procedures in place to prevent our data processing systems from being used by unauthorized persons. We establish the identification of the terminal and terminal user to the BluJay systems; utilize firewall, router, and VPN-based access controls to protect the private service networks and back-end servers; implement role-based access controls; log access to host servers, applications, databases, routers, and switches; require that requests for access and account management are submitted through internal approval systems and approved by an appropriate authority; help to ensure that passwords adhere to the BluJay password policy, which includes minimum length requirements and enforced complexity; and help to ensure that password resets are handled via BluJay’s ticketing system.

BluJay partners with strong global providers such as Oracle, Equinix, and Amazon Web Services, who make GDPR and data security a priority.