OneLogin welcomes the GDPR as an important and necessary evolution in the data protection laws across the EU. OneLogin’s privacy and security program meets and exceeds the highest standards in the industry, including compliance with the GDPR.
The new General Data Protection Regulation (“GDPR”), which replaces the European Commission’s Data Protection Directive, goes into effect on May 25, 2018. Its goal is to unify European Union (EU) privacy regulations and better protect EU citizen personal data both within the EU and outside the EU. As a data processor and controller, OneLogin has verified that we meet all GDPR requirements and we will continue to actively uphold GDPR compliance. We are also providing resources and documentation to support our customers in their roles as data controllers.
At OneLogin, ensuring that all customer data is handled securely and responsibly is our number one priority. Here is an overview of what to expect from GDPR, how we are complying with this new regulation, and how we are empowering customers to comply.
What is the purpose of GDPR?
GDPR is a comprehensive data protection law that serves two purposes:
Protect individual’s data: GDPR gives control over personal data back to the EU residents and prohibits organizations from exploiting that data.
Guidelines for Organizations: GDPR makes data protection law identical throughout the single market. It provides businesses with simpler legal guidelines, which can be more easily enforced by government bodies.
Who does GDPR apply to?
GDPR applies to any organization operating within the EU, as well as organizations that offer goods or services to customers or businesses in the EU. This broadens the scope of protection of EU residents for improved privacy control.
How will GDPR affect me?
If you are a resident of the EU, congratulations! The European Union is taking steps to ensure that your data is used safely and appropriately.
If your organization provides services within the EU, you will need to be compliant with GDPR. This will impact the way that you store, process, and utilize user data in a number of ways. See this overview of key changes introduced by GDPR as it replaces the European Commission’s Data Protection Directive.
Right to access and portability: Users can request confirmation as to whether their personal data is being processed, where and for what purpose. Further, the data controller is required to provide a copy of the personal data, free of charge, in an electronic format.
Breach notification requirement: Breaches, which are likely to “result in a risk for the rights and freedoms of individuals”, must be reported within 72 hours of first having become aware of the breach.
Privacy by design:Companies must take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process. Companies must also take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process.
Right to be forgotten: Companies must allow users to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
This is not an exhaustive list. But fail to meet any of these requirements, and you may be fined up to 4% of your annual growth turnover, or €20 million.
What steps is OneLogin taking to be GDPR compliant?
OneLogin is a global organization that both processes and controls data from around the world, including the EU. Our existing certifications and long-standing commitment to privacy frameworks prepare us for GDPR in many ways.
To meet GDPR requirements, organizations are required to articulate data flows, and demonstrate how privacy is controlled and maintained. Our “Blank Page” approach to redrawing our data flows and building out very detailed data mapping diagrams helps us to achieve this.
Updated Standard MSA and Data Processing Agreement: Organizations are also required to update their contractual language to reflect the additional accountability required by GDPR. To this end, OneLogin leverages data breach notification language, uses subcontractors, and communicates responsibilities to our own data processing vendors.
Data Protection Officer: OneLogin utilizes an independent external consultant based in the EU to serve as our DPO.
How is OneLogin helping customers to be compliant?
OneLogin is dedicated to empowering customers with the resources they need to comply with GDPR. Here’s how:
Right to access and portability
- IT administrators can easily find a user in the system and print out their information as stored in any of the user directories.
- User privileges and role assignments in OneLogin indicate where the user’s metadata is used (i.e. all applications they have access to.)
Breach notification requirement
- OneLogin’s event streaming service can help identify breach attempts much faster when correlated with additional enterprise security events.
- Following the identification of a potential breach, administrators can use OneLogin’s event dashboard and reporting tool in order to investigate further.
Right to be forgotten
- OneLogin allows for the automated deprovisioning of users from other systems and external applications.
- Admins can delete users immediately to meet both privacy and enterprise security requirements.
- Admins can also manually audit provisioned apps.
Privacy by design: OneLogin is a trusted partner
Privacy by design is a particularly challenging requirement, but as a vendor we are well-prepared for it.
- The OneLogin service has always handled information that must be protected; whether due to privacy regulations, credit card industry regulation, its designation as shared secrets, or several other data protection requirements.
- OneLogin incorporates privacy impact assessments that are performed periodically and as part of the design process for new features.
Privacy by design: A better architecture with OneLogin
Especially if you are an architect in IT or engineering, you might be thinking not only about your third parties’ compliance, but the compliance challenges in your own systems. Consider the advantages of building your integrations on top of OneLogin’s platform.
Many of the compliance challenges are the result of older architectures that allow for limited control over how data is stored, managed, and processed. For example, it used to be very common for legacy applications to access the corporate directory directly. This meant they typically had access to all user information with few restrictions on what they modify, cache or store.
We have come a long way since.
To understand how, let’s start with some essentials. The core of OneLogin’s identity platform is modern protocols, including SAML, OpenID Connect and SCIM. These modern protocols use secure tokens, security assertions and automated provisioning.
- Secure tokens: The user never signs-in to an app directly. Instead, the user always signs-in securely using a Single Sign-On (SSO) portal. Any trusted app can receive a secure token that represents the user.
- Security assertions: Identity information (e.g. user name, employee ID) is digitally signed by a trusted party, specifically an identity provider.
- Automated provisioning/deprovisioning: When a user is granted access to an application, their relevant metadata is pushed to the app. Similarly, when a user’s access is revoked, their relevant metadata is deleted from the app.
OneLogin’s Identity Platform enables you to leverage modern protocols for virtually any public cloud or private/custom app.
- Applications do not authenticate users directly, which means better security and privacy.
- Applications do not have direct access to the corporate directory for read/write to the entire user base.
- Applications get only the user metadata they need — only for users with access to the app, and user’s access can even be anonymous.
- Applications can get role/privilege information without direct access to the user’s information.
If you have questions or need more information please email firstname.lastname@example.org.