As the General Data Protection Regulation (GDPR) came into effect last week (May 25), we reflect on how mobile access customers, who enable users to use their phones as a “key” to unlock doors, have been adapting and becoming compliance-ready for months. User data is, of course, utilized in cloud-based mobile access services to connect individuals’ phones (and their identities) to the back-end of the physical access control system.
Considering the fact that millions of doors are opened every hour in every country, mobile access is one of the most relevant innovations of the connected world of the digitized 21st century. It provides the highest security with a high level of convenience associated with a mobile-first lifestyle, already adopted by millions of people all over the world.
At the center of the connected architecture, enterprise customers are increasingly demanding that data is securely collected, stored, retrieved and “forgotten” when requested. Therefore, it is important to ensure that the mobile access service in use is GDPR-ready, including attaining Privacy Shield certification for data transfer to the U.S.
Users now require access to secure, reliable and consistent services where only best practices in information security and privacy apply. Over the years, we have invested a lot of time, effort and resources to ensure that we have the right processes and procedures needed to take the HID Mobile Access service to this level. This blog post is aimed at simplifying the connection between mobile access and GDPR and at providing useful, relevant information.
As a leader in mobile access, HID Global has identified four major things that existing and future customers need to know. But we don’t just talk the talk; we also walk the walk, figuratively speaking. We are taking steps to ensure that HID Mobile Access meets the European Union (EU) GDPR requirements.
[1] Mandate for Personal Data Transfer from the EU to the U.S.
GDPR requires that an adequate transfer mechanism is in place in order to facilitate the transatlantic transfer of personal data from the EU to the United States for commercial purposes.
To meet this requirement, HID Mobile Access is certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks, designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/ or see HID’s Privacy Shield Statement.
[2] Privacy Must Be Protected
GDPR enables EU residents to exercise greater control over how their data is used and how they raise complaints, even if the data subjects are not in the country where their data is being stored or processed. Along this line, the privacy practices that the HID Mobile Access service employs have been updated to align with GDPR and Privacy Shield Frameworks.
Available on the HID Mobile Access portal, the new privacy policy has been in effect since February 2018 and was recently updated to further simplify the language and make it easier to understand what personal information we may collect, why it is collected, and your rights with regard to that information. Furthermore, we performed a Data Protection Impact Assessment of the Mobile Access solution to identify and mitigate privacy risks.
[3] Customer Data Must Be Secured
Keeping customer data secure is of the highest priority. HID conducted a Mobile Access Data Inventory covering all collected data elements, documenting for each the roles and responsibilities, the data retention period and the security controls implemented for its protection.
Over the last year, we have updated our Security Incident Management Process, implemented new Alerts and Notification procedures, and introduced new routines for maintaining HID Mobile Access Portal administrator accounts. Furthermore, the HID Mobile Access application and the HID Mobile Access Portal are penetration-tested every year. Just like any leading technology company, we will continue to conduct risk assessments and improve the confidentiality, integrity and availability of our mobile access service.
[4] The Right to be Forgotten
Under GDPR, individuals have the right to request the deletion or removal of personal data when there is no longer a compelling reason for its continued processing. To ensure that our HID Mobile Access customers are in control of the personal data we process on their behalf, we have updated procedures to better assist our customers in complying with data subject requests.
Taking these steps toward meeting the requirements of the GDPR demonstrates our commitment to providing secure, reliable and consistent services to our customers.