General Data Protection Regulation (GDPR)
What is the GDPR?
The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into EU Member national law, which led to a fragmented EU data protection law landscape. The biggest potential negative impacts is the possibility of penalty for organizations in non-compliance with GDPR and erosion of consumer trust, which can have bottom-line implications for the organization.
Every organization’s journey to GDPR compliance is different. It depends on, among other factors, company size, the types and amount of data it processes, and its current security and privacy measures.
The European Commission requires all global organizations that conduct business in the European Union to comply with the General Data Protection Regulation (GDPR) by May 25, 2018.
LogMeOnce commitment to GDPR compliance
As our ongoing compliance effort on building secure computing software for our users, security and privacy of our users are at upmost importance and priority.
LogMeOnce is committed to making necessary improvements to ensure GDPR compliance. LogMeOnce will comply with the GDPR in the delivery of our service to our customers. We have reviewed the GDPR’s requirements, and based on our findings, we are working to make enhancements to our products and services, our documentation and our contract documents in order to help our customers meet their GDPR compliance requirements.You are advised to consult with your organization’s legal team to understand how the GDPR may apply to your organization.
Who does the GDPR apply to?
The GDPR is relevant to any globally operating company, not just those located in the EU. The GDPR applies globally to any entity that collects, stores, or processes personal data of EU individuals, regardless of the company’s location. There are two classifications for these entities
- Data Controllers
A data controller exercises control over the processing of personal data, and decides which data to collect. - Data Processors
A data processor acts at the direction of a data controller to collect, store, process, or delete personal data.
LogMeOnce is a “Data Processor” and our business customers, are the “Data Controller”. We are Data Controller to our consumer edition users.LogMeOnce (the data processor is actively supporting your business (the data controller) in this compliance journey.
As a business customer, you the Data Controller, you are in charge of determining the fate of all data collected, uploaded by you or users on your account.LogMeOnce will comply with your instructions and to how to deal with data (within the capabilities of the product). Your users are considered to be “Data Subjects” under the GDPR. Data Subjects have certain rights under the law, and LogMeOnce provides tools for you to assist Data Subjects in their exercise of their rights.
What data is regulated by the GDPR?
The GDPR regulates organizations’ collection, processing, and storage of personal data of EU individuals. Personal data includes any information that can be connected back to a particular EU individual.
The GDPR defined personal data as any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or a computer IP address, geolocation.
LogMeOnce has multiple data centers in multiple regions within Amazon Web Services(AWS) data centers in United States. Our EU Ireland data centers will be operational in the near future. LogMeOnce business users can store their data in EU data center. All user data is transferred and stored within US data centers until EU data center is operational.
The following criteria are used to determine data retention periods for your personal data:
- We will retain your personal data as long as your LogMeOnce account is accessible.
- Some of the technical and personal data will still be available for audit and regulatory purpose.
How LogMeOnce helps to meet GDPR compliance to increase your security
With millions website available for users and the type of data collected by each it is challenging to manage access to these sites. It is important to have security controls in place for a secure and strong access management and single solution. While GDPR compliance presents a lot of challenges for an organization, LogMeOnce Password manager and Identity and access management solution can build a strong foundation for GDPR compliance and can help reduce your risk.
LogMeOnce solution can consolidate your access to website for consumers and manage your users and business’s identities to provide a better visibility into your users, their applications and access. This will help in identifying your personal data
LogMeOnce users can take advantage of these extensive security and compliance functionalities:
Consent
LogMeOnce allows Data Controllers to manage and track their user consent in a clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
Breach Notification
Under the GDPR, breach notification is mandatory and must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Right to Access
Data subjects has the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data.
As a Data Subject, you can access, export or delete your data you may also contact LogMeOnce support at support@LogMeOnce.com for additional request. As a Business user, you may contact your Business Administrator (Data Controller) to respond to your data access request you may also contact LogMeOnce support at support@LogMeOnce.com for additional request.
Right to be Forgotten
Data subject has the right to have the data controller erase his/her personal data, cease further dissemination of the data.
LogMeOnce provides account deletion capability and you may also contact LogMeOnce support at support@LogMeOnce.com for additional request.
To delete your account, login to your LogMeOnceaccount and go to Smart Menu->Profile and you will see a delete button to delete your data.
Data Portability
GDPR introduces data portability – the right for a data subject t o receive the personal data concerning them in a ‘commonly use and machine readable format’.
LogMeOnce provides ability to export user account information and you may also contact LogMeOnce support at support@LogMeOnce.com for additional request.
To export your account, login to your LogMeOnce account and go to LogMeOnce browser extension menu and click on Export to > you can select appropriate extort options to export your data.
Privacy by Design
LogMeOncehas been architected based on privacy by design and security in mind. As a “zero-knowledge” technology company, LogMeOnce does not know a user’s encryption key or actual passwords. You are the only one who has absolute knowledge of your actual password and encryption key — only you can decrypt your account. Other benefits of the LogMeOnce Zero-Knowledge Technology:
- User Exclusive Access Rights
- Browser Exclusive Password Access
- Device Exclusive Access Rights
Encryption happens on user device based on AES-256 bit encryption with PBKDF2 SHA-256, extensive security controls are in place to ensure account security. The user information is available only to the user with valid access.
Currently LogMeOnce operates data centers in multiple regions throughout the United States. Data is encrypted at rest and during transition.LogMeOnce additional capabilities in support of GDPR listed below:
- User and Group Management – Ability to manage (Add, Edit, Delete) users and create groups and assign users and applications to users and groups.
- Password Policies – Define extensive password policies for organization.
- PasswordLess PhotoLogin – PasswordLess authentication uses Public and Private key pair with Private key securely protected on users vault on mobile device to provide flexible and strong authentication.
- LogMeOnce Mugshot – Mugshot is a policy based powerful security feature that can be enabled or disabled based on your organization’s requirements.Snap your intruder’s photo, IP address, GPS location, date & time stamp, and more.
- Comprehensive Two-Factor Authentication – It adds more security layers to protect your business and increase security with Two-Factor Authentication. LogMeOnce provides the richest selection of 2FA methods and protects your credentials with two layers of defense.
- Password Dialer © and Generator – Creates secure passwords with strong password strength.
- Automatic Password Changer – Automatically change passwords for your sites.
- Password Scorecard – LogMeOnce Security Scorecard tracks the password’s success factors in four ways: it’s essence, strength, daily usage and access activities. Additionally, the report tells you exactly why your master password is (or isn’t) strong.
- Kill-Pill – Send a Kill-Pill, and you can instantly wipe off any LogMeOnce data stored on it. Access to the LogMeOnce account on the remote device will be denied.
- Audit & Compliance – With a single click, quickly get real-time charts, graphs, reports.
- Adaptive MFA Authentication – LogMeOnce Adaptive Multi Factor Authentication (MFA) is a comprehensive, risk-based engine that enables IT administrators to define security policies on how to handle internal, external or partner connection requests. Policies are based on risk profiles and can trigger the need for additional authentication or provision a limited set of applications.
- Risk-based Authentication – LogMeOnce risk-based authentication ensured confidence in which connections get to your network. LogMeOnce validates all connections based on geo location, IP address, time of the day and other internal risk-based rules.
- Anti-Theft – LogMeOnce offers a full set of anti-theft features: