General Data Protection Regulation (GDPR) is a set of directives for the European Union (EU) which enhances the protection of personal data of EU citizens. It requires companies to comply with new rules that strengthen the data privacy and security of every individual within the EU. These rules are strict and include many provisions that increase the rights of data subjects. GDPR also contains harsher penalties for violations. It goes into effect on May 25th, 2018.
As we approach the implementation of GDPR, IDMERIT is focused on GDPR compliance efforts. We understand that these laws change how companies can interact with EU citizens in many ways. Because of this, we are doing our due diligence and everything we can to handle customer data from the EU in compliance with GDPR. Below we have outlined the main areas of interest concerning GDPR and how IDMERIT is proceeding to be fully compliant with applicable law by the May 25th deadline:
Under Article 6 of GDPR, processing of personal data can only occur if an individual has given clear consent for you to process that data. Consent must be given in an informed and unambiguous way and with clear and plain legal language. After this consent is given, an individual’s personal data can be stored and used for a variety of different purposes, including identity verification. Because of these changes, senior members of the IDMERIT team have worked diligently to renegotiate contracts with our data providers from the EU. With these new contracts in place, we feel confident that the personal data being provided for our services has been obtained with consent and is compliant with GDPR.
The GDPR states that transferring personal data outside of the EU in response to a legal requirement from a third country is no longer legal. At IDMERIT, this has never been our approach with identity verification.
Here’s an example of our process:
- A company in the United States needs to validate the identity of Person A from The Netherlands
- This company puts in a validation request using the information they have about Person A with IDMERIT
- Using our API, we connect with data sources from The Netherlands and confirm the identity of Person A
- Within seconds of placing their request, the US company receives confirmation of Person A’s identity
Our identity verification system uses a secure API to connect with data sources within various countries and accomplish this goal. It does not take the data it connects to through the API and transfer it outside of the country. Instead, only the result of the test, validation or not, is transferred back to the origin of the validation request. This process happens within an instant and ensures that personal data from EU countries is not being transferred across country borders and that the data remains safe.
Under GDPR, processing of personal data is allowed if it is done for a legitimate purpose. Maintaining KYC and AML compliance helps prevent fraud and is seen as a legitimate purpose under these new laws. IDMERIT prides itself on providing solutions for KYC and AML compliance. Our solutions help quickly and easily identify high-risk applicants and then manage them in the appropriate manner. Our databases provide information that helps indicate potential problems pertaining to money laundering, fraud and possibly misdirection of funds to finance terrorism as well.
GDPR compliance becomes mandatory for all companies interacting with EU citizens on May 25, 2018. At IDMERIT, we are being proactive in ensuring that we are compliant before the regulations go into place. We have done this by confirming that the personal data we use for verification has been obtained with consent and by keeping that data within its country of origin. Furthermore, we determine whether processing requests are made for legitimate purposes, such as maintaining KYC and AML compliance. As GDPR goes into effect, we will oversee how it affects industries across the world and refine our approach to compliance as needed.