GDPR statement for Smart ID Certificate Manager
Nexus sees the EU's general data protection regulation (GDPR) as an important step forward in streamlining and unifying data protection requirements across the EU. We also see it as a great opportunity for us to strengthen our clear commitment to data protection principles and practices. It is as well fully in line with our recent ISO 27001 certification in Sweden.
Nexus strives to make it as easy as possible for our customers to comply with the requirements of GDPR, which was introduced on May 25, 2018. Therefore, a number of new features are included in the latest and upcoming versions of Smart ID Certificate Manager. We will also continuously review the functionality of Smart ID Certificate Manager in terms of GDPR.
Implemented functionality
The following functionality is implemented in Smart ID Certificate Manager 7.17 and later to help you comply with GDPR:
Traceability
Smart ID Certificate Manager logs only a minimal amount of user-related information in its operational logs during normal operation. In error situations, more detailed logging may take place depending on the configured logging level. Reducing the logging level keeps sensitive information out of the operational logs. Rotating the logs ensures that any sensitive information is overwritten after a limited time, while still giving administrators the opportunity to investigate the error situation before the log is overwritten or deleted.
Availability
Smart ID Certificate Manager provides search functionality that authorized administrators can use to collect the data stored for individual users and to provide reports to users who request information about their stored personal data. Access to Smart ID Certificate Manager and to personal data is protected by smart card based PKI authentication with role-based authorization, which ensures strict control over access to the data.
Correction
A request for correction of data can be managed. Personal information is received in certificate requests, and a correction of personal information in a certificate implies that incorrect certificates must be revoked and optionally also deleted. New certificates with correct data can be created by submitting certificate requests containing the correct information.
Security
Access to Smart ID Certificate Manager and any personal data is protected by PKI authentication with role-based authorization over a TLS connection.
Database content can optionally be encrypted using any transparent data encryption functionality provided by the SQL server. The database server must handle encryption and decryption transparently for the application.
Removal
Smart ID Certificate Manager has functionality for removal of user-related data and certificates from the CM database. A control mechanism ensures that certificates are revoked before user data can be removed from the CM database. CA policies may require that certificates are kept in the CA database until the certificate has expired, even if the certificate has been revoked before the date of expiry. The CM functionality for deleting certificates enables the CA organisation to manage its own specific CA policies via custom handling.
Audit log information related to the issuance phase of a certificate can be removed at the same time as the certificate is deleted. User data and certificates that were stored in external X.500 directories at the time of certificate creation can be removed using a CM publication procedure.
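The removal control described above, modelled as an added example (not Smart ID Certificate Manager's own code): a removal request is refused while any certificate inside its validity period is still unrevoked, a CA retention policy can keep revoked certificates until expiry, and issuance-phase audit entries are dropped together with the certificates that are deleted. The data model, the names and the sample record are assumptions made for the illustration; an expired certificate is treated as no longer needing revocation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Certificate:
    serial: str
    not_after: datetime
    revoked: bool = False

@dataclass
class UserRecord:
    user_id: str
    personal_data: dict
    certificates: list = field(default_factory=list)
    issuance_audit: list = field(default_factory=list)  # (serial, event) tuples

class RemovalBlocked(Exception):
    """The revoke-before-remove control refused the request."""

def remove_user_data(user, now, retain_revoked_until_expiry):
    """Erase the user's personal data; return (deleted_serials, retained_serials)."""
    # Control: a certificate still inside its validity period must already be
    # revoked, otherwise the whole removal is refused and nothing is changed.
    unrevoked = [c.serial for c in user.certificates
                 if c.not_after > now and not c.revoked]
    if unrevoked:
        raise RemovalBlocked(f"revoke first: {unrevoked}")
    deleted, retained = [], []
    for cert in user.certificates:
        # CA policy may require keeping a revoked certificate until it expires.
        if retain_revoked_until_expiry and cert.not_after > now:
            retained.append(cert.serial)
        else:
            deleted.append(cert.serial)
    user.certificates = [c for c in user.certificates if c.serial in retained]
    # Issuance-phase audit entries are removed together with their certificate.
    user.issuance_audit = [e for e in user.issuance_audit if e[0] not in deleted]
    user.personal_data = {}
    return deleted, retained

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

def sample_user(second_cert_revoked=True):
    """Constructed sample record: one expired certificate, one still valid."""
    return UserRecord("u1", {"name": "A. Example", "email": "a@example.invalid"},
                      [Certificate("01", datetime(2023, 1, 1, tzinfo=timezone.utc)),
                       Certificate("02", datetime(2026, 1, 1, tzinfo=timezone.utc),
                                   revoked=second_cert_revoked)],
                      [("01", "issued"), ("02", "issued")])
```

With the retention policy enabled, `remove_user_data(sample_user(), NOW, True)` deletes the expired certificate and its audit entry, keeps the revoked but still valid one, and clears the personal data; with the second certificate left unrevoked the call raises RemovalBlocked and nothing is erased.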
Important notice
A major part of GDPR is about internal routines. Organizations are responsible for personal data regardless of whether it is held in an HR system, CRM system, security system, PACS system, real estate system or other system. Each organization must ensure that staff handle personal data properly. This includes, among other things, having a legal basis for processing personal data, keeping track of the personal data being processed and the context in which it is handled, processing only the information necessary for the stated purpose, deleting data when it is no longer required, and informing and, where necessary, obtaining consent from registered persons.
Please also observe that the GDPR acknowledges that data protection rights are not absolute and must be balanced proportionately with other rights – including the “freedom to conduct a business”. For more information on the ability of EU member states to introduce exemptions, see the section on derogations and special conditions.
As a regulation, the GDPR will be directly effective in EU member states without the need for implementing legislation. However, on numerous occasions, the GDPR does allow member states to legislate on data protection matters. This includes occasions where the processing of personal data is required to comply with a legal obligation, relates to a public interest task or is carried out by a body with official authority. Numerous articles also state that their provisions may be further specified or restricted by member state law. Processing of employee data is another significant area where member states may take divergent approaches. Organizations working in sectors where special rules often apply, for example health and financial services, should: (1) consider if they would benefit from such special rules, which would particularize or liberalize the GDPR; and (2) advocate these accordingly. They should also watch for member states seeking to introduce special rules, which may prove restrictive or inconsistent across member states.