The right to privacy is included as a fundamental right in the EU Charter.
The GDPR’s sanctions-based regime was created to protect that right, and TeleSign firmly believes that full compliance with the GDPR benefits all global citizens, especially our customers.
The GDPR, as a legal framework for data processing and free movement of personal data in the EU (with allowances for data transfers outside the EU), will promote accountability and establish trust in the digital economy. At TeleSign, we believe that your trust in our conduct as a responsible corporate citizen is fundamental to the success of our business.
TeleSign is owned by BICS (a subsidiary of Proximus Group), which is headquartered in Brussels, Belgium, the beating heart of the European Union and the seat of most of its major institutions. That proximity to the epicenter of the privacy rights the GDPR will enshrine shines a spotlight on TeleSign's role as a caretaker of the privacy rights of all individuals, not just those based in the EU. In short, privacy and the GDPR are in our DNA: there is no patch or fix for compliance; it has to be (and will be) embedded in everything that we do in service to our customers.
The personal data that TeleSign holds on behalf of our customers belongs to the individuals themselves. The personal data is theirs, not ours. Those individuals have the right to control how their personal data is processed.
In the delivery of our products and services, we can and do only use this personal data for approved purposes. The owners of the data have given us permission (consent) to use their data for purposes that have been transparently disclosed to them. In short, the individual is giving us a restricted license to use his/her personal data.
TeleSign will not abuse that restricted license, or in any way compromise the trust given to us by our customers. We understand we have earned this trust by how we handle your personal data, and we will steadfastly maintain it by complying with the GDPR.
The full, global TeleSign team has been engaged to ensure that all elements of the GDPR are adhered to. Here are 10 of the top things we’re doing to comply.
1. MANAGEMENT SUPPORT
We are now (and have been since October 31, 2017) owned by BICS (a subsidiary of Proximus Group), which is based within the EU in Brussels, Belgium. All members of senior management from Proximus to BICS and TeleSign are fully supportive of our efforts towards complete GDPR compliance by May 25, 2018. TeleSign firmly believes that the privacy and security of personal data is fundamental to our business operations. Data protection is taken very seriously by all TeleSign employees.
2. GDPR COMPLIANCE PHASED EXECUTION
We have laid out a 6-phase compliance roadmap that will get us to GDPR compliance by the May 25th deadline: (1) Training/Awareness for the entire company; (2) Data Mapping; (3) Gap Analysis; (4) Data Protection Impact Assessments (DPIA); (5) Implementation (our current phase); and (6) Steady State (aka long-term compliance post deadline).
3. ACCOUNTABILITY & PRIVACY BY DESIGN
This is a big one for us. Privacy cannot exist without security, which is why we are committed to protecting personal data through appropriate technical and organizational security measures. We keep detailed records of all processing of personal data that occurs so we can ensure adequate security throughout the data protection lifecycle. We have established a Privacy Office (PO) (see #10 below) to ensure continuous, long-term compliance with the GDPR. The PO, led by our Data Protection Officer (DPO), will ensure that we embed Privacy by Design / Default into all our products and business practices and conduct DPIAs for the higher-risk products that we develop. Privacy (and security) risk will be taken into account throughout the data processing lifecycle. We will hold ourselves accountable for the protection of personal data from the start (collection) to the very end (deletion).
4. BREACH NOTIFICATION
We are committed to doing everything we can to prevent a breach of our systems, but if one were to occur, we will notify the affected Data Controllers and/or the relevant supervisory authorities within 72 hours of becoming aware of it. (For reference, the GDPR requires a Data Processor to notify its Controllers without undue delay, and a Controller to notify its supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals.) We are based in California and already comply with the state's data breach notification law, which continues to apply alongside the GDPR.
5. CONSENT & CONTRACTS
We will ensure that we have the requisite consent from Data Subjects and the relevant contracts with Data Controllers in place before processing the personal data of individuals. Our commitment to all customers is to only process personal data lawfully and legitimately. If we are thinking about changing the way we process personal data, our customers will be notified prior to any changes. It is our belief that consent must always be freely given, specific, informed and unambiguous.
6. DATA TRANSFERS
We are putting our new GDPR-updated Data Processing Addendum (DPA) in place with all existing customers (where we act as a Data Processor) and with our suppliers/vendors (where we act as a Data Controller, or engage them as subprocessors). Through the DPA we commit to the obligations the GDPR places on processors acting for our Controller customers, and we flow those same obligations down to all subprocessors, including the all-important requirement of an adequate level of protection (a lawful transfer mechanism) for international data transfers. (Note: TeleSign operates out of the US, the EU and Serbia.)
7. DATA SUBJECT RIGHTS
As a Data Processor, we are committed to facilitating Data Subject Rights (DSRs) on behalf of the Data Controllers we serve, including: the Right to be Informed/Transparency (via our Privacy Notice), the Right of Access, the Right to Rectification, the Right to Erasure, the Right to Restriction of Processing, the Right to Data Portability, the Right to Object (including to Profiling), and the Right to Withdraw Consent. Because we process personal data on our Controllers' instructions, most end users should contact the relevant Data Controller (the business they dealt with) directly to exercise their DSRs. (If you are a Data Controller, please reach out to your Technical Account Manager for additional details.)
8. TRANSPARENCY
If there were a central pillar for our commitment to the privacy of all customers, this would be it: there can be no trust without transparency, and we can only be successful if we earn and maintain your trust. To that end we promise to disclose in our Privacy Notice:
- WHO we are (as Data Controller/Processor)
- WHAT types of personal data we have for individuals, the Data Subjects
- WHY we are processing personal data, including the legalities of it
- WHERE we got personal data from and where we are sending it, particularly if it is to a third party or a third country
- WHEN we will delete this personal data, and why we need to retain it until that time
- WHICH other rights all individuals have (see #7 DSRs), including the right to lodge a complaint with a supervisory authority
- The LOGIC involved in, and the significance and CONSEQUENCES of, any of our automated decision-making (profiling) products
9. ENHANCEMENT OF PRIVACY THROUGH OUR PRODUCTS
Our SMS (two-factor authentication) product strengthens the privacy rights of individuals by verifying, via a one-time code sent to the mobile phone number on file, that the person making a request controls that number before the legitimate processing of personal data proceeds. All our products operate on consent and contracts and are fully GDPR compliant, including new products that follow the principles of Privacy by Design / Default. (If you are a Data Controller and need a verification method for handling DSR requests (see #7 above), please reach out to our Sales team to ask about our SMS 2FA solution.)
10. PRIVACY OFFICE @ TELESIGN
Last but not least, TeleSign's GDPR compliance efforts are led by our Privacy Office (PO), which is made up of IAPP-certified members of the Legal, Privacy and Security teams, complemented by IAPP-certified employees in the Sales and Engineering teams. They are available to answer any questions regarding privacy and the GDPR at PrivacyOffice@telesign.com.