2. When the European Union announced its intention to expand the reach of its existing data privacy laws over two years ago, U.S. businesses focused on what their compliance burden would be and how it would affect their liability. At the time, the GDPR (General Data Protection Regulation) was an unprecedented extension of enforcement by a major economy onto businesses outside its borders. Experts and consultants pored over the several hundred pages of regulations and articles and reached a core consensus: any entity that handles the personal data of individuals in the EU would be affected, even if it is physically and legally outside the EU. At the beginning, the focus was mostly on how the EU authorities would view GDPR and data privacy compliance.

Fast forward to now, and the question U.S. businesses are asking themselves is not just what the EU authorities expect, but what their customers expect. Equifax's and Facebook's recent missteps in handling personal data have made average users painfully aware of how vulnerable their personal information is to misuse and exploitation.
GDPR goes into effect on May 25, 2018. “Are you prepared? Are you GDPR-compliant? Are you ready?”
3. Whether the GDPR directly and legally applies to your specific business or legal practice may come down to the finer details of the GDPR's provisions. How much personal data are you handling? What type of personal data is it, and how private is it? And for what purpose is the personal data used?
4. If you're an INSZoom customer, it's likely you're using your clients' personal data for a mutually agreed purpose related to immigration, global mobility or travel. These types of data transactions do not appear to be of critical concern to the EU authorities under the GDPR because of their specificity, narrow scope, transparency, and the consent given for the use of the data.
5. Though the personal information collected is private, sensitive and non-public (e.g. racial or ethnic origin, financial or legal details), it is not used for the behavioral monitoring or mass data analytics that have been the subject of such public scrutiny, criticism and lawsuits. Note that some of this information, such as racial or ethnic origin, falls into the GDPR's "special categories" of personal data (Article 9), which may only be processed on a specific lawful basis such as the data subject's explicit consent, so a documented, purpose-specific consent remains essential.
6. Given the heightened state of privacy awareness we are entering, it should come as no surprise that many of our customers are treating the May 25th deadline not only as a GDPR compliance date but also as a milestone for blanket data privacy readiness for all of their users, not just EU users.
7. It would not be the first time that a new regulation has had an impact beyond its original objective. It is probable that we are entering a new normal, with a new baseline of expectations for what is required for data security and privacy.
8. Regardless of the size of your GDPR footprint, INSZoom is well positioned to provide the technology, structure and support needed. We have followed a 'Privacy by Design' practice since our beginning in 1999. INSZoom holds ISO/IEC 27001 certification, and all collected data is stored in a SQL database protected with 256-bit encryption. Technology experts have found that data security best practice under the ISO 27001 framework meets much of what the GDPR requires in its articles on technical and organizational security measures, for example:
▸ ISO 27001 mandates identifying and documenting all relevant statutory, legislative, contractual and regulatory requirements.
▸ The risk assessment requirements of ISO 27001 map closely to the GDPR's Data Protection Impact Assessment (Article 35) and the evaluation of privacy risks it calls for.
9. ▸ The asset management requirements of ISO 27001 treat personal data as a valuable information security asset. You must define which personal data is involved in your operations, where it originates, where it is stored and for how long, and who has access to it, including any suppliers and storage providers.
▸ ISO 27001's controls on system acquisition, development and maintenance require data security to be an integral component of information systems throughout their lifecycle.
▸ ISO 27001's incident management controls call for an efficient and consistent method of handling security incidents, which is the process the GDPR depends on when it requires the supervisory authority to be notified within 72 hours of becoming aware of a personal data breach (Article 33).
10. ▸ ISO 27001 uses risk assessments to identify the controls needed for risk management, data protection impact assessments, and mitigation of risks to the rights and freedoms of data subjects.
11. In addition, INSZoom has committed itself to respecting and promoting the data rights outlined in the GDPR for all our customers by affirming the following:
12. ▸ No controller or data subject personal data is subject to cross-border data flows out of the region in which it is hosted, and in particular none flows to the EU. All data is stored on our hosted servers with Amazon Web Services in North America (in the U.S. for our U.S. clients and in Canada for our Canadian clients), which benefit from AWS's physical and infrastructure security controls.
▸ No controller or data subject personal data is shared with any unauthorized third party, including contractors or outside entities such as credit, consumer or marketing companies.
▸ INSZoom will process our customers' data for the sole purpose of providing the services, according to their instructions and the hosting and service agreements.
▸ INSZoom will implement and maintain technical and organizational measures to ensure a level of security appropriate to the risk, as set out by the GDPR and related regulations.
13. ▸ INSZoom will inform our customers without undue delay of requests addressed directly to INSZoom from their data subjects exercising their data subject rights regarding our customers' personal data.
▸ INSZoom will maintain our customers' confidentiality and will not process such personal data for any other purpose, except on their instructions or where required by applicable law.
▸ INSZoom will make every good-faith effort to assist and cooperate with our customers' reasonable requests for GDPR-related assistance regarding information, audit, return/deletion, processing, assistance and records requests.
14. We're proud to declare that all our subscription plans meet the GDPR readiness outlined above, in addition to the tools and features below, which provide further support in meeting your customers' GDPR expectations:
15. ▸ E-Consent Module: capture and store clear, authorized consent from the user to use their data for the agreed immigration or mobility action.
▸ Ad hoc Reports: track your data user population based on whatever information and audit records you need to collect and maintain.
▸ HR and Global Vendor Portals: work more closely with the business partners who directly oversee their employees, the affected data users.
▸ FN Portals: allow data users to exercise control over their own data as their needs require, for GDPR and beyond.
▸ Multifactor Authentication: an additional technical security measure.
▸ Knowledge Base, Alerts and Compliance Management: custom configurations to better organize and maintain your client data users.
16. INSZoom, as a SaaS solution, has always stayed ahead of and adapted to industry changes. We are committed to providing the best solutions by listening to our customers, innovating, and adapting to the ever-changing immigration industry.