Processing data is an important part of many of CM’s products. Millions of records are transferred through the CM platform every day, as we offer solutions for communication, online identification and payments. We take handling, processing, and retaining your data in a secure manner very seriously. For us, for you, and for your customers.
On May 25th 2018, the General Data Protection Regulation (GDPR) will come into effect, replacing current privacy regulations. By then, all companies handling personal data will need to adhere to the regulation and be able to demonstrate their compliance to the GDPR. In addition to the GDPR, a new ePrivacy Regulation will replace the existing directive (expected mid-2018 – more information will follow shortly).
On this page, we will explain which actions CM takes to be and remain compliant with privacy and data protection legislation and what efforts we’ve taken and will continue to take to accommodate your compliance when using our platform. This website will be continuously updated in the coming months.
CM Complies with the GDPR
As a responsible processor, a responsible controller, and as data subjects ourselves, CM has embraced the principles that lie at the base of the GDPR. Moreover, we regularly revisit them to assure our compliance. At this point, we have all necessary tools in place to conform to the principle of accountability. Some examples are: a data controller register, data processor registers, and our specific CM Data Privacy Impact Assessment (CM-DPIA). We offer data privacy training, in general to all employees, and specifically to developers. In addition, we’ve set up a GDPR compliance roadmap and took corrective actions where necessary. We provide more detail on CM's GDPR compliance below.
In order to be in line with the purpose of processing and the applicable legal requirements, we’ve sharpened our company-wide and product-specific retention periods. The guiding principle is: if we don’t need it, we pseudonymize the data via automated and scheduled scripts. This way, we assure the data records no longer constitute personal data without losing valuable information to improve our services and products.
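As an added illustration of the retention approach described above (example code, not CM's own scripts): a scheduled job that, once a record is past an assumed 90-day retention period, drops the direct identifiers, keeps the fields needed for service statistics, and replaces the phone number with a keyed HMAC token so that records of the same sender stay linkable only for whoever holds the key. The field names, retention period and sample records are all constructed for this example.

```python
import hashlib
import hmac
from datetime import date

# Constructed example, not CM's code: a retention job that pseudonymizes
# message records once they are older than the retention period.
RETENTION_DAYS = 90  # assumed retention period; the real value is policy-specific

# Fields that identify a person directly and are dropped outright after retention.
DIRECT_IDENTIFIERS = ("name", "email", "body")

def pseudonym(key: bytes, value: str) -> str:
    """Keyed HMAC: the same sender maps to the same token without storing the number.
    The key lives outside the data store; rotating it breaks linkability to old tokens."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymize(record: dict, key: bytes, today: date) -> dict:
    """Return the record unchanged inside retention, otherwise a pseudonymized copy."""
    sent = date.fromisoformat(record["sent_at"][:10])
    if (today - sent).days < RETENTION_DAYS:
        return dict(record)  # inside retention: keep the full record
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k != "msisdn"}
    msisdn = record["msisdn"]
    out["sender_token"] = pseudonym(key, msisdn)
    out["country_code"] = msisdn[:3]        # assumed: keep coarse geography only
    out["sent_at"] = record["sent_at"][:10]  # day precision is enough for statistics
    out["pseudonymized"] = True
    return out

def run_retention(records: list, key: bytes, today_iso: str) -> list:
    """Apply the retention rule to every record as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    return [pseudonymize(r, key, today) for r in records]

# Constructed sample records: one past retention, one still inside it.
SAMPLE = [
    {"msisdn": "+31612345678", "name": "A. Example", "email": "a@example.com",
     "body": "Your code is 1234", "status": "delivered", "sent_at": "2018-01-05T10:22:00"},
    {"msisdn": "+31612345678", "name": "A. Example", "email": "a@example.com",
     "body": "Reminder", "status": "delivered", "sent_at": "2018-05-20T08:00:00"},
]

if __name__ == "__main__":
    for rec in run_retention(SAMPLE, b"constructed-demo-key", "2018-05-25"):
        print(rec)
```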
Access to databases is restricted to employees on a need-to-know, need-to-edit, and need-to-execute basis. This holds true for all databases within CM. Access to databases that contain sensitive data is subject to an even higher level of control: access is only granted after signed approval from the CEO, MD, or CTO, and this approval needs to be filed with the system administrators. All access movements are logged. Furthermore, access control and the access list review are included in the yearly audit cycles.
Data Privacy by Design and Data Privacy by Default
Data privacy training is provided by the CM Academy. On a yearly basis, all CM employees are trained on the topic of privacy. For our developers, we offer training on the principles ‘Privacy by Design’ and ‘Privacy by Default’. In this training, they are taught the meaning of these principles and which measures they can take to support successful implementation of these principles in new products.
Continuous compliance efforts
In 2016 CM initiated a new compliance roadmap, of which data privacy and data security are an important part. Proving our continued commitment to security to our customers and partners is a key priority and the ISO27001 certificate that we have been granted that same year is a great confirmation of these efforts.
The GDPR compliance project is part of our compliance roadmap. The project towards GDPR compliance started out with a data inventory exercise in which we looked at all CM processes that handle personal data. We thoroughly reviewed the access, the data minimization opportunities, and the retention terms applicable to the specific products and industries. Where necessary, we took corrective action. All processes were documented and reflected in flow diagrams that served as input for the process registers.
We stay compliant by regularly reviewing existing processes, training, security reviews and tests, performing the CM-DPIA on new products, enhancing our privacy protection landscape with new tools and educating ourselves and our customers.
CM is a responsible partner and holds data privacy in high regard. You can use our products with the confidence that they comply with the GDPR. Our newly developed products adhere to the principles of privacy by design and privacy by default to further assure GDPR compliance. New products undergo the CM-DPIA and need to meet a defined quality level to be considered safe; the CM-DPIA needs to be signed off by the CTO. The data of EU end users is stored within the EU. We do our part and are compliant so that you can be compliant when you use any of our products.
Let’s look at an example of how we apply this in practice. Traditionally, the Know Your Customer (KYC) onboarding process for financial institutions is a complex process handling very sensitive data (financial details, passports, etc.), with various e-mails and requests going back and forth. CM has developed an app (forthcoming) which structures this process, asks only for the minimal required (personal) data, requests this data via secured applications, and transmits the data via encrypted channels.
This newly developed Know Your Customer (KYC) app has been designed with privacy in mind. The DPIA clearly showed that risks were mitigated and security was in line with ISO27001 standards. We ask only the legal minimum of required data of the people involved, and the data that we do need, we handle with care: for example, when a passport needs to be uploaded, the picture is not saved in the app, the social security number (BSN, which is not needed) must be blacked out with an in-app tool, and the image is watermarked, clearly stating time, date, and purpose.
Supporting your compliance
Besides being compliant ourselves and offering GDPR-compliant products, we go the extra mile to support your compliance. We propose secure connections for transferring data between you and CM, and we advise you on how to make secure use of them. Finally, we cater for the data subject rights: we are transparent and can accommodate the various data subject rights, which are extensively expanded by the GDPR. Examples of these adjusted rights are: the right to rectification, the right to erasure, the right to restriction of processing, and the right to object. We support our customers if they receive requests from end users wanting to exercise their rights.