On May 25, 2018, the GDPR takes effect to heighten standards for personal privacy.
According to the new EU law, organizations that store Personally Identifiable Information (PII) of European citizens must meet new requirements for the protection of personal data. The law also sets enhanced requirements for transparency on how personal data is collected, retained, and used.
Essent is deeply experienced in protecting personal data and we’ve incorporated GDPR into our framework for protecting the personal data not just of European citizens, but of everyone who uses Essent products and services.
We are committed to keeping private data private.
Personally Identifiable Information (PII) is information that can be used to identify an individual, whether the information is used alone or combined with other information (e.g. SSNs, name, DOB, home address, home email).
A single piece of information can reveal an individual identity, but it’s more likely that a combination of information reveals an identity. Even information as sensitive as payment card data may not fully identify an individual, or may not be useful, without being linked to some other personal data like a full name or a citizenship identifier like a Social Security Number or a National Insurance Number.
Information that is not PII can become PII if new information becomes available. For example, a common last name like Smith refers to tens of thousands of people and is unlikely to identify an individual. Combined with new information like a first name and an address, however, the information now can reasonably be used to identify an individual.
Therefore, the concern of personal data protection is to protect not just any single type of information, but a wide variety of information that may combine with other information to identify an individual.
It’s a comprehensive effort to protect all types of information, an all-encompassing effort that includes policies, training, controls, monitoring, notifications, and more, as well as the vigilant practice and implementation of them.
Essent has long advocated and implemented comprehensive security features for large sets of data, and applauds the goals of GDPR to standardize such comprehensive protection.
The GDPR calls on organizations to implement appropriate security measures to protect personal data, and many are measures that Essent has implemented for years.
Essent Cloud and Hosting Services are designed to provide security, including secure collection, storage, and processing of personal data.
Essent software subscription services are hosted by Essent at one or more facilities and accessed remotely via the Internet. Essent hosting services are designed to be extremely reliable and employ state-of-the-art information technology patterns and practices. Specifically:
Some features of Essent facilities specific to the protection of private data, including Personally Identifiable Information and payment card information, include:
Essent employs 24x7x365 network monitoring to guard against threats and vulnerabilities to sensitive data, including Personally Identifiable Information.
Essent performs monitoring using both commercially available and proprietary network monitoring tools. This includes the Essent NetSet network monitoring service and firewall, which was designed and developed by Essent.
Users and Systems are tested annually to determine their incident response capability and incident response effectiveness. Essent meets annually for a tabletop exercise, designed to test the breach response procedure and to help ensure members of the Response Team are familiar with the plan and understand their specific roles.
Essent protects the information entrusted to it. Security and privacy training must be completed prior to obtaining access to information and annually to ensure individuals are up-to-date on the proper handling of PII. Security and Privacy Awareness training is provided by Essent. Failure to complete required training will result in denial of access to information.
Essent software includes integrated security management based on access control and encryption, including:
Access is controlled through user accounts with assigned passwords and permissions.
The permissions define who has access to which portions of the system and therefore who has access to which information, including PII. For example, a manager or administrator might have access to many modules and information sets while sales representatives might have access only to modules and information needed to perform their role.
Essent employees likewise are provided access only to the modules and information needed to perform their roles, and not more. This limits the exposure of the data so that it’s much less likely that information is made available in personally identifiable or risky combinations.
The Essent Business Management System supports advanced security protocols including Virtual Private Networks (VPN) and NSA (United States National Security Agency) C2-Level Encryption Algorithms.
The Essent SiteBuilder web content management system enables Hypertext Transfer Protocol Secure (HTTPS) via a Secure Sockets Layer (SSL) Certificate, which provides an encrypted link between a web server and web browser.
In other words, information that is at rest or in transit between a SiteBuilder website and a person viewing it is protected with encryption, as is information that is at rest or in transit from the Essent Business Management System to a SiteBuilder website.
This includes customer and user information, including payment card information and Personally Identifiable Information.
Essent supports the goals of the General Data Protection Regulation and has incorporated GDPR into our framework for data protection.
We are deeply experienced in protecting sensitive data, including personal data, and long have implemented many of the standards that the GDPR calls for.
We employ a comprehensive approach to protecting Personally Identifiable Information, as well as other sensitive and even not-so-sensitive information. The approach guards against the breach of information that can reveal an individual’s identity, and just as importantly information that can reveal an individual identity when combined with other information.
In practice, however, Essent has long implemented measures called for in the GDPR. Infrastructure, monitoring, testing, training, access control, and encryption are well positioned to accommodate the requirements of GDPR, which we wholeheartedly endorse.
Essent is the leading provider of fully-integrated business management software solutions and services for process-intensive industries and the largest trading network for the promotional products industry. The Essent family of fully-integrated products and services combines best practices, business processes, software automation, and network communications to deliver unparalleled, unified business management solutions. Since 1980, Essent has offered the systems, service, software, and support critical to success in today's highly-competitive marketplace.