GDPR compliance

​Akamai​ is focused on data protection and privacy, including compliance with the European Union General Data Protection Regulation (GDPR). As such, the ​Akamai​ Identity Cloud has implemented a privacy program and best practices to help maintain compliance with its contractual commitments and applicable privacy laws. 

The Identity Cloud privacy practices are reviewed annually by TrustArc (TRUSTe®) and annually audited by an independent auditor as part of the Identity Cloud's SOC2 Type II audit for all five Trust Principles. The first table below lists key GDPR article requirements for data processors and addresses how ​Akamai​ meets them. The second table lists key data subject rights and addresses how Identity Cloud services help clients satisfy them. For further discussion of how ​Akamai​ treats personal data, please see the Identity Cloud Privacy Policy.

Meet key GDPR requirements for processors

Article 28 (1)

Processors must implement appropriate technical and organizational measures so processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
​Akamai​ and its underlying data hosting services provider, Amazon Web Services (AWS), have implemented appropriate technical and organizational safeguards to protect the personal data that the Identity Cloud processes for its Clients against accidental or unlawful destruction or loss, alteration, and unauthorized disclosure.

These safeguards, which include scoped access, encryption of data in transit and at rest, data backup, and a tested BCDR plan, are audited by accredited, independent third parties on a regular basis. Our information security management system has been certified as compliant with ISO 27001 and 27018 standards and our processing system has been determined by a Service Organization Controls (SOC) 2 Type II audit to be compliant with the Security, Availability, Data Integrity, Confidentiality, and Privacy Trust Principles and related criteria established by the AICPA.

​Akamai​ practices privacy by design so it can consider and address privacy concerns at an early stage of product development.
Article 25

Data Protection by Design and Default
​Akamai​ assists its Clients in meeting the data protection by design and default requirements by taking a proactive approach in making sure appropriate levels of data protection are applied at the Identity Cloud product development stage and in our data processing. ​Akamai​ offers the creation of segments and the means to create anonymous data sets.
Article 28(2),(4)

Processors may only appoint sub-processors with the permission of the controller and must require permitted sub-contractors to implement appropriate measures to meet the GPDR.
Our sub-processor, AWS, is identified in our service agreements with our Clients. ​Akamai​ will not contract with any sub-processor of personal data without permission of the Client. ​Akamai​'s contracts with its sub-processors require that they have implemented appropriate technical and organizational measures to meet GDPR requirements.
Article 28(3)

Processors agreements with controllers must specify certain processor restrictions and obligations supporting GDPR compliance, including that the personal data they process are kept confidential.
​Akamai​ has entered into Data Protection Agreements or similar amendments with its Clients as needed to provide that ​Akamai​ will:

* Only act on the Client's instructions as documented in the service agreement;

* Impose confidentiality obligations on all personnel who process the relevant data;

* Ensure the security of the personal data that it processes;

* Only act on the Client's instructions as documented in the service agreement;
* Impose confidentiality obligations on all personnel who process the relevant data;

* Ensure the security of the personal data that it processes;

* Abide by the rules regarding appointment of sub-processors;

* Implement measures to assist the Client in complying with the rights of data subjects;

* Assist the Client in obtaining DPA approval where required;

* At the Client's election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law);

* Provide the Client with information necessary to demonstrate GDPR compliance and permit audits.

All Identity Cloud employees and any third party authorized to process data, such as AWS, are under appropriate contractual obligations of confidentiality. ​Akamai​ trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training and provides regular trainings thereafter.
Article 29

Process only under controller instructions.
​Akamai​ service agreements with its clients and permitted sub-processors reflect this requirement.
Article 30(2)

Maintain record of processing activities as required.
​Akamai​ maintains for each Client in scope a record that provides relevant contact information and identifies, among other things, the country and region where the data is hosted, the categories of processing carried out for the Client, the customer data fields hosted for the Client, required information regarding any transfers to a third country or international organization, and a general description of its technical and organizational security measures.
Article 32

Implement security safeguards appropriate to the risk.
As stated above with regard to Article 28 requirements, ​Akamai​ has implemented appropriate safeguards to protect the personal data it processes and the privacy of the affected data subjects, including the safeguards specifically noted in Article 32, such as encryption of personal data in transit and at rest.
Article 33

Notification of data breach without undue delay.
​Akamai​ systems monitoring controls assist in detecting a data breach. ​Akamai​ has implemented an Information Security Event Management Policy and procedures and a related Communication Policy to support our notification without undue delay to Clients of any breach. These policies and procedures are part of our ISO 27001:2013 - certified Information Security Management System.
Articles 45, 46

Restrictions on cross-border transfers
Clients may choose to have their customer data hosted in any region where ​Akamai​ offers hosting through AWS. To address client concerns regarding any transfer of personal data from the EU to the United States, ​Akamai​ has certified its adherence to the E.U.-U.S. Privacy Shield framework. ​Akamai​ will enter into the EU Standard Contractual Clauses with a Client where deemed appropriate. ​Akamai​ has entered into the EU’s Standard Contractual Clauses for processors with AWS.

Enable Identity Cloud client GDPR compliance

Articles 4(11), 6(1)

Controller must demonstrate that informed consent has been affirmatively provided by data subject for each distinct purpose of processing.
Our platform enables personal data to be shared knowingly by Client customers from the social platforms of their choice or entered by the customer on a granular basis with notice to, and the affirmative (checkbox) consent of, the Client customers via permission screens. This functionality enables our Clients to explain to their customers the purpose or purposes for processing in the registration workflow.

Email opt-out/opt-in options are configurable as part of Identity Cloud registration flows. ​Akamai​ maintains an audit trail evidencing consent and detailing changes to customer personal data records. In addition, ​Akamai​ provides the ability for Client to receive real time notification of customer personal data record changes and deletions.
Article 7(3)

Data subject has right to withdraw consent as easily as consent was given.
​Akamai​ can provide a consent withdrawal mechanism as part of its registration and consent flows.
Article 8

Parental consent is required for processing of personal data of children under 16 (or younger pursuant to Member State law).
​Akamai​ has age gating functionality to protect against knowing acceptance of personal data from children under the age determined by Client and to inform the child that parental consent is needed.
Articles 15, 20

Data subject has rights of access to copy of the personal data undergoing processing and to data portability.
Client can obtain a copy of a data subject’s personal data record via the Identity Cloud Customer Care Portal or an entity API call.
Articles 5(1)(d),16

Data subject has right to rectify inaccurate data.
Data subject changes to social identity shared with Client are automatically updated in personal data record maintained for Client. Edit profile page allows a customer to edit some of the information contained in his or her record. In addition, Client can obtain a copy of a data subject’s personal data record via the Identity Cloud Customer Care Portal or an entity API call.
Article 17

Data subject right of erasure.
Our clients can delete a data subject’s personal data record via our Customer Care Portal or an entity API call and the backup subsequently will be deleted automatically.