Implications of the GDPR on OneSpan Threat View

The security and privacy requirements related to the processing and storage of personal data regulated in the GDPR impact OneSpan Threat View and its components. Threat View collects threat event information from OneSpan Mobile Application Shielding to provide insights into the exposed risk for the individual threat event types.

Types of personal data in OneSpan Threat View

As part of the data collection, the Threat View Client SDK adds the following information to the event information:

• User ID

  A unique user identifier, identifying a mobile application (end) user. This field is optional.

  If you include the user ID in the event information, we recommend to apply pseudonymization.

• Geolocation information

  The Threat View library in the mobile application collects the geolocation coordinates of the mobile device and includes this with every event. For collecting the location, two types of granularity exist:

  • Coarse: the geolocation data is sufficiently vague not to uniquely identify the mobile user.

  • Fine: the geolocation data can be used to uniquely identify a user.

  The granularity is configured by the integrator in the mobile app and the Threat View SDK uses what has been configured.

This event information is stored in the Threat View back end, in the events database.

In addition, the Threat View Server supports managing customer administrators (i.e., your administrators). For these administrators, Threat View collects the following information:

• user name (required)

• display name (optional)

• phone number (optional)

• email address (optional)

The user information of your administrator(s) is stored in the Threat View identity management database.

To comply with GDPR and to ensure that aspects such as security of processing are achieved, personal data must be encrypted, both when at rest and when in transit. OneSpan Threat View must be configured to be compliant in regards to encrypting stored data (data at rest), as well as encrypting the communication flow of the data (data in transit).

Data encryption

If your organization is impacted by the General Data Protection Regulation (GDPR), you must ensure that the GDPR requirements are met, and to have the adequate encryptions in place both for data in transit and data at rest!

Data in transit refers to data that are actively moved from one place to another, e.g. across the Internet or through a private network. For Threat View, this is data exchanged between your infrastructure and mobile applications or administrator browsers.

Data portability: exporting personal data

The GDPR foresees for an individual the right to receive data connected to them, that is stored or processed, and personal data, which they supplied, in a structured, common, and machine-readable format.

You need to export personal data of your end users on the events database, if required, and provide them to the users. This only applies, however, if you have configured the userID field as part of the OneSpan Threat View Client SDK integration. You also need to consider the export of Threat View administrators’ personal data, if required.

Deleting personal data

You need to delete personal data of your end users from the events database, if required. This only applies, however, if you have configured the userID field as part of the OneSpan Threat View Client SDK integration. You also need to consider the deletion of your Threat View administrators’ personal data, if required.