Identity Cloud and GDPR Compliance

Akamai is focused on data protection and privacy, including compliance with the European Union General Data Protection Regulation (GDPR). As such, the Akamai Identity Cloud has implemented a privacy program and best practices to help maintain compliance with its contractual commitments and applicable privacy laws.

The Identity Cloud's privacy practices are reviewed annually by TrustArc (TRUSTe®) and annually audited by an independent auditor as part of the Identity Cloud's SOC 2 Type II audit for all five Trust Principles. The first table below lists key GDPR article requirements for data processors and addresses how Akamai meets them. The second table lists key data subject rights and addresses how Identity Cloud services help Clients satisfy them. For further discussion of how Akamai treats personal data, please see the Identity Cloud Privacy Policy.

Meeting Key GDPR Requirements for Processors

Requirement / Compliance

Article 28 (1)

Processors must implement appropriate technical and organizational measures so processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Akamai and its underlying data hosting services provider, Amazon Web Services (AWS), have implemented appropriate technical and organizational safeguards to protect the personal data that the Identity Cloud processes for its Clients against accidental or unlawful destruction or loss, alteration, and unauthorized disclosure.

These safeguards, which include scoped access, encryption of data in transit and at rest, data backup, and a tested BCDR plan, are audited by accredited, independent third parties on a regular basis. Our information security management system has been certified as compliant with ISO 27001 and 27018 standards and our processing system has been determined by a Service Organization Controls (SOC) 2 Type II audit to be compliant with the Security, Availability, Data Integrity, Confidentiality, and Privacy Trust Principles and related criteria established by the AICPA.

Akamai practices privacy by design so it can consider and address privacy concerns at an early stage of product development.

Article 25

Data Protection by Design and Default

Akamai assists its Clients in meeting the data protection by design and default requirements by taking a proactive approach in making sure appropriate levels of data protection are applied at the Identity Cloud product development stage and in our data processing. Akamai offers the creation of segments and the means to create anonymous data sets.

Article 28(2),(4)

Processors may only appoint sub-processors with the permission of the controller and must require permitted sub-contractors to implement appropriate measures to meet the GDPR.

Our sub-processor, AWS, is identified in our service agreements with our Clients. Akamai will not contract with any sub-processor of personal data without permission of the Client. Akamai's contracts with its sub-processors require that they have implemented appropriate technical and organizational measures to meet GDPR requirements.

Article 28(3)

Processors' agreements with controllers must specify certain processor restrictions and obligations supporting GDPR compliance, including that the personal data they process are kept confidential.

Akamai has entered into Data Protection Agreements or similar amendments with its Clients as needed to provide that Akamai will:

  • Only act on the Client's instructions as documented in the service agreement;
  • Impose confidentiality obligations on all personnel who process the relevant data;
  • Ensure the security of the personal data that it processes;
  • Abide by the rules regarding appointment of sub-processors;
  • Implement measures to assist the Client in complying with the rights of data subjects;
  • Assist the Client in obtaining DPA approval where required;
  • At the Client's election, either return or destroy the personal data at the end of the relationship (except as required by EU or Member State law);
  • Provide the Client with information necessary to demonstrate GDPR compliance and permit audits.

All Identity Cloud employees and any third party authorized to process data, such as AWS, are under appropriate contractual obligations of confidentiality. Akamai trains all new employees about their confidentiality, privacy and information security obligations as part of their new employee training and provides regular trainings thereafter.

Article 29

Process only under controller instructions.

Akamai's service agreements with its Clients and permitted sub-processors reflect this requirement.

Article 30(2)

Maintain a record of processing activities as required.

Akamai maintains for each Client in scope a record that provides relevant contact information and identifies, among other things, the country and region where the data is hosted, the categories of processing carried out for the Client, the customer data fields hosted for the Client, required information regarding any transfers to a third country or international organization, and a general description of its technical and organizational security measures.

Article 32

Implement security safeguards appropriate to the risk.

As stated above with regard to Article 28 requirements, Akamai has implemented appropriate safeguards to protect the personal data it processes and the privacy of the affected data subjects, including the safeguards specifically noted in Article 32, such as encryption of personal data in transit and at rest.

Article 33

Notification of data breach without undue delay.

Akamai's systems monitoring controls assist in detecting a data breach. Akamai has implemented an Information Security Event Management Policy and procedures and a related Communication Policy to support notification of Clients without undue delay of any breach. These policies and procedures are part of our ISO 27001:2013-certified Information Security Management System.

Articles 45, 46

Restrictions on cross-border transfers.

Clients may choose to have their customer data hosted in any region where Akamai offers hosting through AWS. To address client concerns regarding any transfer of personal data from the EU to the United States, Akamai has certified its adherence to the E.U.-U.S. Privacy Shield framework. Akamai will enter into the EU Standard Contractual Clauses with a Client where deemed appropriate. Akamai has entered into the EU’s Standard Contractual Clauses for processors with AWS.

Enabling Identity Cloud Client GDPR Compliance

Requirement / Compliance

Articles 4(11), 6(1)

Controller must demonstrate that informed consent has been affirmatively provided by data subject for each distinct purpose of processing.

Our platform enables personal data to be shared knowingly by Client customers from the social platforms of their choice or entered by the customer on a granular basis with notice to, and the affirmative (checkbox) consent of, the Client customers via permission screens. This functionality enables our Clients to explain to their customers the purpose or purposes for processing in the registration workflow.

Email opt-out/opt-in options are configurable as part of Identity Cloud registration flows. Akamai maintains an audit trail evidencing consent and detailing changes to customer personal data records. In addition, Akamai provides the ability for Clients to receive real-time notification of customer personal data record changes and deletions.

Article 7(3)

Data subject has right to withdraw consent as easily as consent was given.

Akamai can provide a consent withdrawal mechanism as part of its registration and consent flows.

Article 8

Parental consent is required for processing of personal data of children under 16 (or younger pursuant to Member State law).

Akamai has age-gating functionality to protect against knowing acceptance of personal data from children under the age determined by the Client and to inform the child that parental consent is needed.

Articles 15, 20

Data subject has rights of access to copy of the personal data undergoing processing and to data portability.

Client can obtain a copy of a data subject’s personal data record via the Identity Cloud Customer Care Portal or an entity API call.

Articles 5(1)(d), 16

Data subject has right to rectify inaccurate data.

Data subject changes to a social identity shared with the Client are automatically updated in the personal data record maintained for the Client. The edit profile page allows a customer to edit some of the information contained in his or her record. In addition, the Client can obtain a copy of a data subject's personal data record via the Identity Cloud Customer Care Portal or an entity API call.

Article 17

Data subject right of erasure.

Our Clients can delete a data subject's personal data record via our Customer Care Portal or an entity API call, and the backup will subsequently be deleted automatically.