Shufti GDPR Review 2018: How we protected our clients from regulatory fines?

Shufti stands out in KYC industry not only because of its highly customizable and global identity verification services but because of the unique regulatory protection provided by Shufti to its customers. After all, the collection of personal information to authenticate the true identity of an end-user puts both Shufti and its customers at a substantial risk. Regulators from all over the world have put forward strict privacy laws and regulations that not only dictate strict guidelines for personal data collection but also want companies to follow set rules when it comes to using personal information of a common user.

GDPR was one of the most comprehensive and powerful regulations introduced a couple of years back and July 2018 was the deadline for businesses to become GDPR Compliant. This set of rules was applicable for businesses that were either based within the European Union or even those that were based outside of EU but provided services to its citizens. In order to safeguard its customers from multi-million dollars fines – fines for businesses found in breach of GDPR – Shufti aligned its verification services in line with GDPR specific guidelines.

GDPR guidelines for Identity Verification Services by Shufti

GDPR never had any specific guidelines set out for identity verification services or for third party KYC service providers. In fact, it was a generic set of instructions for any business that was collecting personal information of its customers and the privacy guidelines that these businesses have to follow.

As a third-party verification service that was verifying the identity and financial risk attached to customers of online businesses, Shufti designated a special role for itself as per the specific terminology introduced by GDPR i.e. processor of data. This made our clients collecter of personal information in order to verify the identity of incoming users.

Read: Try Shufti KYC Services Free of Cost for 7 Days Now

It meant that although, Shufti was the business entity that was tasked to verify the personal information claimed by end-user it was the responsibility of Shufti client to secure that data. On our own end, the collected information was secured from not only any brute force attack but special protocols were developed to delete the collected data, when a request was received either from Shufti client but also from an end-user as well.

KYC Verification procedure under GDPR

Shufti only collects data for verification purposes as per the legal agreement signed by Shufti and its customers. This data will be limited to verification of the credentials, identity or any other related verification that was required by our customers to be provided as per the legal agreement. We have even added a consent button at the form where a customer is supposed to fill its identification details. We also provide the option for customers to go through our data protection, privacy policy and Terms & Conditions, to ensure full transparency.

Access Rights

User can request access to the personal data he has shared with Shufti about himself. Personal data is anything identifiable, like his name and email address. If he requests access, Shufti (as the processor) need to provide a copy of the data, in most cases in machine-readable format (e.g. CSV or XLS). Daniel can also request to see and verify the lawfulness of processing. A client can seek access to their data by asking Shufti of what they require at [email protected]. We at Shufti believe to be at legal and moral obligation to facilitate any manner of an individual rights request. Shufti enables you to grant any access request by easily exporting user record into a machine-readable format.

Deletion Rights

Under the GDPR, the user has the right to request that Shufti delete all personal data it has collected from him. The GDPR is required to permanently remove userís contact from their database, including verification results, all personal information, saved images/video, form submission data, and credit card data. In a GDPR compliant manner, a client can seek to have their data deleted by querying Shufti at [email protected]. The Data protection officer at Shufti in most cases will respond back within a 30 day period. In many cases, the right to deletion is not absolute and can depend on the context of the request, so it doesnít always apply.