Having just spent a great deal of quality time with attorneys, educating the legal community about the benefits of eDiscovery in the cloud, I noticed that there is still a proverbial elephant in the room—the European Union’s General Data Protection Regulation (GDPR). Next year, thousands of corporations will have to comply with a whole new set of data management rules prescribed by GDPR. While opinions and knowledge of the GDPR varied, three questions kept cropping up:
- What is GDPR, and how can it impact my organization?
- What do I need to do first?
- How can I leverage the cloud to ensure compliance?
GDPR creates a unified set of laws and stricter regulations for EU citizen data processing, and it also specifies steep penalties for noncompliance. These penalties are in the form of administrative fines and can be imposed for any type of GDPR violation, including those that are purely procedural. Fines range from €10 million or 2% of global annual turnover to €20 million or 4% of global turnover.
The primary reasons for the new regulation are:
- To provide EU citizens with more power over how their own personal data is used
- To strengthen trust between digital services providers and the people they serve
- To provide businesses with a clear legal framework under which they can operate, removing any regional differences by creating a uniform law across the EU single market.
GDPR goes into effect on May 25, 2018—which leaves companies a year to prepare for drastic changes in how they handle the personal data of EU residents. Let’s explore what your organization can do to prepare for GDPR.
GDPR First Steps
Is your business subject to GDPR?
GDPR applies to a larger scope of organizations than did the Data Protection Directive (Directive 95/46/EC), its predecessor. Many businesses that were not subject to European privacy laws will, in fact, need to comply with GDPR. Here’s how to determine if you must comply:
- GDPR applies to all organizations with a presence in the EU where personal data is processed during the performance of business activities—even a minimal footprint (such as having a single EU-based employee) suffices.
- If a company without a physical presence in the EU is targeting EU residents to offer them goods and services, GDPR applies. “Targeting” includes using an EU language or currency, tailoring products to EU residents, or aggressive marketing within the EU. “Monitoring” is defined as tracking people online to create profiles or analyze and predict personal preferences, patterns of behavior, or attitudes.
Is your company required to have a Data Protection Officer (DPO)?
Different from a compliance officer or legal counsel, a DPO reports to the executive board and has the authority to monitor the company’s data processing. Organizations with 250 or more employees that handle sensitive data or criminal records must appoint a DPO. Organizations with fewer than 250 employees may or may not have to appoint a DPO, depending on whether they process sensitive data.
Are there processes in place to respond to requests to delete/amend/provide copies of data?
In addition to the rights prescribed by the Data Protection Directive—such as access to copies of data, the right to amend, and the right to restrict processing—GDPR also includes the right to online information erasure and the right to data portability (allowing people to transfer their data to another service provider). This means your company must develop thorough procedures to respond to these types of requests.
Does your company have an incident response plan that meets GDPR requirements?
GDPR includes a data-breach notification requirement. Data breaches are subject to a 72-hour notification of the supervisory authority if there’s a risk of harm to people. The affected data subjects also must be notified without “undue delay.”
What are your organization’s data transfer mechanisms?
If your company hasn’t determined how personal information is transferred from the EU, it’s a good time to examine your transfer mechanisms, as they are subject to administrative penalties. If your organization transfers data from the EU to the US, your options are:
- Privacy Shield certification
- execution of the model clauses
- binding rules for intra-company data transfers
It seems the common threads in all these requirements are the allocation of more resources for data protection and governance, and a more proactive approach to privacy and security.
Druva, the Cloud, and GDPR
Offering the only cloud-native data protection SaaS on the market, Druva solutions address compliance with regulations such as GDPR head-on using the power of the public cloud:
- Data visibility: To secure information and be compliant with GDPR requires visibility into where data lives. Druva provides the ability to protect, collect, and monitor data on endpoints, servers, and in cloud applications. This broad visibility gives you a real understanding of your company’s overall data attack surface, and it delivers actionable insight into how to deploy GDPR-compliant security mechanisms.
- Information governance: Traditionally, data governance focused on forced data centralization, which provides visibility only into information that is stored centrally. The decentralization of data creation on mobile devices and cloud apps means companies must approach governance differently. Druva allows you to centralize your data-source policy management and enforcement to bring in decentralized data in a way that’s compliant with GDPR.
- Continuous data monitoring: GDPR requires data processors to monitor the security of their information no matter where it lives. With Druva, you’re able to automate proactive monitoring for compliance violations, regardless of whether that data is on a traditional endpoint or in a cloud application.
- Secure transfer: With GDPR, security follows the data of all EU citizens, no matter where that data resides. Druva uses industry-leading, standards-based TLS 1.2 and AES 256 encryption with unique customer keys, paired with simplified and integrated key management. Druva can also prevent data from leaving the EU, in the event that you’ve not yet established acceptable transfer mechanisms.
- Right to Be Forgotten/Right to Erasure: One of the major provisions of GDPR, and one of the major challenges it poses for organizations, is how to erase information at the request of EU residents in order to prevent any subsequent data processing. While there are some caveats with this provision of GDPR, any lawful requests for erasure must be handled in a timely manner. Druva provides defensible deletion capabilities that enable you to comply with erasure requests—including a complete audit trail to prove the information was deleted.
Druva blog content originally published on the GDPR Report