General Data Protection Regulation (GDPR) is a set of requirements, recently enacted in Europe, designed to protect data from breaches and help to ensure privacy. GDPR requires that all European companies comply with the following:
- Data protection: Companies must have policies, processes, and technology in place to ensure that data stays secure and protected.
- Data consent and rights: Individuals have to give their consent, and the consent has to be explicit and limited. Users also have the right to request data, rescind requests, and revoke consent.
- Notification of data breach: The supervisory authority must be notified of a data breach within 72 hours of discovery, unless the breach is not likely to harm a person’s rights and freedoms. The individual who owns the data must also be promptly notified of data breaches, except where there is little risk of harm, when data has been rendered unintelligible, or when notification would involve a disproportionate effort.
- Penalties: Fines can be levied up to €20 million or 4% of global revenue (whichever is greater). Individuals who are impacted by improper data handling may seek legal restitution.
- Data transfers: It is permissible to transfer data outside of Europe as long as companies establish safeguards and permissions that are in line with GDPR.
GDPR was designed for companies in Europe, but it doesn’t apply only to European companies. Any organization that does business or operates in Europe, or has affiliations in Europe (even if it is not physically located there), must also comply with GDPR. If your organization works with companies in Europe, or may do so in the future, it is required to comply with GDPR.
Keeping Data Protected
As the name states, GDPR is all about keeping data protected. Organizations have to ensure that personal data is protected. You must have proper policies, procedures, and technology in place to ensure that data is protected and stays private. Some of the key data protection aspects of GDPR include:
- Privacy by design: This mandate calls for designing systems, from the outset, with data protection built in rather than added on later. More specifically, “The controller shall…implement appropriate technical and organizational measures…in an effective way…in order to meet the requirements of this Regulation and protect the rights of data subjects.” This portion of GDPR calls for controllers to hold and process only the data necessary for the completion of their duties (data minimization), and to limit access to personal data to those who need it to carry out the processing.
- Right to access: GDPR states that individuals can obtain confirmation about whether their personal data is being processed, where, and for what purpose. And, an organization shall provide a copy of the personal data, free of charge, in an electronic format.
- Right to be forgotten: Also known as Data Erasure, the right to be forgotten gives an individual the right to have an organization erase his or her personal data, cease further use of the data, and potentially have third parties also halt usage of the data.
- Data portability: GDPR introduces data portability, the right for an individual to receive the personal data concerning them, which they have previously provided, in a commonly used electronic format.
- Breach notification: Breach notifications are mandatory when a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Organizations are also required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
GDPR makes it clear that your organization must protect personal data! Failure to comply with GDPR can have consequences, including fines and restitution for any harm caused by the violation. And, imagine the reputation damage your company will suffer when your customers learn of a GDPR violation. You need to ensure compliance.
Micro Focus can help!
GDPR requires organizations to protect against security breaches and to report identified breaches to both GDPR authorities and customers. The Micro Focus File Governance Suite helps accomplish this through data protection policies that enable nearline storage, point-in-time recovery, content control, file remediation, and identity-driven file management.
In addition to protecting data through policy, the File Governance Suite provides data protection through analysis. To further assist with GDPR compliance, authorized users can analyze the content of files. Files that include personal or secure information can then be automatically moved to more secure locations or be deleted (when appropriate).
The latest version of the File Governance Suite includes new Security Notify policies. These new Target-Driven policies enable you to analyze and be notified of changes in the security permissions for a selected target path. This way, you can be promptly notified whenever file access permissions change and then quickly take any necessary corrective measures.
The File Governance Suite helps your organization ensure that you comply with GDPR and that your data stays secure!
Learn more about managing your data requirements in this paper, “Meeting Today’s Data Governance Challenges Using File Governance Suite.”
Note: Much of this information comes from the EU GDPR website, https://eugdpr.org/.