The why, the how, the who, the what, the exceptions, the consequences and the solution to GDPR compliance
The aim of the EU General Data Protection Regulation (GDPR) is both to strengthen and unify the data protection rights of individuals within the European Union (EU) and to address the transfer of personal data outside the EU. The compliance deadline for GDPR is May 2018; however, the amount of internal collaboration needed to address how data is collected, stored, used and archived means that planning for GDPR compliance cannot wait any longer.
GDPR Compliance Requirements
The why. The principal objective of the GDPR is to give EU citizens back control of their personal data. Once GDPR takes effect it will harmonise previous and other data protection regulations throughout the EU.
The who. All global companies handling EU data, including US companies, must comply with EU law or be subject to the consequences. The management of this EU compliance regulation will have a far-reaching impact on organisations throughout the world. With the termination of the US Safe Harbor rules, US companies that transfer and handle the personal data of EU citizens will also need to comply with the new requirements.
The how. To address the array of GDPR compliance requirements, organisations may need to employ one or more encryption methods within their on-premises and/or cloud infrastructure environments, including:
- Servers, including file, application, database, and full-disk virtual machine encryption.
- Storage, including network-attached storage and storage area network encryption.
- Media, through disk encryption.
- Networks, for example through high-speed network encryption.
It is critical that the necessary security controls are in place and that they are demonstrable and auditable. Therefore, essential IT and data management processes are required to secure and protect the encrypted data and to ensure that the deletion of files complies with a user's right to be forgotten.
Organisations must at the same time document a way to verify the legitimacy of user identities and transactions in order to prove compliance.
The exceptions. The components of GDPR implementation provide exceptions based on whether the appropriate security controls are in place within the organisation. For example, if your company is breached but the data has been rendered unintelligible through encryption to the hacker or to any other person not authorised to access it, the company is not required to notify the affected record owners. The chances of being fined are further reduced if the organisation can demonstrate that a "secure breach" has taken place, that is, that the breached data remained protected.
The consequences. If your team becomes aware of a data breach, under the new EU compliance standard the following conditions may apply, depending on the severity of the violation:
- Your team must notify the local data protection authority and the owners of the breached records.
- In the event of a serious breach, the organisation could be fined up to 4% of global turnover or €20 million.
The solution. Get structured and systematic GDPR compliance help now by attending the one-day GDPR seminar (in English) on February 9th in Copenhagen. You will gain a complete understanding of your data protection portfolio and of how its parts can work together across your organisation to provide persistent protection and management of sensitive data, mapped to your (customised) GDPR roadmap and framework. For details on the seminar see: http://www.copenhagencompliance.com/gdpr/index.html