GDPR Is Coming!




Having just spent a great deal of quality time with attorneys, educating the legal community about the benefits of eDiscovery in the cloud, I noticed that there is still a proverbial elephant in the room—the European Union’s General Data Protection Regulation (GDPR). Next year, thousands of corporations will have to comply with a whole new set of data management rules prescribed by GDPR. While opinions and knowledge of the GDPR varied, three questions kept cropping up:

  • What is GDPR, and how can it impact my organization?
  • What do I need to do first?
  • How can I leverage the cloud to ensure compliance?
GDPR Explained

GDPR creates a unified set of laws and stricter regulations for EU citizen data processing, and it also specifies steep penalties for noncompliance. These penalties are in the form of administrative fines and can be imposed for any type of GDPR violation, including those that are purely procedural. Fines range from €10 million or 2% of global annual turnover to €20 million or 4% of global turnover.

The primary reasons for the new regulation are:

  1. To provide EU citizens with more power over how their own personal data is used.
  2. To strengthen trust between digital service providers and the people they serve.
  3. To provide businesses with a clear legal framework under which they can operate, removing any regional differences by creating a uniform law across the EU single market.

GDPR goes into effect on May 25, 2018—which leaves companies a year to prepare for drastic changes in how they handle the personal data of EU residents. Let’s explore what your organization can do to prepare for GDPR.

GDPR First Steps

Is your business subject to GDPR?
GDPR applies to a larger scope of organizations than did the Data Protection Directive (Directive 95/46/EC), its predecessor. Many businesses that were not subject to European privacy laws will, in fact, need to comply with GDPR. Here’s how to determine if you must comply:

GDPR applies to all organizations with a presence in the EU where personal data is processed during the performance of business activities—even a minimal footprint (such as having a single EU-based employee) suffices.

A company without a physical presence in the EU also falls under GDPR if it targets EU residents to offer them goods and services, or if it monitors their behaviour. “Targeting” includes using an EU language or currency, tailoring products to EU residents, or aggressive marketing within the EU. “Monitoring” means tracking people online to create profiles or to analyze and predict personal preferences, patterns of behavior, or attitudes.

Is your company required to have a Data Protection Officer (DPO)?
Different from a compliance officer or legal counsel, a DPO reports to the executive board and has the authority to monitor the company’s data processing. Organizations with 250 or more employees that handle sensitive data or criminal records must appoint a DPO. Organizations with fewer than 250 employees may or may not have to appoint a DPO, depending on whether they process sensitive data.

Are there processes in place to respond to requests to delete/amend/provide copies of data?
In addition to the rights prescribed by the Data Protection Directive—such as access to copies of data, the right to amend, and the right to restrict processing—GDPR also includes the right to online information erasure and the right to data portability (allowing people to transfer their data to another service provider). This means your company must develop thorough procedures to respond to these types of requests.

Does your company have an incident response plan that meets GDPR requirements?
GDPR includes a data-breach notification requirement. When a breach poses a risk of harm to people, the supervisory authority must be notified within 72 hours, and the affected data subjects must also be notified without “undue delay.”

What are your organization’s data transfer mechanisms?
If your company hasn’t determined how personal information is transferred from the EU, it’s a good time to examine your transfer mechanisms, as they are subject to administrative penalties. If your organization transfers data from the EU to the US, your options are:

  • Privacy Shield certification
  • execution of the EU model clauses
  • binding corporate rules for intra-company data transfers

It seems the common threads in all these requirements are the allocation of more resources for data protection and governance, and a more proactive approach to privacy and security.

Druva, the Cloud, and GDPR
Offering the only cloud-native data protection SaaS on the market, Druva solutions address compliance with regulations such as GDPR head-on using the power of the public cloud:

  • Data visibility: To secure information and be compliant with GDPR requires visibility into where data lives. Druva provides the ability to protect, collect, and monitor data on endpoints, servers, and in cloud applications. This broad visibility gives you a real understanding of your company’s overall data attack surface, and it delivers actionable insight into how to deploy GDPR-compliant security mechanisms.
  • Information governance: Traditionally, data governance focused on forced data centralization, which provides visibility only into information that is stored centrally. The decentralization of data creation on mobile devices and cloud apps means companies must approach governance differently. Druva allows you to centralize your data-source policy management and enforcement to bring in de-centralized data in a way that’s compliant with GDPR.
  • Continuous data monitoring: GDPR requires data processors to monitor the security of their information no matter where it lives. With Druva, you’re able to automate proactive monitoring for compliance violations, regardless of whether that data is on a traditional endpoint or in a cloud application.
  • Secure transfer: With GDPR, security follows the data of all EU citizens, no matter where that data resides. Druva uses industry-leading, standards-based TLS 1.2 and AES 256 encryption with unique customer keys, paired with simplified and integrated key management. Druva can also prevent data from leaving the EU, in the event that you’ve not yet established acceptable transfer mechanisms.
  • Right to Be Forgotten/Right to Erasure: One of the major provisions of GDPR, and one of the biggest challenges facing organizations, is how to erase information at the request of EU residents in order to prevent any subsequent processing. While there are some caveats to this provision of GDPR, any lawful request for erasure must be handled in a timely manner. Druva provides defensible deletion capabilities that enable you to comply with erasure requests—including a complete audit trail to prove the information was deleted.

Druva blog content originally published on the GDPR Report
