What is the GDPR?
GDPR – General Data Protection Regulation – is the new EU regulation intending to combine and strengthen data protection within the EU. This regulation was made on the 27th of April 2016 and is due to come into effect 25th of May 2018, giving time to adapt to the changes. GDPR replaces the Data Protection Directive which has become outdated as a result of the rapid advancement of technology since 1995, when the directive was first made.
The GDPR will cover all countries that process or hold the personal data of EU citizens, whether that country is a part of the EU or not. This means that Britain will still have to abide by the laws of the GDPR despite the result of the EU referendum at the end of June.
Most important changes
Some of the more important changes to legislation because of the GDPR are:
How to deal with the GDPR
The GDPR will come into force on 25th May 2018, so companies currently have just under eighteen months to ensure that they are GDPR compliant. However, any contracts or services sold between now and then which have an end date after 25th May 2018 will also fall under the new regulations. The first step is to conduct an accurate assessment of the current systems in place and to implement any changes that need to be made quickly. It is important to ensure that all personal data held by a company has a known source, as well as a way of determining the age of the personal data along with evidence of some form of consent, allowing for the lawful collection or transfer of personal data. It is also necessary to ensure that all security measures protecting the data are strong enough to meet the requirements for the GDPR as incidents of data loss through security breaches will be taken very seriously.
One of the easiest ways to prepare for the GDPR is to ensure that you are sourcing your data and telemarketing needs from a reputable, reliable, and transparent company as this will meet many of the GDPR requirements. The company themselves would have to be GDPR compliant, making sure that consent was already gained and that much of the required data protection is already built into their services. Sourcing your data from a company with these features will save you a lot of time, allowing you to focus more on other parts of the GDPR that may be more challenging to implement.
The employment of a data protection officer as soon as possible would also aid preparation greatly as not only would it fill a requirement of the GDPR, the officer could make an early assessment of processes and systems to test for compliance.
Being able to identify PII (personally identifiable information) within a company’s multiple data stores is also essential. This extends to all manner of data, including unstructured locations such as file shares, email and SharePoint, or cloud-based shared file systems such as Dropbox or Office365. This is essential, not just for the initial assessment to determine any changes needed to become compliant, but is also required on an on-going basis, making sure that users don’t create new documents containing PII that are then stored in the wrong place.
GDPR also extends the Freedom of Information, making it a legal requirement that companies show any customer the records that they hold pertinent to them. The £10 access fee will go, and the information must be presented to the customer in a timely manner, but certainly in no more than one month. If all PII data is in structured, highly controlled locations then this is relatively simple – but past experience tells us that this is rarely the case. Being able to find all data relating to an individual across multiple unstructured data sources is an essential requirement.
As technology changes, so must the legislation; so while the GDPR may make some processes more difficult for a large number of businesses, it is a necessary step that must be taken to protect the ever growing amount of personal information from people who could use that data for harmful purposes. It will become even more important to make sure that you know where your data comes from as well as exactly where and how it is being stored and processed.
Reciprocal Group Services for GDPR
Reciprocal Secure Data Analytics (RSDA) provides an innovative and comprehensive service that will help your organisation to be compliant. It does this through three key phases;
The DISCOVER phase is where you search for your organisation’s sensitive information. You need to index files stored in any format from sources like cloud, file shares and mail servers. You need to locate passwords, customer information, credit cards, salary details and company confidential records. The process starts by ingesting data from all your unstructured data sources, be that Dropbox, CIFS file shares, Exchange server, Office 365 or SharePoint. Within half an hour of the ingest starting, it is possible to start querying some data.
The UNDERSTAND phase is where you drill down into the detail of all the indexed documents, assessing the what, where, who and why of your organisation’s information. Identify content, intent, sentiment and spot sensitive information across millions of documents. Profile your sensitive, legislative, regulatory and potentially out-of-date information. Tag specific documents for subsequent action.
Finally, you need to ACT on this information. Monitor or push actions to data owners and business systems such as Classify, Modify, Move & Delete. Govern your information estate and enable automated policy enforcement through the use of on-going workflows, making sure that when new data is created which contains PII data that it is stored where it should be, and won’t leave your organisation exposed.
The search capability not only helps you assess your compliance with GDPR, but also gives you an easy way to meet the requirement to show all data that you hold about an individual when requested. And if that individual wishes their data to be removed (their ‘right to anonymity’) then RSDA can detail every specific location in your unstructured data stores where that data is.
Not only does RSDA provide the technology to crawl, index and search your data, but also gives you options for what to do when information is found that is in the wrong place.
For instance, our advanced NAS migrations can be used to move data on a file-by-file level from an older data stored to a new, encrypted and protected storage system. Equally, once data has been moved, it is also necessary to ensure that it doesn’t fall into the wrong hands. Our secure data erasure services are extended for RSDA, allowing not just entire servers, disks or LUNs to be erased, but can securely erase specific data on Windows File Servers right down to the individual file level.
RSDA provides the most complete set of tools, enabling you to become GDPR compliant, and stay compliant.