General Data Protection Regulations (GDPR)

The General Data Protection Regulation (GDPR) applies from 25 May 2018. It affects all organisations across the globe that have customers or commercial activities in the European Union (EU). The main focus of GDPR is the storage and management of personal data (referred to on this page as Personally Identifiable Information, PII), with definitions that are broader and more stringent than those of any previous regulation: under GDPR, personal data is any information relating to an identified or identifiable natural person, which reaches well beyond the names, addresses and account numbers traditionally classed as PII. Compliance with GDPR is likely to be difficult, and the penalties for non-compliance are significant.

Businesses, educational institutions and government agencies are required to manage PII carefully wherever it is found in the organisation, and a one-off audit will not ensure compliance. Reciprocal’s Ikon Compliance Analytics Portal (RICAP) gives Data Protection Officers (DPOs), Chief Information Security Officers (CISOs), corporate legal counsel and others the ability to detect, analyse and report on the compliance of data systems that contain regulated data.

RICAP Overview
RICAP is built for Data Protection Officers (DPOs), Chief Information Security Officers (CISOs), corporate legal counsel and the organisational teams whose job it is to ensure compliance with the applicable rules and regulations. RICAP provides a rich set of capabilities that let an organisation stay on top of the GDPR compliance process and its requirements, covering:

Data Discovery

  • Focus on Known Data
  • Assessment to Detect Unknown Data
  • Backup/DR and Mobile data systems

Scheduled Ingest

  • Structured Ingest Tools
  • Unstructured Search/Scan tools
  • Media Files (using metadata)

Compliance

  • GDPR Compliance Status
  • Request Compliance
  • Dashboard
  • Regulatory Reporting

Business Focused User Experience
RICAP is built on current frameworks for desktop and mobile responsiveness and ease of use. The forms, reports, wizards and dashboard are designed with simplicity in mind while providing robust analytical insight into the underlying data, helping you to track your journey to becoming fully GDPR-compliant.

Comprehensive Portal for Compliance Analytics
Traditional compliance management applications generally focus on documents and articles and lack the continuous measurement and tracking features offered by RICAP. The metadata collected on PII data items that relate to Data Subjects provides the basis for dashboards and reports showing the current compliance status, at whatever measurement frequency the organisation requires in order to stay current. RICAP ships with many useful dashboards and reports out of the box, and custom or additional dashboards and reports can be published with minimal effort.

RICAP Value
RICAP is designed to scale with the organisation's size and complexity. The implementation methodology is designed to get the system installed and running with as little effort as possible, so that it can start providing insight into data and compliance management quickly.

The General Data Protection Regulation (GDPR)
(Regulation (EU) 2016/679) is a Regulation by which the European Union intends to strengthen and unify data protection for individuals within the EU. It also governs the export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the rules across the EU. As a Regulation (rather than a Directive) it applies directly in every member state without needing national implementing legislation.

The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the UK Data Protection Act 1998 (DPA).


The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

What information is an individual entitled to under the GDPR?
Under the GDPR, individuals will have the right to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data; and
  • Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (purposes of processing, categories of data, recipients, retention period, source of the data and the existence of any automated decision-making).

Timeline

  • 21 October 2013: European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.
  • 15 December 2015: Negotiations between European Parliament, Council and Commission (Trilogue) have resulted in a joint proposal.
  • 17 December 2015: European Parliament’s LIBE committee voted positively on the outcome of the negotiations between the three parties.
  • 8 April 2016: Adoption by the Council of the European Union.
  • 14 April 2016: Adoption by the European Parliament.
  • 4 May 2016: Publication in the Official Journal of the European Union. The regulation entered into force 20 days after publication, on 24 May 2016.
  • 25 May 2018: The regulation applies directly in all member states, two years after entry into force.

The biggest challenge may be the implementation of the GDPR in practice:

  • Implementing the GDPR will require comprehensive changes to business practices for companies that had not reached a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).
  • There is already a shortage of privacy experts and expertise, and the new requirements may worsen the situation. Education in data protection and privacy will therefore be a critical factor in the success of the GDPR.
  • The European Commission and the national supervisory authorities (DPAs) must have sufficient resources and powers to enforce implementation, and a uniform level of data protection has to be agreed upon by all European DPAs, since differing interpretations of the regulation could still lead to differing levels of privacy.
  • Europe’s international trade policy is not yet in line with the GDPR.
  • The new regulation conflicts with some non-European laws, regulations and practices (e.g. government surveillance). Companies in such countries should no longer be considered acceptable for processing EU personal data without an adequate transfer mechanism. See EU-US Privacy Shield.

Sanctions
The following sanctions can be imposed, escalating with the severity of the infringement:

  • A written warning in cases of a first and non-intentional non-compliance.
  • Regular periodic data protection audits.
  • A fine of up to 10,000,000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(4): for example, failures of controller or processor obligations such as security of processing, breach notification and record keeping).
  • A fine of up to 20,000,000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83(5): for example, infringements of the basic principles of processing, of data subjects' rights, or of the rules on international transfers).

IT Impact

  • Review all IT information systems (I/S) and undertake a compliance assessment.
  • Trigger for integrating compute, database and storage so that personal data can be located and tracked end to end.
  • All archive data needs to be indexed, so that access, rectification and erasure requests can be honoured for archived records too.
  • A secure object store (such as Centera) with data tracking.
  • Significant data tracking requirements: where each item of personal data lives, why it is held, and when it must be deleted.
  • Close control of data storage locations, including data centres (DCs) in the EU.