The GDPR’s requirements are well established.
Its repercussions are severe. So where do you start?
Are you prepared?
The General Data Protection Regulation (GDPR) was designed to harmonize data privacy law across Europe. It emphasizes transparency, security and accountability on the part of businesses, and aims to standardize and strengthen the data privacy rights of individuals in the EU. It replaces the framework of the 1995 EU Data Protection Directive (Directive 95/46/EC).
The GDPR is a holistic approach to data protection that requires businesses to adopt processes and procedures covering the collection, storage and lifecycle management of the personal data of their customers, contacts and employees. And it is having a global impact, reshaping the way organizations across the world approach data privacy.
The GDPR is a global concern. It applies to every organization that processes or holds the personal data of individuals in the European Union, regardless of where the organization is located.
GDPR’s Key Changes
Many of the main concepts and principles of the GDPR are much the same as those found in the Irish Data Protection Acts 1988 and 2003.
That being said, GDPR introduces new elements and significant enhancements, which will require detailed consideration by all organizations involved in processing personal data. Some elements of GDPR will be more relevant to certain organizations than others, and it is important (and useful) to identify and map out those areas that will have the greatest impact on your business model.
Some key changes include:
Key Changes to Policy
Privacy by Design
The GDPR requires data protection to be built in from the start of designing systems and processes, rather than added afterwards (Article 25). Businesses need to develop processes that document what personal data is retained and for what use, how it is collected, where it is located, and for how long it will be stored. Data controllers must hold and process only the data strictly necessary for the stated purpose (data minimisation), and must limit access to personal data to those who need it for that processing. Some businesses will also need to appoint a Data Protection Officer (DPO).
The GDPR does away with the criterion of number of employees and focuses instead on what organizations do with personal information. Any company, regardless of location, that processes the personal data of individuals in the EU is subject to the GDPR. A non-EU business that offers goods or services to, or monitors the behaviour of, individuals in the EU must appoint a representative in the EU (Article 27), with limited exceptions for occasional, low-risk processing.
Fines for non-compliance with the GDPR are significant and are tiered (Article 83). Failures in the organisation's own obligations, such as record-keeping, privacy by design, breach notification or the processor requirements of Article 28, carry fines of up to €10 million or 2% of annual global turnover, whichever is greater. Breaches of the core principles, of data subject rights or of international transfer rules carry fines of up to €20 million or 4% of annual global turnover, whichever is greater.
When an individual provides consent for the use of their data, the request for consent must be easy to understand, and it must be just as easy to withdraw consent as it was to give it. Why the data is being collected, and for what purpose(s), must be conveyed in a concise form and in plain language, not legalese.
Key Changes to Data Subject Rights
Right to Access
Individuals can obtain confirmation of whether their personal data is being processed, what data is held, where it came from, who it is shared with, and why it is being held. On request, a controller must provide a copy of this data to the individual, electronically where the request was made electronically, and free of charge for the first copy (a reasonable fee may be charged for further copies).
Right to be Forgotten
Individuals are entitled to have their data erased and its further dissemination stopped, and potentially to have third parties halt processing of that data. Where the data is no longer necessary for the purpose for which it was originally collected, they may also have it erased on that basis.
Right to Data Portability
The right to data portability allows individuals to obtain and reuse their data for their own purposes across different services. It allows them to move, copy or transfer personal data from one IT environment to another safely and securely, in a structured, commonly used and machine-readable format.
Right to Notification
In the event of a personal data breach, businesses are required to notify their Data Protection Authority (DPA) within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay (Article 34).
FileFacets for Data Subject Rights
FileFacets provides the platform and methodology to help businesses comply with the GDPR. With years of experience in information governance, we provide the tools for acquiring data from multiple sources and identifying Personally Identifiable Information (PII).
The FileFacets platform allows you to scan multiple sources and repositories to locate and identify any Personally Identifiable Information (PII) or sensitive data that your organization may possess. Note that the GDPR's definition of personal data is broader than the PII patterns a scanner matches directly (it includes any information relating to an identifiable person), so search terms should be defined with that scope in mind. The Analytics tool can be run on a schedule so that any newly created content containing PII is flagged, moved, deleted or secured in a safe environment.
FileFacets can be used in a number of ways to address data protection and information management requirements, from planning through to execution of a business's GDPR strategy.
Data Discovery & Data Protection
FileFacets can be used for data discovery and content analytics in support of a business's Data Protection Impact Assessment (DPIA) to:
- Identify documents that contain personal data in each repository.
- Identify document types and categories that are likely to contain sensitive or personal data.
- Define automated data processing rules to mitigate risk.
- Provide ongoing reporting on personal data across the enterprise, identifying which files contain personal data and where they reside.
FileFacets can be used for risk mitigation by establishing processes and procedures for the handling of files that contain personal data by:
- Applying file classifications and attributions to sensitive files.
- Automating business processes for sensitive data handling.
- Migrating or auto-archiving sensitive documents to a secure location.
For reporting requirements for internal governance, or for the external Data Protection Authority (DPA), FileFacets can:
- Identify all files across multiple repositories, email and desktops in an organisation.
- Identify all documents and records containing personal data that may have been affected in the event of a data breach.
- Produce a comprehensive list of records that contain personal data, by repository, by subject, etc.
- Export or copy files that were affected by a breach.
Data Subject Rights
For the regulation's transparency requirements, FileFacets can locate, produce and action files containing personal data to meet the requirements of the:
- Right to Access: where an individual requests to view and retain a copy of all of their personal data being held by an organization
- Right to Data Portability: where an individual requests to retain a copy to move their personal data records to another business or service provider
- Right to be Forgotten: where an individual requests to have their personal data removed from a business’ data stores
- Right to Notification: reporting on compromised data in the case of a breach of an individual’s personal data
For ongoing maintenance of repositories, FileFacets can assist in implementing best practices in information management (IM) and information governance (IG), including:
- Rationalizing and organizing content, and enabling Enterprise Content Management (ECM) best practices.
- Classification, attribution and organization of content across multiple repositories.
- ROT processing (purging of Redundant, Obsolete and Trivial data), content classification, taxonomy implementation, metadata attribution, and multi-repository migration.
FileFacets’ process for GDPR readiness is a series of data analytics, advanced searches and business processes that ensure users:
- Understand what data they have.
- Identify personal data in their data stores.
- Put business processes in place to best protect sensitive data, and
- Have the ability to retrieve records that contain personal data should a request be made.
The platform delivers a single enterprise-wide view of all content across multiple repositories, and eliminates files that are Redundant, Obsolete and Trivial (ROT) from data stores.
Define Search Text
Define custom search terms and patterns used to locate personal data.
Find & Flag
Perform searches on all data stores to locate and flag files that contain personal data.
Define actions or business processes for each type of personal data.
Set up scheduled scans to search for new content and content changes.
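The four steps above (define search text, find and flag, define an action per type of personal data, rescan for new and changed content), together with the data subject request retrieval described under Data Subject Rights, are illustrated by the following added example. It is not FileFacets code and says nothing about how the FileFacets platform is implemented; the repositories, file contents, detector patterns, category names and action names are all constructed for illustration. The one non-obvious detail a practitioner will want is shown: an IBAN-shaped string is only flagged if it passes the ISO 13616 mod-97 check, so a scanner does not drown its report in false positives, and unchanged files are recognised by content hash so a scheduled rescan only re-examines new or modified content.

```python
"""Added example (not FileFacets code): a minimal personal-data discovery
scanner following the define-terms / find-and-flag / act / rescan procedure.
All repositories, file contents, patterns and action names are constructed."""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# 1. Define search text: one detector per personal-data category (constructed).
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check, so IBAN-shaped noise is not flagged."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(digits) % 97 == 1


DETECTORS = {
    "email": lambda text: EMAIL_RE.findall(text),
    "iban": lambda text: [m for m in IBAN_RE.findall(text) if iban_valid(m)],
}

# 3. Action per category (constructed names); the most sensitive category wins.
ACTION_BY_CATEGORY = {"iban": "quarantine", "email": "classify"}
CATEGORY_PRIORITY = ["iban", "email"]


@dataclass
class Finding:
    repo: str
    path: str
    digest: str        # sha256 of the content at scan time
    categories: dict   # category -> sorted list of matched values (empty if none)


def scan_text(text: str) -> dict:
    hits = {name: sorted(set(fn(text))) for name, fn in DETECTORS.items()}
    return {name: values for name, values in hits.items() if values}


def scan(repos: dict, previous: Optional[dict] = None):
    """2. Find & flag every file in every repository.

    `previous` is the index from the last scheduled run; a file whose content
    hash is unchanged reuses its earlier Finding, so only new or changed
    content is rescanned (step 4). Returns (index, keys that were rescanned)."""
    previous = previous or {}
    index, rescanned = {}, []
    for repo, files in repos.items():
        for path, content in files.items():
            key = (repo, path)
            digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
            prior = previous.get(key)
            if prior is not None and prior.digest == digest:
                index[key] = prior
                continue
            index[key] = Finding(repo, path, digest, scan_text(content))
            rescanned.append(key)
    return index, rescanned


def recommended_action(finding: Finding) -> Optional[str]:
    """Map a flagged file to an action by its most sensitive category."""
    for category in CATEGORY_PRIORITY:
        if category in finding.categories:
            return ACTION_BY_CATEGORY[category]
    return None


def report_by_repo(index: dict) -> dict:
    """Files containing personal data, counted per repository and category."""
    report = {}
    for (repo, _), finding in index.items():
        for category in finding.categories:
            report.setdefault(repo, {}).setdefault(category, 0)
            report[repo][category] += 1
    return report


def records_for_subject(index: dict, identifiers: set) -> list:
    """Files holding a given data subject's identifiers (access or erasure requests)."""
    wanted = {i.lower() for i in identifiers}
    keys = [key for key, f in index.items()
            if any(v.lower() in wanted for vals in f.categories.values() for v in vals)]
    return sorted(keys)


# Constructed sample repositories (not real data; the IBAN is a published test value).
REPOS = {
    "fileshare": {
        "hr/onboarding.txt": "New hire alice@example.com, pay to GB82WEST12345698765432",
        "eng/readme.md": "Build with make; see docs/.",
        "sales/leads.csv": "name,email\nBob,bob@example.org\nCarol,carol@example.org\n",
    },
    "mailbox": {
        "inbox/42.eml": "From: alice@example.com\nOld account GB00FAKE00000000000000 is closed.",
    },
}

if __name__ == "__main__":
    index, _ = scan(REPOS)
    for key, finding in sorted(index.items()):
        if finding.categories:
            print(key, finding.categories, "->", recommended_action(finding))
    print(report_by_repo(index))
    print(records_for_subject(index, {"alice@example.com"}))
```

Running it on the constructed repositories flags three of the four files; the mailbox message is flagged for the e-mail address only, because its account number fails the mod-97 check. `records_for_subject` is the piece that answers a Right to Access or Right to be Forgotten request: given the identifiers that belong to one person, it returns every flagged file, by repository and path, that holds them. A second `scan` call that is handed the first run's index re-examines only files whose content hash changed, which is what a scheduled rescan for new content and content changes amounts to.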
Find out exactly how we apply our methodology to GDPR, as well as how we solve for GDPR Data Subject Rights.
Download our FileFacets for GDPR Solution Overview whitepaper.