GDPR: The General Data Protection Regulation (GDPR) significantly changes how both EU-based companies and companies doing business in the EU handle personal data. If you are preparing for GDPR compliance, or for any other data-privacy regime, there are a few data governance capabilities you should know about so that your organization can still perform effective data analytics, including analysis of historical data. Here are a few best practices and key privacy options that any organization should follow:
Even if there were no GDPR or other data-privacy laws, it’s simply good data-management practice to anonymize records once they’re no longer being actively managed. This preserves only the necessary, anonymous historical information for future reporting and analysis.
Data retention periods
Organizations should establish a defined retention period for the personally identifiable data contained in their records, and anonymize or delete that data once the period has expired.
Another option for clients is the deletion of records. If a client wants to delete any record containing personally identifiable information, they can choose to permanently delete the record, in which case it is removed completely from RStor’s facilities.
In some situations, your enterprise may hold the personally identifiable data of someone who objects to your company possessing that data. In this case, clients can lock the affected records so that no processing of those records takes place. Locked data is hidden from all users (except the administrator) and does not appear in any reports generated.
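The three operations above (anonymize after the retention period, erase on request, lock on objection) are shown here as an added Python example over an in-memory record store. This is illustrative code written for this page, not RStor's implementation; the record fields, the two-year retention period and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional
import hashlib
import hmac

# Added example (not RStor's code). Fields that identify a person; none may survive retention.
PII_FIELDS = ("name", "email", "phone", "street_address")
RETENTION_DAYS = 730  # assumed retention period for personal data (two years)


@dataclass
class Record:
    record_id: str
    last_activity: date            # last time the record was actively managed
    country: str                   # coarse attribute kept for historical reporting
    purchases_eur: float           # non-identifying measure kept for historical reporting
    name: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None
    street_address: Optional[str] = None
    subject_token: Optional[str] = None  # keyed one-way token that replaces the identity
    anonymized: bool = False
    locked: bool = False


def expired(rec: Record, today: date, retention_days: int = RETENTION_DAYS) -> bool:
    """True once the record has been inactive for the whole retention period."""
    return (today - rec.last_activity).days >= retention_days


def anonymize_expired(store: Dict[str, Record], today: date, key: bytes) -> List[str]:
    """Strip PII from every record past retention and return the ids processed.

    A keyed HMAC of the e-mail address is kept so the historical rows of one subject
    can still be grouped for analytics. While the key exists this is pseudonymisation,
    not anonymisation: destroy the key after the batch (or drop the token entirely)
    if the data must be anonymous in the GDPR sense.
    """
    done: List[str] = []
    for rec in store.values():
        if rec.anonymized or not expired(rec, today):
            continue
        if rec.email:
            digest = hmac.new(key, rec.email.strip().lower().encode(), hashlib.sha256)
            rec.subject_token = digest.hexdigest()[:16]
        for field_name in PII_FIELDS:
            setattr(rec, field_name, None)
        rec.anonymized = True
        done.append(rec.record_id)
    return done


def delete_record(store: Dict[str, Record], record_id: str) -> bool:
    """Erasure request: remove the record entirely. Returns False if it did not exist."""
    return store.pop(record_id, None) is not None


def lock_record(store: Dict[str, Record], record_id: str) -> bool:
    """Objection to processing: mark the record so it is neither shown nor reported."""
    rec = store.get(record_id)
    if rec is None:
        return False
    rec.locked = True
    return True


def visible_records(store: Dict[str, Record], is_admin: bool = False) -> List[Record]:
    """Records a user may see: locked records are hidden from everyone but administrators."""
    return [r for r in store.values() if is_admin or not r.locked]


def report_rows(store: Dict[str, Record]) -> List[dict]:
    """Report output: locked records are excluded for every caller and PII is never emitted."""
    return [
        {"record_id": r.record_id, "country": r.country,
         "purchases_eur": r.purchases_eur, "subject_token": r.subject_token}
        for r in store.values() if not r.locked
    ]


def build_sample_store() -> Dict[str, Record]:
    """Constructed sample data for the demonstration; every value is made up."""
    records = [
        Record("r1", date(2016, 3, 1), "DE", 120.0, name="Anna Muster",
               email="anna@example.com", phone="+49 30 0000000", street_address="Musterstr. 1"),
        Record("r2", date(2018, 5, 20), "FR", 45.5, name="Jean Dupont", email="jean@example.com"),
        Record("r3", date(2017, 1, 10), "IT", 0.0, name="Maria Rossi", email="maria@example.com"),
    ]
    return {r.record_id: r for r in records}


if __name__ == "__main__":
    store = build_sample_store()
    today = date(2018, 6, 1)
    print("anonymized:", anonymize_expired(store, today, key=b"batch-key-destroy-after-use"))
    lock_record(store, "r3")
    print("report:", report_rows(store))
    print("visible to non-admin:", [r.record_id for r in visible_records(store)])
    delete_record(store, "r2")
    print("remaining:", sorted(store))
```

Two design points worth noting: reports strip PII at the output layer rather than trusting that every stored record has already been anonymized, and the lock check is applied in the same place, so a record that was locked after a report query was written still cannot leak into it.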
GDPR and General Data Privacy
GDPR is not unique to the EU but rather is part of a trend under which the privacy rights of individuals are gaining ever-greater levels of protection. India will soon be rolling out new privacy laws similar in nature and scope to GDPR. Adding to the sense of inevitability around those forthcoming regulations, India’s Supreme Court ruled in August 2017 that privacy is a fundamental right of its citizens.
A key feature of GDPR is its strong extraterritorial reach. Prior to GDPR, the EU Data Protection Directive did not regulate businesses outside the EU unless the collection or processing of personal data took place within the EU (for example, if a company had a data center in the EU).
With GDPR, however, extraterritorial reach has expanded dramatically. The GDPR applies not only to organizations established within the EU but also to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, data subjects in the EU. In practice, any company that processes or holds the personal data of data subjects in the European Union in connection with such an offering or monitoring is in scope, regardless of where the company is located.
Organizations should understand that they don’t need to have suffered a data breach to be subject to administrative action and fines. The supervisory authorities intend to audit organizations and administer fines based on inadequate technical and organizational measures. Technical measures include, for example, encryption and anonymization, and how they have actually been applied. Organizational measures include data protection governance, structure, training and awareness, and segregation of duties.
The big questions
Organizations subject to GDPR are grappling with these kinds of questions now that GDPR has gone into effect: What data do we have? Where does it reside? Do we have the right protections in place for that data? How will we manage it and document our management practices in light of GDPR’s requirements?
To become GDPR-compliant, organizations are establishing policies and procedures that ensure accountability and transparency in terms of how they manage and process the personal data in their possession. In practice, that means:
- Data mapping
- Establishing formal data retention policies and procedures
- Putting more robust information security and privacy programs in place
- Updating their privacy notices and policies
- Implementing the necessary technical, physical, and organizational controls
- Putting programs into place to respond to data subjects’ requests, including data rectification, data portability, data subject access, and data erasure
- Demonstrating compliance through documentation and extensive record keeping, down almost to the level of individual records.
Working with business partners and technology vendors
GDPR requires organizations to review, re-engineer where necessary, and document all of their business practices, including their relationships with technology vendors. Here, it’s important to ask the same questions of your technology vendors that you ask of yourself.
As a data controller, GDPR requires you to use only technology vendors (usually classified as processors) that provide sufficient guarantees of GDPR compliance, and to bind them with a written data processing agreement that sets out the subject matter, duration and purpose of the processing and the processor’s obligations. Organizations can be fined or subjected to administrative action for working with technology partners who are not GDPR-compliant, so the vendor review should be documented just like your own.
For additional information, see the GDPR FAQ at http://eugdpr.org/the-regulation/gdpr-faqs/