Sometimes it feels like technology evolves at the speed of light. With that rapid change comes a predictable cycle of security pitfalls and the need for increased consumer protections. This is especially true when it comes to data protection, which is squarely addressed by the EU’s new GDPR privacy standards. This is the first in a series of blogs on GDPR and the impact it will have on customers today.
General Data Protection Regulation (GDPR) – in effect as of today – is a new European Union (EU) regulation designed to strengthen data protection. While GDPR is an EU privacy law created specifically for EU residents, it in fact applies worldwide. Any company controlling or processing Personally Identifiable Information (PII) of EU residents must comply with GDPR, regardless of where that company is located.
Think Facebook, which connects people from all over the world – as long as collection of personal data of EU residents is involved, so is GDPR.
As a privacy law, GDPR imposes a broad set of legal, governance, and technical requirements on companies processing personal data. A subset of these requirements – those related to data protection and data management – are particularly relevant for storage platforms, which store personal data. This is because visibility into data is critical to any organization, yet compromising decisions are often made when it comes time to move data to more cost-effective locations, such as cloud platforms. Guidelines in this area have been vague, and therefore behavior has been inconsistent.
In the U.S., compliance with the FIPS (Federal Information Processing Standard) cryptographic standard has been a critical step toward providing security assurances to customers. But GDPR compliance will help provide additional privacy guardrails relating to personal data because the law ensures data protection safeguards are built into products and applications.
GDPR has taken a bad rap during the years leading up to its official enactment, as vendors scrambled to become GDPR-compliant and weighed the consequences of an infraction under the forthcoming law. For example, companies will be required to notify their national supervisory authority within 72 hours of data breaches that put individuals at risk.
As such, GDPR represents a major increase in investigative and enforcement powers, with non-compliance fines as high as 4% of global annual turnover!
But now that the day has come, there are many positives to being GDPR-compliant. Given today’s climate of concerns over data breaches and over- (or even illegal-) sharing of personal information (again, think Facebook), customers will gravitate to companies that boast more data protection. GDPR benefits any customer that prizes protection of personal data (aka everyone).
Moreover, there is a level playing field since everyone (vendors and customers alike) has to follow the same rules. With GDPR, a single European law for data protection will replace a variety of national laws that were scattered across the EU. That inconsistent privacy framework was ineffectual at best, and cost businesses more.
An important step toward GDPR compliance for organizations is having a GDPR-compliant data protection solution. Data protection is foundational to GDPR, and a solution should give customers the ability to manage who has access to data and to enforce role-based access control.
In addition, a GDPR solution needs to provide search to locate EU citizen data, along with the ability to delete it, since one of the major new requirements is the ‘right to be forgotten’. To learn more about how Cohesity can provide assistance in these areas, take a look at our new security and compliance page.
In the meantime, we have some tips on how to be confident your organization is GDPR-compliant:
Know your data
Record what personal data you hold, where it came from, and who has access to it. Ensure the data came with consent. Organize or plan for an information audit.
Know your privacy statements
Bring your management and top leadership up to speed on GDPR mandates, review your current privacy policies and notices, and document your plan.
Adjust to the new timescales
Know the time periods for either servicing or denying a subject-access request. Know how to handle breaches and how soon to inform the authorities once you become aware of one.
Re-think data protection
Data needs to be protected from breach, damage, or loss by design and by default. Some companies in certain industries may need to appoint a Data Protection Officer. Find out if you do, too.
Most important: Document as many changes and plans as you can. Demonstrating the intention to comply, and having a roadmap of process changes and technical measures, is what counts the most right now!
It is okay not to have every measure executed yet – just show the willingness to carry out the measures you have planned.
As GDPR is a journey, not a destination, we’ll be sure to keep you updated, so stay tuned for future posts on GDPR!