General Data Protection Regulation (GDPR)
What is the GDPR in simple terms?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union to strengthen and unify data protection for individuals in the EU. It aims to give people control over, and transparency into, their personal data: how it is used, by whom and for what purpose. Under the GDPR, personal data must be processed lawfully, fairly and in a transparent manner. Because it is a regulation rather than a directive, it is directly binding in every member state without needing national implementing legislation; if you are not compliant with it, you are breaking the law. It replaces the 1995 Data Protection Directive (95/46/EC) and the national Data Protection Acts that implemented it, updating them for today's technologies in a world where data has become one of the most valuable assets an organisation holds. The GDPR entered into force in May 2016 and applies from 25 May 2018, after which businesses that do not comply may face fines of up to €20m or 4% of worldwide annual turnover for the preceding financial year, whichever is higher.
Which businesses does the GDPR apply to?
The GDPR applies to any business (as data controller or data processor) established in the EU, wherever the processing itself takes place, and to any business anywhere in the world that offers goods or services to, or monitors the behaviour of, individuals in the EU (Article 3). The protection attaches to data subjects who are in the EU, not to EU citizenship. (Note: member states may apply some specific exceptions at a national level.) Personal data means any information relating to an identified or identifiable natural person, whether the identification is direct or indirect. It includes names, addresses, location data, online identifiers such as IP addresses and cookie IDs, and the special categories listed in Article 9: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation.
Accountability and Transparency
Under the accountability and transparency principles, a business must be able to demonstrate, with evidence rather than assertion, that compliant processes are in place and that its technical systems implement data protection by design and by default (Article 25).
Are you a Data Controller/Data Processor or both?
The GDPR applies to both ‘data controllers’ and ‘data processors’. A data controller determines the purposes and means of processing personal data; a data processor processes personal data on behalf of a controller and only on its documented instructions. Processors must keep records of the processing activities they carry out for each controller (Article 30(2)) and can be held directly liable where they breach obligations addressed to them or act outside the controller's instructions. It is the controller's responsibility to put a written contract in place with each processor containing the terms Article 28 requires. Both can expect to be audited by their Data Protection Commissioner or other Supervisory Authority, and processors have the added pressure of being audited by their controllers, which the Article 28 contract must allow for.
Sharing and Transfer of Personal Data
Under the GDPR, businesses must implement appropriate technical and organisational measures to secure personal data (Article 32). For transfers and sharing this means using authenticated, encrypted channels and applying safeguards such as encryption of the payload and data minimisation as appropriate. Transfers to recipients outside the EEA additionally need a lawful transfer mechanism under Chapter V and must be listed in the Article 30 records of processing. Businesses need an accurate, current view of their internal and external transfers; the most practical way to achieve this is a centralised data transfer management system, so that maps of transfers are generated from the live configuration rather than maintained by hand and left to drift.
The most common type of data breach in the UK ICO’s statistics for Q4 2017 was personal data emailed to the wrong recipient. File sharing solutions built with safeguards against this kind of mistake, and able to evidence compliance, are therefore key. It is no surprise that our recent nationwide survey of 175 SMEs found that three in five IT managers had been tasked with reviewing their file sharing and data transfer solutions as part of their overall GDPR compliance project.
GDPR compliance isn’t a one-off exercise; it is an ongoing requirement that applies from 25 May 2018. Putting the right technical solutions in place helps ensure compliant processes are followed throughout the organisation, makes passing data protection audits easier and helps to build customer trust, the cornerstone of any good business. Start today with what you already know to be high risk and fix the easy things first!
6 Essential GDPR Requirements when Transferring Data
Data Protection by Design
Wizuda’s Compliant File Share (CFS) and Compliant Data Transfer (CDT) solutions are built with privacy and compliance by design and by default. Both products include granular permission and security control settings, full audit trails, a host of features built around compliance, and evidence-based reporting that makes passing data protection audits easier.
Data Protection Impact Assessments
Under the GDPR, a Data Protection Impact Assessment (DPIA) is mandatory wherever processing is likely to result in a high risk to individuals’ rights and freedoms (Article 35), for example large-scale processing of special category data or systematic monitoring.
Wizuda CDT includes full impact assessment management with the ability to link to data transfers. This helps to ensure compliance requirements are implemented at the transfer job configuration stages.
Wizuda CFS offers simple customisable impact assessment tick boxes which the user is prompted to answer prior to sharing a file. Depending on the combination of answers and determined risk level, the message will either be sent for approval or directly on to the recipient.
Secure Transfer
Wizuda supports current secure transfer protocols, including HTTPS (TLS) and SFTP, together with encryption of stored files and tamper detection. The protocols protect data in transit; encryption at rest and integrity checks protect it once it has landed, so both legs of a file share or data transfer are covered. Note that a secure channel on its own does nothing against the most common breach, sending data to the wrong recipient; that requires recipient validation and approval controls on top of transport security.
Principles & Safeguards
Implement appropriate data protection principles, such as data minimisation, and safeguards, such as encryption.
The Wizuda Data Minimisation module comes as standard in both products, removing the need for separate data transformation tools. It enables users to minimise personal data by applying anonymisation, pseudonymisation and/or exclusion techniques before the data is shared or transferred. Be aware that under the GDPR pseudonymised data remains personal data for as long as the additional information needed to re-identify someone exists (Recital 26), so the pseudonymisation key must be stored separately from the data with its own access controls; only data that can no longer be attributed to an individual falls outside the Regulation.
Wizuda also supports current encryption standards for all file share and data transfer operations.
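As an added example (not Wizuda’s code), the block below shows how the three minimisation techniques named above combine on a single record: exclusion drops fields not needed for the stated purpose, generalisation coarsens quasi-identifiers such as postcode and date of birth, and pseudonymisation replaces direct identifiers with a keyed HMAC-SHA256 token. The record, field names and key are constructed for illustration; in production the key would come from a secret store or KMS and never travel with the data.

```python
"""Data minimisation helpers: keyed pseudonymisation, field exclusion and
generalisation, plus a check that no direct identifier survives.
Added example for illustration; not Wizuda code."""
import hmac
import hashlib
import re
from typing import Any, Callable, Dict, Set

# Constructed sample record describing a fictitious person.
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "C-1029",
    "name": "Anna Example",
    "email": "anna.example@example.org",
    "postcode": "SW1A 1AA",
    "date_of_birth": "1984-07-19",
    "order_total": 42.50,
}

# Assumed: in real use this key lives in a KMS/secret store, never beside the data.
PSEUDONYM_KEY = b"demo-key-replace-with-secret-from-kms"


def pseudonymise(value: str, key: bytes, domain: str) -> str:
    """Keyed HMAC-SHA256 token for a direct identifier.

    Deterministic for a given key, so records stay linkable across exports.
    Without the key the token can neither be reversed nor recomputed by
    brute force over predictable ids, which a plain SHA-256 would allow.
    The domain prefix keeps tokens for different fields from colliding."""
    mac = hmac.new(key, f"{domain}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code (district), e.g. 'SW1A 1AA' -> 'SW1A'."""
    return postcode.split()[0].upper()


def generalise_dob(dob: str) -> str:
    """Reduce a full ISO date of birth to the birth year."""
    return dob[:4]


def minimise(record: Dict[str, Any], key: bytes, keep: Set[str],
             pseudonymise_fields: Set[str],
             generalisers: Dict[str, Callable[[Any], Any]]) -> Dict[str, Any]:
    """Apply the minimisation policy field by field.

    Fields not mentioned in any of keep / pseudonymise_fields / generalisers
    are excluded, so a new column added upstream is dropped by default."""
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in pseudonymise_fields:
            out[field] = pseudonymise(str(value), key, field)
        elif field in generalisers:
            out[field] = generalisers[field](value)
        elif field in keep:
            out[field] = value
    return out


def minimise_for_analytics(record: Dict[str, Any],
                           key: bytes = PSEUDONYM_KEY) -> Dict[str, Any]:
    """Hypothetical policy for an analytics export: the purpose needs a
    stable customer token, coarse location and age, and the order value."""
    return minimise(
        record, key,
        keep={"order_total"},
        pseudonymise_fields={"customer_id"},
        generalisers={"postcode": generalise_postcode,
                      "date_of_birth": generalise_dob},
    )


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def contains_direct_identifiers(minimised: Dict[str, Any],
                                original: Dict[str, Any]) -> bool:
    """Pre-release check: True if any raw identifier from the original
    record, or anything email-shaped, is still present in the output."""
    blob = " ".join(str(v) for v in minimised.values())
    leaked = any(str(original[f]) in blob
                 for f in ("name", "email", "customer_id") if f in original)
    return leaked or bool(EMAIL_RE.search(blob))


if __name__ == "__main__":
    result = minimise_for_analytics(SAMPLE_RECORD)
    print(result)
    print("direct identifiers present:",
          contains_direct_identifiers(result, SAMPLE_RECORD))
```

The policy is deny-by-default: a field has to be named as kept, pseudonymised or generalised to reach the output, which is the behaviour you want when an upstream schema grows. Changing the key changes every token, so key rotation breaks linkability with older exports; treat that as a feature when a dataset must be cut loose, and as a cost to plan for otherwise.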
Data Retention Policies
Apply automatic data retention schedules so that personal data is deleted once it is no longer needed for the purpose it was collected for (the storage limitation principle, Article 5(1)(e)). This reduces storage costs and ensures your organisation keeps data in accordance with its data protection policy rather than indefinitely by default.
Accountability
The accountability principle in Article 5(2) of the GDPR requires businesses to be able to demonstrate compliance with the other data protection principles. Wizuda’s Evidence Based Reporting provides instant visibility over all file sharing and data transfer operations, making it easier to pass data protection audits.
Start your free CFS trial today
The best way to demonstrate the software’s functionality and capabilities is to experience it yourself. Sign up for our free 14-day trial today – no credit card required.