GDPR, Data Security and you.

Not surprisingly, data security is more important today than it ever was. With the increasing volume of personal data being stored and used online, and our daily lives being shaped by cloud-based services and solutions, it is critical that this data remains secure and under our control.

To cope with users' and customers' demand for private and enterprise cloud services, and with enterprises' need to remain competitive in an always-on digital world, cyber security has become the core defence and protection mechanism for users' and clients' data in the cloud era.

But can you answer the following questions about the current personal data stored by your organisation?

• Do you know where all your users' and clients' personal data is stored in your network?
• Who has access to it (and who should have access to it)?
• Has your environment been breached?
• Can you enforce separation of duties?

If the answer to all or some of these questions is "No" or "Not sure", then read on.


As you may or may not be aware, in April/May 2016 the EU began implementing the new General Data Protection Regulation (GDPR). It entered into force and began a two-year transition phase in all EU member states, and from May 25, 2018 all EU organisations will have to comply with it.

Even with the result of the 23 June 2016 referendum on membership of the EU, the UK Government still needs to consider the impact of the GDPR and ensure that companies based in the UK which deal with personal data from EU countries comply.

So what are the regulations that make up the GDPR? Well, they come under eight specific sections:

Consent:

The data subject’s consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes.

• Where consent is relied upon for the processing of special categories of personal data, explicit consent is required.
• Parental consent is required for the processing of personal data of children under the age of 16, unless member state law provides for a lower age not under 13.

The Right to Object and Profiling:

Data subjects have the right to object to processing unless the controller demonstrates compelling legitimate grounds for processing.

• Where personal data is processed for direct marketing purposes, data subjects have the right to object at any time to the processing.
• Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, unless the data subject has given explicit consent, or where the processing is authorised by contract or in law.

Further Processing Not Based on Consent:

• Further processing not based on consent is allowed to safeguard objectives such as national security; general public interests; the protection of individuals’ rights and freedoms; or the prevention, investigation, detection, or prosecution of criminal offences.
• Any further processing not based on consent should consider: the nature of the personal data; the possible consequences of the further processing; and the existence of appropriate safeguards.

Right to Erasure ("Right to be Forgotten"):

Data subjects have the right to request the controller to erase his or her personal data without undue delay where: the data is no longer necessary for the purposes collected; the data subject withdraws consent; or the data subject objects to data processing.

• Where the controller has made the data public, the controller shall take reasonable steps to inform the controllers processing that data of the erasure request.

One-Stop-Shop:

• Data controllers are regulated by a lead authority located in the territory of their main establishment, although local authorities may deal with local cases.
• If a concerned supervisory authority objects to a lead authority’s draft decision, the case shall be referred to the consistency mechanism for a binding decision by the European Data Protection Board (EDPB).
• Any EDPB binding decision can be appealed to the Court of Justice of the European Union.

Data Protection Officers:

• Controllers and processors shall designate a data protection officer (DPO) where their core activities consist of the regular and systematic monitoring of personal data or the processing of special categories of personal data on a large scale.
• The DPO shall act independently of the controller or processor, reporting directly to the highest management level.

Data Breach Notification:

• Controllers shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours, unless the breach is likely to result in a risk to the rights and freedoms of individuals.
• When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller shall communicate the personal data breach to the data subject without undue delay.

Administrative Fines:

• Infringements regarding obligations of the controller and the processor may be subject to administrative fines of up to €10 million, or 2% of worldwide annual turnover, whichever is higher.
• Infringements regarding the basic principles of processing, data subject rights, transfers of personal data, or non-compliance with an order by the supervisory authority may be subject to administrative fines of up to €20 million, or 4% of worldwide annual turnover, whichever is higher.

With this in mind, where do you begin? Well, first, gaining visibility of where sensitive data is stored and processed within your organisation, who is using it, and how, is key. Whether it is structured or unstructured data, there are excellent tools and processes that can help you on the path to defining your organisation's Data Governance Strategy and meeting GDPR compliance.

For more information please feel free to contact info@elastability.net
