We are all increasingly concerned about how our personal data is used and what measures are in place to protect it from falling into the wrong hands. As seen extensively in the media the EU has new legislation coming into force on 25th May 2018 called the General Data Protection Regulation, commonly known as GDPR.
The fines that GDPR may impose are significant, as discussed to death in the media. However, many people we talk to are quietly unconcerned, arguing that the number of notifications will overwhelm the regulators. History has shown us what is likely to unfold, as seen with other regulations, the regulators will be looking for a few companies where they can impose a big fine, in order to set an example for the rest of the industry.
Whomever is first on the regulators target will suffer significant setbacks, not only in financial losses but also in reputational damage. At this point, everyone else will become reactive to the regulation, making rushed tactical decisions that will cost more and not be as efficient, than had you taken the time to plan properly.
This with GDPR having been widely talked about in the media, with the message that all businesses that handle PII (Personally identifiable information) data on EU residents must be compliant by May 2018, many businesses have not put processes in place to ensure they are.
Some do not seem to be doing anything, while others are not doing enough. Some of whom may be thinking that as the UK is leaving the EU this legislation will not apply to them. It will. Regardless of the timeline for Brexit if you handle personal data on EU citizens (whether UK residents while we still remain in the EU, and/or residents in other member states), GDPR does apply to you. Additionally, the UK government has announced that UK data protection laws will be overhauled, the new “bill will transfer the European Union’s General Data Protection Regulation (GDPR) into UK law”.
Other businesses and organisations may not appreciate the amount of work that needs to be done to be compliant. Some of the key jobs to be done include:
• Discover and classify the data you have in your systems
• Perform Privacy Impact Assessments on all systems containing PII
• Perform Risk assessments for the rights of the individual whose data you hold
• Implement controls to protect the data, such as Pseudo-Anonymization
• Consent and Purpose Management
• Implement processes to enable the many “rights” given to the individual whose data you hold
• Monitor for, detect and Notify on Data Breach
• Sensitive Data Tracking
And others may be simply burying their heads in the sand and hoping they won’t be noticed…
Fortunately, the software industry has responded to the challenge GDPR presents to many businesses with solutions that will help them navigate this new regulatory environment, and become compliant.
Here at Burning Tree we have been talking to numerous vendors about their solutions and how they can help our clients easily address the key elements of GDPR.
We’ve partnered with Privacera who specialise in ensuring that data can be used by companies to facilitate innovation, decision-making and growth; without compromising on an individual’s right to privacy.
The table below outlines the key systems element of GDPR that companies need to comply with, and how Privacera’s GDPR solution helps:
| GDPR Topic | Detail | How Privacera can help? |
|---|---|---|
| Breach Notification and Data Security | GDPR states “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. GDPR requires controllers to notify the supervisory authority in the member state no later than 72 hours of a breach. | Privacera analytical module can precisely discover any malicious use or data breach of personal data across different systems and help in proactively stopping or limiting security breaches. |
| Affirmative Consent | GDPR requires the data subjects to provide explicit consent for the processing of their personal data. Data subjects also have right to withdraw the consent. | Privacera can integrate with consent collection systems and provide analytics on whether consent and purpose is being honored across data processing. |
| Profiling Limitation | “Profiling” refers to use of personal data in identifying preference and providing personalization. GDPR puts additional restrictions on using personal data for such “profiling” services, though it is restricted only to the automated processing of personal data. Data subjects have a many rights with regards to profiling, such as the right to object or avoiding profiling-based decisions. | Privacera can detect and monitor any automated processing of personal data and verify if data is used appropriately as per compliance regulations. |
| Right to be forgotten/Data Portability | RTBF probably is one of the controversial aspects of GDPR. The regulation now introduces the right for individuals to request deletion of their personal data. Data Controllers would need to delete any personal data related to an individual, based on the request or if the data is no longer needed. | Privacera can identify individual customer records based on a common identifier and can help data controllers precisely identify where a customer record is stored or processed. |
Ensuring that your business is GDPR compliant by 25th May 2018 is relatively straightforward with the right support. Doing it alone is likely to be a false economy for most companies, consuming large amounts of time and effort to ensure compliance.
Solutions like Privacera’s are quick to implement and will give you peace of mind that your business is compliant, and reduce the risk of those hefty GDPR fines.
To discuss your specific requirements in more detail and what solutions or strategies are most appropriate for your business, please get in touch. Call +44 (0)1252 843014 or email richard.menear@burningtree.co.uk
