If you are conducting business with the European Union, you will be required to operate within the General Data Protection Regulation (GDPR) framework. GDPR is the result of many WW corporate data breaches that have exposed sensitive personal information. Similar to the Basel regulations released in the 2000s, GDPR is the result of the corporation’s inability to effectively retain, protect and audit key business and client data elements. In today’s competing requirements for data compliance, GDPR is another regulation which mandates your business to act to protect your customer’s data. Traditional data and content management controls have proven unable to meet the nefarious actions of a few. Today unstructured data and content analytics is a MUST to meet data privacy regulations now and in the future.
Do you currently know your unstructured data compliance RISK?
IDENTIFYING YOUR RISK FOR NON-COMPLIANCE
GDPR policy is intended to protect personal data, regardless of the technology used for processing and storing the data. The regulation is technology-neutral and applies to both automated and manual processing, provided the data is organized in accordance with pre-defined criteria. GDPR does not care how the data is stored, in an IT system, through video surveillance, or on paper. In all circumstances, personal data is subject to the protection requirements detailed in the regulation.
What is personal data – Personal data is any information that relates to an identified or identifiable living individual. Random pieces of personal information, which can be collected together and can lead to the identification of a particular person, also constitute personal data.
Data Dynamics’ Content Analytics Platform powers the capability to ingest an unstructured folder/directory and identify all documents that contain a personal data set or field. Once exposed the user has the ability to mark documents as non-complaint. Content Analytics presents details about the personal data fields that were found in a document, and the document can then be marked as clear. Content Analytics also provides the ability to move a document to a quarantine area for further processing.
PENALTY FOR NON_COMPLIANCE
There are two tiers of administrative fines that can be levied as penalties for non-compliance to GDPR regulation
- Up to 10 million Euros, or 2% annual global turnover – whichever is greater, or
- Up to 20 million Euros, or 4% annual global turnover – whichever is greater
These fines are discretionary rather than mandatory. The fines are imposed on a case-by-case basis.
COMPLIANCE WITH DATA AT REST STANDARD
There are no explicit GDPR encryption requirements, GDPR does, however, require you to enforce security measures and safeguards. GDPR repeatedly highlights encryption and pseudonymization as “appropriate technical and organizational measures” of data security. Companies can reduce the probability of a data breach and thus reduce the risk of fines in the future if they chose to use encryption of personal data. Content Analytics provides such an analysis for unstructured data. Companies can scan their unstructured data; CA will determine the risk level of the data in a given folder/directory. Encrypted files within a directory will be marked as “low risk”, while the password-protected files will be identified as “medium risk”, and the files with no data-at-rest protection will be flagged as “High Risk”. CA will present data graphically and in a tabular form, where customers can move the medium and high-risk files in a quarantine area.
SEARCH BY KEYWORDS CS provides a keyword search engine capable of searching through your unstructured data to look for personal data fields, name of an individual, etc. Here are the use cases addressed by this functionality.
- Use case – Customer can enter name or date-of-birth in this field, and the scan will return a list of documents containing that field. For example, if the customer wants to see how many documents contain the field date-of-birth and the documents are stored in clear, simple type date-of-birth in the search field and the tool will return a list of documents with the date-of-birth field.
- Use Case – Customer can enter a person’s name (eg John Doe) in the search field, and the tool will return a list of documents that contains the person’s name. The customer could move the documents to a legal hold area or to-be-deleted area, which will fulfill the “right to be forgotten” clause in GDPR.