GDPR-Now or Later?

Oct 19, 2021 | Blog

Every person who encounters your business, whether client, customer, employee or contractor, brings with them a wealth of personally identifiable information (PII), and that information is their sensitive data. Your company is responsible for safeguarding it in accordance with local and international law.

A good example of such a law is the General Data Protection Regulation (GDPR), widely regarded as the most stringent privacy and data protection law in the world. It took effect on May 25, 2018. The GDPR was drafted and passed by the European Union (EU), but it applies to any organization, wherever it is located, that offers goods or services to, monitors, or otherwise processes data relating to individuals in the EU. A long series of corporate data breaches worldwide drove its creation: corporations had proven ineffective at retaining, protecting and auditing important business and client data. In scope and ambition it is comparable to the Basel banking regulations published in the 2000s.

Among today's competing data-compliance requirements, GDPR is one more regulation that obliges your business to act to protect your customers' data. Traditional data and content management controls have proven unable to keep up with the actions of a determined few. Both now and in the future, analytics over unstructured data is essential for meeting data privacy regulations, because that is where most personal data sits unnoticed.

Do you currently know your unstructured-data compliance risk?

Identifying your risk for non-compliance:

The GDPR is intended to protect personal data regardless of the technology used to process and store it. The regulation is technology-neutral: it applies to automated processing, and to manual processing as long as the data forms part of a filing system organized according to specific criteria. GDPR does not care whether the data is held in an IT system, captured by video surveillance, or kept on paper. In all of these cases, personal data is subject to the protection requirements set out in the regulation.

In implementing the GDPR, Europe signals its strong position on privacy and security at a time when more people are entrusting their personal data to cloud services and breaches are on the rise.

How does GDPR define personal data?

Personal data is any information that relates to an identified or identifiable living individual. Names, addresses and photographs were already treated as personal data under earlier legislation. Under the GDPR, online identifiers such as an IP address are explicitly personal data as well. The regulation also singles out special categories of sensitive personal data, such as genetic data and biometric data processed to uniquely identify a person, which carry stricter processing conditions.

Data Dynamics’ Content Analytics Platform:

The Content Analytics Platform from Data Dynamics identifies every document in an unstructured directory or folder that contains a personal-data field or value. Once a document is identified, the user can mark it as non-compliant. Using Content Analytics, the contents of a document can be inspected for personal data and the document can then be marked as clear. In addition, Content Analytics can move documents to a quarantine area for further processing.

Penalty for non-compliance:

A violation of the GDPR can lead to fines of up to tens of millions of euros against organizations that breach its privacy and security requirements. The administrative fines set out in Article 83 are deliberately flexible: the maximum scales with the firm's annual worldwide turnover, and the amount actually imposed depends on factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and what the organization did to mitigate the damage. The result is that non-compliance is a costly mistake for a business of any size.

There are two tiers of administrative fines that can be levied as penalties for non-compliance to GDPR:

  1. Up to 10 million Euros, or 2% of annual global turnover, whichever is greater, for infringements of controller and processor obligations such as security of processing and breach notification, or
  2. Up to 20 million Euros, or 4% of annual global turnover, whichever is greater, for infringements of the basic processing principles, data subjects' rights, or the rules on international transfers

In most cases, fines are discretionary rather than mandatory, and they are imposed on a case-by-case basis.

A Compliance standard for data at rest:

Data at rest is often regarded as the safest kind of data, because it is not travelling across the internet and is not exposed to a third party's breach. Firewalls and antivirus software may stop some attacks, and full-disk encryption protects against physical theft of a drive, but data at rest remains exposed to human error, over-broad permissions, and any attacker who gains a legitimate user's access, since the disk is transparently decrypted for that user. Security measures are therefore still needed to safeguard it. The GDPR repeatedly names encryption and pseudonymisation as examples of "appropriate technical and organisational measures" (Article 32). Encrypting personal data does not stop a file from being stolen, but it does reduce the impact of a breach: if the stolen data is unintelligible to whoever took it, the obligation to notify affected individuals may not apply (Article 34), and the exposure to fines drops accordingly. Both data in motion and data at rest can be protected with encryption.

Data Dynamics' Content Analytics Platform can provide this analysis for unstructured data. Companies scan their unstructured data, and the platform then determines the risk level of the data in a given folder or directory. Encrypted files are marked "low risk," password-protected files are marked "medium risk," and files with no data-at-rest protection are marked "high risk." (A password-protected file is only as strong as the format's cipher; legacy ZIP and Office password schemes are easily broken, which is why such files do not earn the "low" rating.) The platform presents the results graphically and in tabular form, and customers can then move the medium-risk and high-risk files to a quarantine area.

Search by keywords:

A keyword search engine in our platform lets you look for names, dates of birth and other personal-data fields across the unstructured data.

The following are the use cases addressed by this functionality:

  1. Entering a customer's full name or date of birth in the search field returns the list of documents containing that value. For instance, a customer who wants to know how many documents hold a date-of-birth field, and which of those are stored in clear, types date-of-birth into the search field and the tool lists the documents that contain it.
  2. The platform also lets you search for every document in which a particular person's name appears (e.g., John Doe) and returns that list. In this scenario the customer can move those documents to a legal-hold area or a to-be-deleted area, which is a necessary step in honouring an erasure request under the GDPR's "right to be forgotten" (Article 17). Note that content inside encrypted files cannot be searched without the key, so erasure requests must also reach whoever holds the keys.
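As an added illustration, and not Data Dynamics' code or a description of how their platform works, the following Python scanner applies the three risk tiers described above to a constructed set of files and supports the two keyword-search use cases. Everything in it is an assumption chosen for the example: the protection heuristics (a PGP armour header or near-random bytes count as encrypted, a ZIP whose local header sets the encryption bit counts as password-protected, anything else is clear), the PII regexes, and the sample corpus. A real scanner would walk a file share with os.walk instead of taking an in-memory dict.

```python
import io
import math
import random
import re
import struct
import zipfile
from dataclasses import dataclass, field

# Patterns for personal-data fields the post mentions (date of birth, IP address)
# plus e-mail. Pattern matching is a heuristic: a log timestamp also looks like a
# date of birth, so hits are candidates for review, not verdicts.
PII_PATTERNS = {
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


@dataclass
class Finding:
    path: str
    risk: str                 # "low", "medium", "high" or "none"
    reason: str
    fields: list = field(default_factory=list)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted (and compressed) data sits close to 8.0."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def protection_level(data: bytes) -> str:
    """Assumed heuristics for data-at-rest protection: PGP armour or near-random
    bytes -> "encrypted"; a ZIP whose local-file header sets bit 0 of the
    general-purpose flag -> "password"; everything else -> "clear"."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return "encrypted"
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        (flags,) = struct.unpack("<H", data[6:8])
        return "password" if flags & 0x0001 else "clear"
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        return "encrypted"
    return "clear"


def read_text(data: bytes) -> str:
    """Inspectable text of a 'clear' file; unencrypted ZIPs are expanded so their
    members get scanned rather than being mistaken for opaque binary."""
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "\n".join(zf.read(n).decode("utf-8", "ignore") for n in zf.namelist())
    return data.decode("utf-8", "ignore")


def find_pii(text: str) -> list:
    return [name for name, rx in PII_PATTERNS.items() if rx.search(text)]


def classify(path: str, data: bytes) -> Finding:
    """Risk tiers as in the post: encrypted = low, password-protected = medium,
    personal data in clear = high. Files with nothing detected are 'none'."""
    level = protection_level(data)
    if level == "encrypted":
        return Finding(path, "low", "encrypted at rest")
    if level == "password":
        return Finding(path, "medium", "password-protected container (cipher strength unknown)")
    fields = find_pii(read_text(data))
    if fields:
        return Finding(path, "high", "personal data stored in clear", fields)
    return Finding(path, "none", "no personal data detected")


def scan(files: dict) -> dict:
    return {path: classify(path, data) for path, data in files.items()}


def keyword_search(files: dict, keyword: str) -> list:
    """Paths of readable files containing keyword, case-insensitively (e.g. a data
    subject's name for an erasure request). Encrypted content cannot be searched."""
    kw = keyword.lower()
    return sorted(p for p, d in files.items()
                  if protection_level(d) == "clear" and kw in read_text(d).lower())


def quarantine_candidates(files: dict) -> list:
    return sorted(f.path for f in scan(files).values() if f.risk in ("medium", "high"))


def sample_files() -> dict:
    """Constructed sample corpus (not real data) standing in for a file share."""
    rng = random.Random(2021)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("customers.csv", "name,email,date_of_birth\nJane Roe,jane@example.org,1990-07-01\n")
    return {
        "hr/employees.txt": b"Name: John Doe\nDOB: 1985-03-14\nEmail: john.doe@example.com\n",
        "it/access.log": b"2021-10-19 GET /login 203.0.113.7 user=jdoe\n",
        "legal/contract.pgp": b"-----BEGIN PGP MESSAGE-----\nhQEMA...\n-----END PGP MESSAGE-----\n",
        "backup/2020.enc": bytes(rng.getrandbits(8) for _ in range(4096)),
        # raw ZIP local-file header with the encryption bit set; no members needed
        "archive/old.zip": b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\x00" * 22,
        "archive/export.zip": buf.getvalue(),
        "docs/readme.txt": b"Internal style guide. No customer data here.\n",
    }


if __name__ == "__main__":
    files = sample_files()
    for f in scan(files).values():
        print(f"{f.risk:<6} {f.path:<22} {f.reason} {f.fields}")
    print("erasure request 'John Doe' ->", keyword_search(files, "John Doe"))
    print("quarantine ->", quarantine_candidates(files))
```

Two things the sample corpus is built to show: the access log is rated high because its timestamp matches the date-of-birth pattern and it carries an IP address, which is exactly the kind of hit a reviewer has to triage rather than trust, and the unencrypted export archive is expanded and rated high, whereas the password-protected archive is only medium, since the scanner cannot see inside it and says nothing about how strong that password scheme is.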

Conclusion:

With GDPR, individuals' rights to control and manage their personal data are strengthened, and the regulatory environment for international business is made more uniform across the EU. When a personal-data breach occurs, you must notify the supervisory authority within 72 hours of becoming aware of it (Article 33), and the affected individuals without undue delay where the breach is likely to put them at high risk (Article 34), or face penalties. According to the RSA report, 62% of respondents say they would blame the company for losing their data, not the hacker, in the event of a breach. The regulation has been in force since 2018, so GDPR compliance must be implemented now to protect the personal data of individuals in the EU.