European Union General Data Protection Regulation (GDPR) - FAQs
The GDPR challenge
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. The new rules aim to harmonize and modernize the data protection rules within the EU. The main focus is transparency, documentation, and the data subject’s control and consent.
GDPR Impact Assessment
Organizations have to assess impact using sophisticated and robust data identification tools.
Impact is defined by the following challenges:
✓ Organizations are required to continuously identify areas of high-risk data processing, including, for example, monitoring of individuals and of data behavior.
✓ Internal regulatory inspections or compliance audits must, in some cases, be self-reported to regulatory authorities.
✓ A key challenge for organizations is finding where personal data is being stored once it has been collected.
✓ A key challenge for organizations is finding where the data that must be erased, whether at an individual’s request or under data retention regulation, is located.
✓ A key challenge for organizations is identifying sharing violations of private data across geo-locations.
The GDPR pain points VisionGrid™ covers
What data do we collect?
VisionGrid™ is a big data analytics platform for the automatic identification of sensitive data. It profiles examples of sensitive data and classifies them into clusters of similar data that it discovers during its scan process. With a simple drag-and-drop GUI operation, a user can provide the system with an example of sensitive data; the system scans the file and classifies it into the appropriate cluster of similar data on the VisionGrid™ data map. In this way the user is focused on the relevant documents and can easily see (and later act upon) all the similar sensitive data across the organization, enabling them to control and monitor private and sensitive data.
Are we gathering too much data?
VisionGrid™ shows exactly where all duplicates, permutations and versions of private and sensitive data exist across all corporate repositories and external cloud storage. It can also alert on sharing violations of private and sensitive data across geo-locations (i.e. outside the EU).
How do we process the data?
VisionGrid™ provides full information on the sensitive clusters, including all the relevant properties, e.g. last-modifying user, last-modifying machine, file types, file names, etc. The system generates a report of outliers relative to a given criterion, e.g. outliers by designated location, user or time. The VisionGrid™ data map holds a textual taxonomy of text elements for all the textual documents in a cluster, so that a specific string can be searched for. Sophisticated pattern-recognition algorithms can automatically match database tabular data against clusters and alert on data that is suspected to be private or sensitive and present in multiple locations, e.g. all documents (Word, PDF, Excel) that contain customer addresses and bank details originating from the company’s CRM.
GDPR Key points
The rules operate with two types of data: personal data and sensitive personal data.
- Examples of personal data: name, address, phone, birthday, education, job etc.
- Examples of sensitive personal data: taxes, social security number, race, ethnicity, religion, health information, sexual preferences, biometric data etc.
The rules apply to companies that process personal data. Processing the data includes collecting, reading, editing, comparing, transmitting and storing the data. Companies may process personal data only to the extent that it is in accordance with the stated objective. Afterwards the company has to delete or anonymize the data.
- The data subject now has the “right to be forgotten”, right to limit the processing, the right to data portability and the right to object against profiling and direct marketing.
- Processing personal data requires valid implicit consent from the data subject. For example, checking a consent box when filling out a form online.
- Processing sensitive data requires valid explicit consent from the data subject.
- According to the rules, some companies have to hire a Data Protection Officer (DPO). It is mandatory for public authorities and for companies whose main activity is to process personal data. The DPO has an independent role and the job of making sure that the company is in compliance with the rules, that appropriate technical and organizational measures have been implemented, and that those measures are compliant too.
- A data breach has to be reported to the proper authority when detected. The company then has to account for where the data breach happened, what data was affected and whose personal data was breached.
- In the case of a data breach, the company also has to notify the people whose personal data has been compromised within 72 hours, informing them about what kind of data has been lost.
- If the company responsible for the data uses other companies that also process the data in some way, there needs to be a written agreement between the parties. This is to keep control of the data and to ensure that partners are also in compliance with the regulations.
- The fine for not following the regulations is quite high: up to €20,000,000 or 4% of the worldwide company profits, whichever is higher.
The rules have sharpened the demands on companies that process data, and many companies are facing the huge challenge of answering the following questions:
1. What data do we collect?
2. Are we gathering too much data?
3. How do we process the data?
4. Do we need to limit the access to data (also for employees)?
5. What kind of technology/software do we use and how does it process data?
6. Are we sure that the data is not used for other purposes than the original purpose?
7. Are there systems that can help us be compliant with the rules?
8. How can we build privacy by design/default into our company?
Statistics on US companies operating in the European market:
- 8% of US companies are planning to conduct a full audit of EU personal data manifestation
- 24% of US companies say “We likely will not be compliant by May 2018”
- 9% of US companies are planning to use/maintain policies/procedures for the anonymization and de-identification of personal data
What are your budgetary technology priorities to ensure compliance over the next 12 months to address GDPR compliance?
22.8% will increase spending on data classification tools for GDPR compliance.