From 25th May 2018, the General Data Protection Regulation (GDPR) applies across the EU. By now, most of us in IT are familiar with the basic concepts, but a large number of organisations are still unsure about what steps they need to take in order to be, and remain, compliant.
What is GDPR and why is it being introduced?
The GDPR defines a ‘personal data breach’ as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Such breaches must be reported to the supervisory authority without undue delay (unless the breach is unlikely to result in a risk to individuals), and communicated to the affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
The regulation defines ‘personal data’ as any information relating to an identified or identifiable natural person (the ‘data subject’). It includes information that can be used to identify the person directly or indirectly: a name, a photo, an email address, bank details, posts on social networking websites, medical information, or an IP address.
To reduce the risk of identifying individuals unnecessarily, the GDPR names ‘pseudonymisation’ as an appropriate safeguard: processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, where that additional information is kept separately and protected. ‘Processing’ means any operation performed on personal data, such as collecting, recording, organising, structuring, storing, retrieving, erasing, or destroying it.
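The following is an added example, not code from the original article or from CTERA: it shows what the definition above means in practice. Direct identifiers are replaced by a pseudonym derived with HMAC-SHA256 under a secret key that is stored apart from the dataset (the key is the ‘additional information’), the IP address is coarsened, and the difference from an unkeyed hash is demonstrated, since a plain SHA-256 of an email address can be reversed by anyone with a list of candidate addresses. The records and keys are constructed sample data; field names are assumptions.

```python
"""Pseudonymisation of personal data with a keyed pseudonym (added example).

Direct identifiers (name, e-mail) are replaced by HMAC-SHA256(key, e-mail),
so records stay linkable (same subject -> same pseudonym) but the dataset
alone cannot be attributed to a person.  The key lives outside the dataset.
All records below are constructed sample data.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Fields treated as direct identifiers and stripped from the working dataset.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records (assumed field names, not real people).
RECORDS = [
    {"name": "Ada Example", "email": "Ada@example.org", "ip": "203.0.113.45", "order": "A-1001"},
    {"name": "Ada Example", "email": "ada@example.org", "ip": "203.0.113.46", "order": "A-1002"},
    {"name": "Bob Sample", "email": "bob@example.net", "ip": "2001:db8:1234:5678::9", "order": "B-2001"},
]


def make_pseudonym(key: bytes, email: str) -> str:
    """Stable pseudonym: HMAC-SHA256 over the normalised e-mail address.
    Without `key`, the pseudonym cannot be brute-forced from a candidate list."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def truncate_ip(ip: str) -> str:
    """Coarsen an IP address to its /24 (IPv4) or /48 (IPv6) so the record keeps
    network-level information but no host identifier."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with direct identifiers replaced by `subject_id`."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = make_pseudonym(key, record["email"])
    if "ip" in out:
        out["ip"] = truncate_ip(out["ip"])
    return out


def reidentify(subject_id: str, candidates: list, key: bytes):
    """Controller-side lookup: only a holder of `key` can match a pseudonym to a
    known subject (e.g. to answer a subject access or erasure request)."""
    for email in candidates:
        if hmac.compare_digest(make_pseudonym(key, email), subject_id):
            return email
    return None


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the e-mail: NOT adequate pseudonymisation."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def guess_naive_hash(digest: str, candidates: list):
    """Anyone with a candidate list reverses an unkeyed hash by re-hashing guesses."""
    for email in candidates:
        if naive_hash(email) == digest:
            return email
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would be kept in a separate key store
    dataset = [pseudonymise_record(r, key) for r in RECORDS]
    for row in dataset:
        print(row)
    print("linked:", dataset[0]["subject_id"] == dataset[1]["subject_id"])
    print("re-identified with key:", reidentify(dataset[0]["subject_id"], [r["email"] for r in RECORDS], key))
    print("re-identified without key:", reidentify(dataset[0]["subject_id"], [r["email"] for r in RECORDS], b"\x00" * 32))
    print("unkeyed hash guessed:", guess_naive_hash(naive_hash("ada@example.org"), [r["email"] for r in RECORDS]))
```

Two practical points the definition hides: the pseudonymised dataset is still personal data under the regulation as long as the key exists somewhere, so it must be protected accordingly; and rotating or destroying the key is what turns a pseudonymised dataset into an anonymised one, so key custody needs an owner and a procedure.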
The primary goal of the GDPR is to unify data protection law across the EU member states and to give individuals greater protection and stronger rights over their data. It also governs the transfer of personal data outside the EU, and it applies to organisations outside the EU that offer goods or services to, or monitor, people in the EU, which means it affects companies around the world.
Who does the regulation concern?
The GDPR applies to any business or entity that holds or processes the personal data of individuals in the EU, whether or not the entity itself is established there. The definition of personal data is broad, and the regulation singles out ‘special categories’ that attract stricter conditions: genetic and biometric data, health data, and information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation.
Organisations that fail to meet the requirements set out in the GDPR may face substantial fines: for the most serious violations, up to 20 million euro or 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher.
The GDPR distinguishes between two types of entities: controller and processor. A ‘controller’ is a person, public authority, agency or other body which determines the purposes and means of the processing of personal data. A ‘processor’ means a person, public authority, agency or other body which processes personal data on behalf of the controller.
Ok, so what will this actually mean for my organisation?
The GDPR contains a rather complex set of rules and guidelines, and it requires organisations to perform a detailed analysis to fully understand how it will impact their working practices. The regulation outlines specific responsibilities for controllers and processors of personal data.
To begin with, each entity must support the fundamental data subject rights: a clear form of consent, the right of access to data, the right to data portability, the right to erasure (the ‘right to be forgotten’) and prompt notification of breaches. In addition, alongside the ‘data protection by design and by default’ principle, controllers and processors must meet specific obligations on records of processing, security of processing and breach notification:
- Record keeping: each controller and processor must maintain a record of the categories of processing activities carried out (subject to a limited exemption for organisations with fewer than 250 employees whose processing is occasional and low-risk).
- Pseudonymisation and encryption: named in the regulation as examples of appropriate technical measures; they are not mandatory for all data, but an organisation that chooses not to apply them to personal data should be able to justify why.
- Security and resilience: ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, with measures appropriate to the risk.
- Disaster recovery: the ability to restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident.
- Testing and monitoring: a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of the processing.
- Breach notification: a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller becomes aware of it, unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay.
Got that. How on Earth do I begin to prepare then?
The GDPR outlines a few broad principles for processing personal data. In general, it requires processing to be secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using measures appropriate to the risk. Entities that process personal data are required to adopt a ‘privacy by design’ approach, which calls for data protection to be built in from the outset of system design rather than bolted on afterwards.
If you’re managing GDPR preparations, the first step to take is to identify a solution that can enable you to consolidate your distributed file data onto a private cloud. Increasingly, enterprises are adopting file services platforms that can support a wide range of IT use cases including storage, data protection, file collaboration, and more. With such platforms, files that were previously scattered throughout the organisation — on users’ workstations, laptops, mobile devices and file servers — are brought into a centralised repository, where they are subject to security and access control procedures.
Enterprise file services platforms can be used by both controllers and processors. In doing so, you will be able to bring scattered files, and crucially those containing personal data, under one umbrella. By storing these as encrypted files and by implementing role-based access control policies, you ensure that only authenticated users holding the appropriate permissions can reach a given file. Furthermore, stored data will need to be backed up regularly and restored easily in the event of a disaster.
A platform designed with security and privacy at the fore should offer a broad set of security features to protect sensitive personal data, such as:
- Authentication: a robust user-authentication method, including integration with AD/LDAP services, so that access to the central file repository is tied to the organisation's existing identities and can be revoked centrally
- Data protection: built-in backup and restore capabilities along with fine-grained snapshots, to guard against accidental loss or deletion of personal data (note that a snapshot of a breached or ransomware-encrypted share is only useful if it predates the incident and is itself protected from tampering)
- Disaster recovery (DR): built-in DR capabilities that can restore personal data quickly in the event of a system failure or facilities damage
- Data encryption: all data should be encrypted at rest and in transit
- Data privacy: data backed up to the platform should be further protected by a passphrase, so that only the data owner can decrypt it; this also means that a lost passphrase means lost data, so passphrase custody needs to be planned
- Data location control: you should have full control over where your data is stored, so that no personal data leaves its intended location without proper directives, which matters for the regulation's rules on transfers outside the EU
Failing to meet the GDPR requirements can have severe consequences for companies around the globe. The rapidly growing portion of ‘unstructured data’ kept in files is just as subject to the GDPR as data held in databases. Considering this, companies should re-evaluate their ability to meet the regulation's requirements and consider file services platforms as one means of closing gaps in their data protection and governance capabilities.
A proper file services platform enables organisations to consolidate and centrally manage files that were previously scattered throughout the organisation, a key step towards meeting GDPR requirements by 25th May, as well as staying compliant in the long term. The platform's built-in security capabilities, data protection, access control, logging and auditing let you raise corporate file security to a new level and help ensure your organisation is ready for the GDPR.
Jim Crook, Director of Marketing, CTERA Networks