The General Data Protection Regulation (GDPR) is an upcoming regulation intended to enhance the protection of data from individuals residing in the European Union. It also addresses the export of personal data outside the EU. The core goal of the regulation is to enable individuals to have more control of their own data as well as harmonize the regulations across Europe. GDPR replaces the current data protection directive in EU which has been in place since 1995. The key difference from the earlier directive is stringent penalties that the regulation enforces
Key Facts about GDPR
Data when GDPR comes into effect
4% of Revenue
Maximum penalty imposed on infringements
Applies to any company processing EU data
Key Considerations with GDPR
Consent from data subject is the foundation of the current regulation. GDPR requires the data subjects to provide explicit consent for the processing of their personal data. Data subjects also have right to withdraw the consent. GDPR also specifies that controllers should get “explicit consent” for special categories of personal data as well as parental consent for processing data of children up to 16 years old.
Breach Notification and Data Security
GDPR states “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. The definition of breach is not restricted to exfiltration of the data. GDPR requires controllers to notify the supervisory authority in the member state no later than 72 hours of a breach.
GDPR also elaborates on data security requirements to protect personal data, including measures for pseudo-anonymization, efforts to ensure integrity, confidentiality of processing systems and ensuring access to personal data in case of system failure or physical event
With the advent of big data, there is a concern of using personal data to track preference for customers and enable personalization of services (data profiling). GDPR puts additional restrictions on using personal data for such “profiling” services, though it is restricted only to the automated processing of personal data. Data subjects have a number of rights with regards to profiling, such as the right to object or avoiding profiling-based decisions.
Right to be forgotten
RTBF probably is one of the controversial aspects of GDPR. The regulation now introduces the right for individuals to request deletion of their personal data. Data Controllers would need to delete any personal data related to an individual, based on the request or if the data is no longer needed. If the data has been shared with other companies, they would need to be notified of the individual’s request. The right to be forgotten will be widely discussed within IT teams on how it could be effectively implemented
"Personal data" means any information relating to an identified or identifiable natural person ("data subject")
Sensitive Personal Data
"Sensitive Personal Data" are a special category of personal data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation;
"Controller" means the natural or legal person, public authority, agency or any other body which determine how personal data should be processed
Some sets of data can be amended in such a way that no individuals can be identified from those data without a "key" that allows the data to be re-identified. The risks are lowered if the keys are stored in a different place than the data
The term"processing" in GDPR refers to anything that is done to, or with, personal data (including simply collecting, storing or deleting those data)
"Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
How can Privacera help?
Deep Data Discovery and Classification
Privacera discovery solution can continuously scan and identify for personal data as defined by GDPR. Privacera leverages machine learning and natural language processing to precisely identify sensitive data and update the metadata in a centralized store. This information can be used by other applications which need to know what data is stored where.
Customer Consent and Purpose Management
Privacera provides a centralised customer metadata store which can be used to store individual customer data and create a unique customer id that can be used to refer by different applications when processing personal data. An essential part of GDPR is individual consent, and Privacera can easily capture and store the consent for data processing as well as the purpose for which the consent is collected.
Sensitive Data Breach Detection
Privacera precisely identifies personal data at rest, and analyzes user behavior against such data. Privacera can detect and prevent unauthorized access, loss or copy of such data and create notifications that can be analyzed by the security teams. Breach notifications can be easily created based on the information provided by Privacera. Security team can also perform forensics on the audit data stored by Privacera
Tracking Sensitive Data
Privacera solution can track sensitive data as it is being accessed by users. Data can be moved or copied across locations, Privacera tracks the movement and transfers of data across the data environments and provides a visual flow of the data movement. The information can be used to assess whether GDPR or specific compliance regulations will apply to the data environments