The resulting GDPR, approved by the EU Parliament in 2016, will completely replace the 1995 Data Protection Directive, increasing citizens’ control over their own data and giving EU member state regulators the power to prosecute well beyond the borders of the EU. The central provisions of GDPR focus on permissions and control. GDPR will replace our current Data Protection Act (DPA) and is designed to harmonise data protection legislation across Europe so that we all operate to the same standards.

Having just spent a great deal of quality time with attorneys, educating the legal community about the benefits of eDiscovery in the cloud, I noticed that there is still a proverbial elephant in the room—the European Union’s General Data Protection Regulation (GDPR). Next year, thousands of corporations will have to comply with a whole new set of data management rules prescribed by GDPR. While opinions and knowledge of the GDPR varied, three questions kept cropping up:

  • What is GDPR, and how can it impact my organization?
  • What do I need to do first?
  • How can I leverage the cloud to ensure compliance?

GDPR Explained

GDPR creates a unified set of laws and stricter regulations for EU citizen data processing, and it also specifies steep penalties for noncompliance. These penalties are in the form of administrative fines and can be imposed for any type of GDPR violation, including those that are purely procedural. Fines range from €10 million or 2% of global annual turnover to €20 million or 4% of global turnover.

The primary reasons for the new regulation are:

  1. To provide EU citizens with more power over how their own personal data is used
  2. To strengthen trust between digital services providers and the people they serve
  3. To provide businesses with a clear legal framework under which they can operate, removing any regional differences by creating a uniform law across the EU single market.

GDPR goes into effect on May 25, 2018—which leaves companies a year to prepare for drastic changes in how they handle the personal data of EU residents. Let’s explore what your organization can do to prepare for GDPR.

GDPR First Steps

Is your business subject to GDPR?
GDPR applies to a larger scope of organizations than did the Data Protection Directive (Directive 95/46/EC), its predecessor. Many businesses that were not subject to European privacy laws will, in fact, need to comply with GDPR. Here’s how to determine if you must comply:

GDPR applies to all organizations with a presence in the EU where personal data is processed during the performance of business activities—even a minimal footprint (such as having a single EU-based employee) suffices.

If a company without a physical presence in the EU is targeting EU residents to offer them goods and services, GDPR applies. “Targeting” includes using an EU language or currency, tailoring products to EU residents, or aggressive marketing within the EU. “Monitoring” is defined as tracking people online to create profiles or analyze and predict personal preferences, patterns of behavior, or attitudes.

Is your company required to have a Data Protection Officer (DPO)?
Different from a compliance officer or legal counsel, a DPO reports to the executive board and has the authority to monitor the company’s data processing. Organizations with 250 or more employees that handle sensitive data or criminal records must appoint a DPO. Organizations with fewer than 250 employees may or may not have to appoint a DPO, depending on whether they process sensitive data.

Are there processes in place to respond to requests to delete/amend/provide copies of data?
In addition to the rights prescribed by the Data Protection Directive—such as access to copies of data, the right to amend, and the right to restrict processing—GDPR also includes the right to online information erasure and the right to data portability (allowing people to transfer their data to another service provider). This means your company must develop thorough procedures to respond to these types of requests.

Does your company have an incident response plan that meets GDPR requirements?
GDPR includes a data-breach notification requirement. Data breaches are subject to a 72-hour notification of the supervisory authority if there’s a risk of harm to people. The affected data subjects also must be notified without “undue delay.”

What are your organization’s data transfer mechanisms?
If your company hasn’t determined how personal information is transferred from the EU, it’s a good time to examine your transfer mechanisms, as they are subject to administrative penalties. If your organization transfers data from the EU to the US, your options are:

  • privacy shield certification
  • execution of the model clauses
  • binding rules for intra-company data transfers

It seems the common threads in all these requirements are the allocation of more resources for data protection and governance, and a more proactive approach to privacy and security.

Druva, the Cloud, and GDPR
Offering the only cloud-native data protection SaaS on the market, Druva solutions address compliance with regulations such as GDPR head-on using the power of the public cloud:

  • Data visibility: To secure information and be compliant with GDPR requires visibility into where data lives. Druva provides the ability to protect, collect, and monitor data on endpoints, servers, and in cloud applications. This broad visibility gives you a real understanding of your company’s overall data attack surface, and it delivers actionable insight into how to deploy GDPR-compliant security mechanisms.
  • Information governance: Traditionally, data governance focused on forced data centralization, which provides visibility only into information that is stored centrally. The decentralization of data creation on mobile devices and cloud apps means companies must approach governance differently. Druva allows you to centralize your data-source policy management and enforcement to bring in de-centralized data in a way that’s compliant with GDPR.
  • Continuous data monitoring: GDPR requires data processors to monitor the security of their information no matter where it lives. With Druva, you’re able to automate proactive monitoring for compliance violations, regardless if that data is on a traditional endpoint or in a cloud application.
  • Secure transfer: With GDPR, security follows the data of all EU citizens, no matter where that data resides. Druva uses industry-leading, standards-based TLS 1.2 and AES 256 encryption with unique customer keys, paired with simplified and integrated key management. Druva can also prevent data from leaving the EU, in the event that you’ve not yet established acceptable transfer mechanisms.
  • Right to Be Forgotten/Right to Erasure: One of the major provisions and challenges facing organizations with GDPR is how to erase information at the request of EU residents in order to prevent any subsequent data process. While there are some caveats with this provision of GDPR, any lawful requests for erasure must be handled in a timely manner. Druva provides defensible deletion capabilities that enable you to comply with erasure requests—including a complete audit trail to prove the information was deleted.

Druva blog content originally published on the GDPR Report

Recommended Reading

Obelisk Support consultant Alisha McKerron Heese provides some advice on how data processors can comply with upcoming GDPR legislation.

We are fast reaching the countdown phase for the General Data Protection Regulation (GDPR) which comes into effect in just over six months on 25th May 2018.

Preparing for GDPR is a complex process which requires far more than merely updating your processing agreements and fulfilling your contractual obligation. While the regulations stipulate that certain provisions be inserted in processing agreements (art. 28(3)), they do not stop at that. For the first time, statutory data protection requirements (which previously only applied to data controllers) will place direct obligations on you as well. This enables data subjects to enforce their rights directly against you. Non-compliance is also more severely punished, through significantly heavier fines. To be precise, under the current law, the maximum fine the Information Commissioner can impose is £50,000. Under GDPR, however, that fine can be anything up to 4% of an organisation’s annual worldwide turnover, or 20,000,000€, whichever is largest.

So, what are these new requirements and what steps should you take to ensure that you will be compliant from 25 May 2018?

#1 Review Existing Processing Agreements

Your processing agreements must be GDPR compliant. This means that you have agreed to:

  1. Process personal data only after documented instructions from your client
  2. Ensure that all of your employees who are authorized to process personal data have committed themselves to confidentiality
  3. Take appropriate security measures (see step 3 below)
  4. Engage sub- processor correctly (see step 6 below)
  5. Help your client(s) to respond to requests by data subjects who are exercising their rights
  6. Help your clients to meet their compliance obligations (relating to securing personal data, data breaches, data impact assessments, and consultations with the supervisory authority)
  7. At the choice of your client, delete or return personal data
  8. Allow for and contribute to audits conducted by your client.

More details here.

Is Gdpr Coming To Usa

#2 GDPR Compliance Accountability Procedures

You must have determined if you are required to maintain written records of categories of processing activities (art. 30). This requirement originates from the accountability principle (art. 5), a re-occurring theme throughout GDPR which puts the onus on you to be responsible for, and to demonstrate compliance. Information which must be captured includes details of any other processors, your client’s details and those of Data Protection Officers (DPO), categories of processing, details of transfers to third countriesand a description of general technical and organizational security measures (art. 30 (2)). These records must be provided to the supervisory authority on request.

If you employ 250 employees or less, you will be excluded from this requirement provided that the processing does not pose a risk to the rights and freedoms of individuals, is not more than occasional, and does not include special category data.

Note: Special category data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, and biometric data or data concerning healthor data concerning a natural person’s sex life or sexual orientation (art. 9(1)).

#3 Data Security

You must have appropriate security measures – referred to as appropriate technical and organisational measures (art. 32). If you are wondering what appropriate technical and organisational measures means, you are not the first. No definition is provided by the regulation, thereby putting the onus on you to decide. You must consider a variety of factors: the sensitivity of data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and nature of processing.

This requires you to have a comprehensive understanding of your systems and the type of data processed. While they can vary, appropriate measures include pseudonymisation and encryption of personal data. Regular testing of any security measures is also required where appropriate. This will enable you to detect any weaknesses and pick up any problems quickly which is particularly important in the event of a breach.


More details here. Asus zenfone max pro m2fxfasr.

Gdpr Is Coming

#4 Data Breach Notification

You must be able to detect data breaches and notify the controller without undue delay upon becoming aware of a breach (art. 34). It may be in your interests to clarify in your processing agreement (if you have not already done so) when delay may be undue as this is not made clear in the regulation.

More details here.

#5 Data Protection Officers

You must have a DPO if required, although you may have one even if not required. A DPO is required if you are a public authority, if processing requires regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of processing large scale special categories of personal data. A DPO’s primary role is to independently advise you on compliance with the GDPR, and they are the contact point for any data subjects and for the supervisory authority.


More details here.

#6 Reviewing Use of Subcontractors

You must have prior specific or general written authorisation from your client ifyou enlist another processor or replace a sub-processor (art. 28(2)). You must reflect the same contractual obligations you have with your client in a contract with any sub-processor and shall remain liable to your client for the action or inaction of any sub-processor.

#7 International Transfers

Is Gdpr Coming To The Us

You must ensure that you have appropriate safeguards for any transfers of personal data to a third country (in the absence of an adequacy decision) and that the data subjects have enforceable rights in that country with respect to the data. This is your decision to make, and is independent of any instructions from your client with regards to data processing.

Gdpr Is Coming 2019

More details here.

Making your processing agreement GDPR complaint is just the start. The steps outlined above are by no means an exhaustive list, but should hopefully assist you in your journey to becoming GDPR compliant. Not long to go before the clock stops ticking!

Coments are closed
Scroll to top