
GDPR Compliance: How EU’s Enactment Can Chew Us All
The General Data Protection Regulation (GDPR) is a set of new guidelines which the European Union plans to enforce from mid-2018. The European Parliament, the European Commission and the European Council intend it to strengthen and unify data protection for citizens of the European Union (EU). The regulation is currently in its transition period and is scheduled to be enacted on May 25, 2018. Once the GDPR is enacted, one's company, and for that matter every other company in the world, will have to meet the guidelines of the act, failing which hefty fines will be levied.

The GDPR is scheduled to replace the Data Protection Directive 95/46/EC. Once it is enacted, information technology and security officials will need to tighten their belts to meet the general conditions of the act and ensure that they are compliant with it. The GDPR will apply to all states in the European Union (EU), as well as to any company that markets goods and services to EU residents. In this way, GDPR is bound to have a far-reaching impact on organizations across the globe. Hence, the misconception that GDPR will not affect countries outside the EU market does not hold true.

The primary agenda of the data protection regulation is that personal data should be stored only with the individual's consent. Moreover, it should be stored for a limited time, specific to the purpose of storage. As a result of GDPR, organizations are bound to face a backlash over how they collect, store and handle data. Also, data storage systems can potentially be transformed using either protection by design or privacy by default.

Complying with Rules of Data Storage

The main motive behind designing data storage solutions is to protect data and maintain its privacy. It is also important that proper security measures are in place so that data is protected. Clear rules must be enforced regarding data access, with proper authentication mechanisms for access to data that might be termed sensitive. Data must also be audited as it is uploaded, and authorizations must be kept up to date so that access is granted only to the appropriate data.

GDPR will also be a big responsibility for IT professionals, as active vigilance will be required to automate data access processes and to closely monitor the reviewing, revoking and granting of any new access. A mechanism to automatically detect sensitive data and analyze access should also be incorporated.

Another important factor is data portability and mergeability; solutions for these must be built, as employees can leave their respective jobs and profiles. In that case, organizations should have the ability to delete personal data easily and quickly.

Cloud as a Savior

To some extent, the GDPR begins to get interesting in relation to the cloud. GDPR also requires organizations to assess the benefits of on-premises versus cloud-based storage. If organizations are to use the cloud, it must offer the option of portability and the ability to erase data. Also, the entire environment must be kept under a single entry.

If a cloud breach occurs, both the cloud service provider and the user organization are liable. Thus, under GDPR it is in the best interest of cloud service providers to ensure that their development, design and offerings adhere to the principles of data protection by design and data privacy by default.

Understanding Data Volumes

The data of EU citizens also remains subject to GDPR standards for any individuals or organizations who intend to process it. Data processing means anything from obtaining, recording, disclosing, holding, using or deleting personal information to mishandling it. Broadly, this can be understood as doing anything with personal information inside the company.

Moreover, organizations are also subject to GDPR if they hold data of individuals who reside in the European Union. Handling of data can take the form of trading with or offering services to any resident of the EU. Monitoring the behavior of an EU individual, say by implementing website cookies on one's site, can also make you liable under these data protection laws. Altogether, one needs the consent of EU citizens to collect or use any information about them. In comparison to the UK's Data Protection Act, the territorial reach of GDPR is considerably broader.

To learn more about GDPR, join this webinar, which explains the basics of GDPR and how it is going to impact organizations. The webinar covers the basic aspects of GDPR, to whom it applies, its territorial scope, and aspects of data protection.