GDPR Compliance For Your Organization

On May 25, 2018, the European Union will begin enforcement of what is known as the EU General Data Protection Regulation (GDPR).

For any company that does business with one of the 28 EU member countries, the GDPR compliance date is approaching like a freight train.

The fines for non-compliance are punitive and can put your organization and overall system in legal jeopardy.

Many clients we’ve spoken to are not aware of how these rules will affect their business.

The goal of this post is to explain GDPR, its compliance requirements, and, most importantly, how you can avoid being fined.

What is GDPR?

GDPR is a set of rules designed by the European Union to manage and control access to personal data. The regulation itself is extensive and can be referenced at the EUGDPR website: https://www.eugdpr.org/

The core of the regulation deals with how organizations control and manage the personal data of EU citizens.

Under the rules, you do not have to be located in the EU or have a presence there: if you employ, do business with, or have online interactions with any EU citizen, you will need to adhere to them.

Let’s assume that you run an e-commerce site selling goods on the internet. If you receive an order from any of the 28 EU countries even once during a calendar year, then you are required by law to be GDPR compliant for the entire year or face fines.

As another example, you might be a services firm that provides data or services to clients in the EU.

If you store any data for any EU citizens, then you are bound by GDPR rules and will have to comply before the summer of 2018.

Given the borderless nature of the internet, any service or product provider could be affected by this rule.

Where is your data?

An important part of this rule is that you need to know where your company’s data is stored and processed.

If, for instance, you are using one of the popular cloud storage solutions, do you know where your data is stored?

Is it replicated to other countries for redundancy?

If so, you need to audit and validate those locations before the deadline.

Destroy and Erase Data

Many cloud and SaaS application providers still have no process to permanently delete data from their systems and backup storage once a relationship with a client has ended.

This is something we always take care of when developing custom apps for clients.

One of the main tenets of GDPR is that you are required to delete data once your relationship with the client has ended or you no longer need access to that data.

This means the data has to be removed from your system, storage accounts, and even archives and backups.

You also need a process in place so that such data no longer enters your production system.

Because of their data model and foreign key constraints, most modern applications do not fully delete data from storage even after it has been deleted from the user interface.

Most of these systems perform a “soft delete”: the record disappears from the application but continues to reside in the database.

This is no longer acceptable under GDPR, and as a company you need to put a plan in place to purge this information on a regular basis.

Additionally, users can extract data from the system in the form of reports or CSV files and store them either locally or on cloud services.

You will need a system to audit, locate, and destroy this data once users are deleted from the system.

This should always be further validated with testing and QA.

Organizational Responsibilities

As an organization, here are a few things you need to review.

Who Has Access to the Personal Data

Auditing and tracking all users who have access to personal data is the first step in the process.

Most organizations have a number of internal and cloud systems.

While most organizations have a central directory such as Active Directory or LDAP, they are also likely subscribed to a variety of cloud services that may contain client data but are not tied to that central directory.

Auditing and documenting all access to the data is a critical yet time-consuming step in the process.

This means documenting not only all data sources that contain user data but also the level of access each user has to that data.

Are They Authorized to Have Access

As part of your audit, you will need to document who has access to personal user information.

If you use a directory such as Active Directory or LDAP, your organization is most likely managing authorization through roles or groups.

Additionally, it is important to document user access to any external services that might contain personal user data.

Disclosures

Most firms will have to appoint a controller to oversee all personal data issues.

In the event of a breach, firms have 72 hours to report it to a supervisory authority.

The notifications must, at a minimum, contain:

  1. A description and nature of the breach
  2. Contact information of the officers in charge
  3. A detailed description of the likely consequence of the data breach
  4. A description of how a controller proposes to address and fix the data breach, including any mitigation steps

Tracking and Database Auditing

A number of modern applications, including many HIPAA-compliant applications, have detailed auditing built into the system.

Auditing is about tracking the use of records in the database.

In an audited database each record “action” is logged.

This can be as detailed as which records were accessed, modified, or deleted.

With auditing in place, you can track who viewed, updated, and deleted each piece of information in the system.

During an audit, a number of questions have to be answered.

Who has access to the system?

What was accessed and changed?

How did certain users gain access to the system?

Without detailed logging it is not possible to answer those questions.

In practice, this means you are unlikely to be able to answer them without upgrading your system to include detailed logging capability.
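As an added example (not code from the post or from Daxima), here is the soft-delete problem described under “Destroy and Erase Data” together with the record-level audit trail described above, in a constructed SQLite schema: the UI-level delete only sets a flag, a scheduled purge physically removes the row and its foreign-key dependents, and triggers log every update and delete so the questions above can be answered. The table and column names are assumptions.

```python
import sqlite3

# Constructed schema (not from the post): the UI "deletes" a user by flag only.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    deleted_at TEXT                -- NULL = live, otherwise soft-deleted
);
CREATE TABLE orders (
    id INTEGER PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    total_cents INTEGER NOT NULL
);
CREATE TABLE audit_log (           -- one row per record "action" on users
    id INTEGER PRIMARY KEY,
    action TEXT NOT NULL,
    user_id INTEGER NOT NULL,
    at TEXT NOT NULL DEFAULT (datetime('now'))
);
CREATE TRIGGER users_upd AFTER UPDATE ON users BEGIN
    INSERT INTO audit_log(action, user_id) VALUES ('UPDATE', NEW.id); END;
CREATE TRIGGER users_del AFTER DELETE ON users BEGIN
    INSERT INTO audit_log(action, user_id) VALUES ('DELETE', OLD.id); END;
"""

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    con.executescript(SCHEMA)
    con.execute("INSERT INTO users(id, email) VALUES (1, 'alice@example.com')")
    con.execute("INSERT INTO orders(user_id, total_cents) VALUES (1, 1999)")
    return con

def soft_delete_user(con, user_id):
    """What most apps do: the row vanishes from the UI but the data stays."""
    con.execute("UPDATE users SET deleted_at = datetime('now') WHERE id = ?", (user_id,))

def purge_soft_deleted(con):
    """Scheduled purge: physically delete flagged users; ON DELETE CASCADE
    removes the dependent rows that FK constraints would otherwise protect."""
    return con.execute("DELETE FROM users WHERE deleted_at IS NOT NULL").rowcount

def row_counts(con):
    """Rows still physically present, whatever the UI shows."""
    return {t: con.execute(f"SELECT COUNT(*) FROM {t}").fetchone()[0]
            for t in ("users", "orders")}

def audit_actions(con):
    return [r[0] for r in con.execute("SELECT action FROM audit_log ORDER BY id")]
```

On a real system the same purge also has to reach backups and exported reports, which no database trigger covers.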

Relationships with Third-Party Vendors

If you have established relationships with third-party vendors, then all of those vendors have to follow the same rules and be bound by the same set of guidelines.

This will likely require frequent audits by your organization of those vendors and how they treat your client data.

At Daxima, we’ve been consulting with companies on how to become GDPR compliant.

If you need help with system audits or the auditing process, feel free to reach out to us.

Conclusion

Ensuring GDPR compliance is crucial for businesses dealing with EU citizens’ data, as non-compliance carries significant legal risks.

Organizations must be aware of where their data is stored, how it’s handled, and who has access to it.

Effective data management practices, including regular audits and data deletion protocols, are essential under GDPR.

Internal and third-party relationships need scrutiny to ensure compliance across all systems.

For businesses needing assistance, Daxima offers comprehensive guidance on GDPR compliance and system auditing.
