What Is the EU General Data Protection Regulation to Be Applied in May 2018?

How to be prepared?

The EU General Data Protection Regulation (GDPR), which replaces the previous Data Protection Directive, definitively enters into application on 25 May 2018, but it remains unknown to the majority of companies worldwide, even though it applies beyond the EU.

A regulation, unlike a directive, is applicable in all EU member states without the need for national implementing legislation.

A recent market report by Veritas/Vanson Bourne, surveying 2,500 senior technology decision makers in 2016 across Europe, the Middle East, Africa, the U.S. and Asia-Pacific, reveals that 54% of organizations have not advanced their GDPR compliance readiness because they are unaware of it, despite the risk of a maximum fine of up to €20 million ($22.3 million) or, for an enterprise, up to 4% of annual worldwide turnover for the preceding financial year, whichever is greater.

GDPR will not only affect firms within the EU, but extend globally to the U.S. and other countries, impacting any company that conducts business in the region or with an EU organization.

We write this article to explain these complicated rules, which are not easy to implement. They will also drive a lot of supplementary storage, which is good news for hardware and software vendors.

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the ‘Digital Single Market’ which the EU commission has prioritized. The reform will allow European citizens and businesses to benefit from the digital economy.

Intended to harmonize data security, retention and governance legislation across EU member states, GDPR requires greater oversight of where and how sensitive data – including personal, credit card, banking and health information – is stored and transferred, and how access to it is policed and audited by organizations.

Everyone has the right to the protection of personal data
Under EU law, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organizations which collect and manage your personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Every day within the EU, businesses, public authorities and individuals transfer vast amounts of personal data across borders. Conflicting data protection rules in different countries would disrupt international exchanges. Individuals might also be unwilling to transfer personal data abroad if they were uncertain about the level of protection in other countries.

Therefore, common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU. You have the right to complain and obtain redress if your data is misused anywhere within the EU.

The EU’s directive also foresees specific rules for the transfer of personal data outside the EU to ensure the best possible protection of your data when it is exported abroad.

In a white paper, Druva offers a 5-point plan to prepare your own systems to meet the new needs of these data protection regulations before 2018.

1. Audit your current approach to managing data, to establish your current position and processes around data protection
You should carry out an audit of all customer data sets that are held across the business. Setting up new processes or augmenting the existing approach will only be possible if all instances of PII are known about.

  • This audit will help companies understand current business processes that create or use customer data over time.
  • Include areas where customer data might not be adequately protected or managed at present, for example on individual employee IT assets. This audit will also help ensure that any changes to processes are put in place to meet future needs.
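The audit step above (find every data set that carries PII, including data sitting on individual employee assets) is the kind of task that is best started with a scan rather than a questionnaire. The following is an added example, not code from the article or from Druva: a small Python inventory scanner that runs simple detection rules (email, phone, Luhn-validated card number, IBAN) over records from several sources and reports which sources hold personal data and which of those sit outside central IT control. The data sources, the list of managed sources and all sample records are constructed for the example.

```python
"""Hypothetical PII inventory scan for a GDPR data audit (added example).

Walks a set of data sources (constructed in-memory records standing in for
exports from a CRM, a finance system, an employee laptop and a build server),
flags fields that look like personal data, and produces an inventory keyed
by source so that PII held outside the managed platforms becomes visible.
"""
import re

# Detection rules: category -> compiled pattern. Deliberately simple
# heuristics; a real audit adds locale-specific identifiers and a sampler
# for large tables. Phone requires an international prefix so that card
# numbers are not also counted as phone numbers.
PII_PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "phone": re.compile(r"^\+\d[\d\s-]{6,}\d$"),
    "card_number": re.compile(r"^(?:\d[ -]?){13,19}$"),
    "iban": re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$"),
}


def luhn_valid(number: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit strings."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value) -> set:
    """Return the set of PII categories a single field value matches."""
    if not isinstance(value, str):
        return set()
    v = value.strip()
    hits = set()
    for category, pattern in PII_PATTERNS.items():
        if pattern.match(v):
            if category == "card_number" and not luhn_valid(v):
                continue
            hits.add(category)
    return hits


def inventory(sources: dict) -> dict:
    """Build {source: {category: record_count}} over all records.

    A record counts once per category even if several of its fields match,
    so the numbers answer "how many records in this system carry X".
    Sources with no PII appear with an empty dict, so the audit shows they
    were scanned.
    """
    report = {}
    for source, records in sources.items():
        counts = {}
        for record in records:
            found = set()
            for value in record.values():
                found |= classify(value)
            for category in found:
                counts[category] = counts.get(category, 0) + 1
        report[source] = counts
    return report


def uncontrolled_sources(report: dict, managed: set) -> list:
    """List sources holding PII that are outside the centrally managed set."""
    return sorted(s for s, cats in report.items() if cats and s not in managed)


# Constructed sample data: no real people; the card number is a Luhn-valid
# test number, the second card-like string fails Luhn and must not be flagged.
SAMPLE_SOURCES = {
    "crm_export": [
        {"name": "A. Example", "email": "a.example@example.org", "phone": "+32 2 555 0100"},
        {"name": "B. Example", "email": "b@example.net", "notes": "prefers post"},
    ],
    "finance_db": [
        {"invoice": "INV-1", "card": "4111 1111 1111 1111", "iban": "DE89370400440532013000"},
        {"invoice": "INV-2", "card": "1234 5678 9012 3456"},
    ],
    "laptop_spreadsheet": [
        {"contact": "c@example.com", "comment": "call back"},
    ],
    "build_server": [
        {"job": "nightly", "status": "ok"},
    ],
}
# Hypothetical list of sources under central IT control.
MANAGED_SOURCES = {"crm_export", "finance_db"}

if __name__ == "__main__":
    report = inventory(SAMPLE_SOURCES)
    for source, cats in report.items():
        print(source, cats)
    print("PII outside central control:", uncontrolled_sources(report, MANAGED_SOURCES))
```

The `uncontrolled_sources` result is the list the article's second bullet asks for: places where customer data exists but is not managed centrally. Pattern matching of this kind over-reports by design; the audit owner reviews the hits, but a scan that misses a source is worse than one that flags a few extra fields.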

2. Prepare the lead contact within the business when it comes to data protection compliance
Just as the EU will have a lead Data Protection Authority in place to manage GDPR, so businesses will need to appoint a lead for data protection and security internally as well. This role will be within IT, but will involve collaboration with both other groups within IT as well as other business teams/units.

This person should have the backing of the senior management team, and will be the one who provides evidence that the rules are being followed.

  • This person can lead an effort to review backup, disaster recovery and archiving processes. Rather than running multiple tools for different tasks across the company’s data, consider a converged solution that enables a single view over the data, minimizing replication.
  • In future, you will have to track data creation and automatically apply appropriate rules for personally identifiable information and customer data sets.

3. Publish initial guidance to the business
Companies will have to make sure their internal teams are aware of their responsibilities in the same way. Revisit your existing business continuity policies and update them so they comply with GDPR. This policy document should also be shared with the rest of the business. This awareness can help acceptance of any new processes as well as supporting any investment in new technologies.

  • The Data Protection Board will share information for businesses on meeting the requirements of the GDPR’s ‘right to be forgotten’ rule. This will include where it is appropriate to delete data when customers ask for it, and where data can be legitimately kept after customers migrate away or no longer use a service.
  • Align your own data archiving processes to make this task easier. Companies in regulated industries may have to hold customer data for years, even when the customer may no longer be purchasing goods or services. In the event of a data deletion request, there may be overlap between data for archival and that used for customer records.
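The overlap described in the last bullet (a deletion request arriving while some of the subject's records are still under a retention obligation) is easier to reason about when the policy is written down as code. The following is an added example, not from the article or Druva: a Python handler that applies an erasure request against a record store, deletes records with no retention obligation, keeps records still under an obligation but marks them restricted so they drop out of ordinary processing, writes every decision to an audit trail, and later purges the retained records once their retention period lapses. The retention policy, its durations and the sample records are all constructed placeholders, not legal guidance.

```python
"""Hypothetical erasure-request handler with retention overlap (added example).

Models the article's archival-versus-deletion overlap: a data subject asks
to be forgotten, some records must be kept under a retention obligation,
the rest are deleted, and everything is logged for the audit.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention policy: category -> (days to retain, reason).
# Durations are illustrative placeholders chosen for the example.
RETENTION_POLICY = {
    "invoice": (365 * 7, "financial record retention"),
    "contract": (365 * 5, "contractual dispute window"),
    "marketing_profile": (0, "no obligation"),
    "support_ticket": (0, "no obligation"),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    created: date
    restricted: bool = False  # kept only for the obligation, not for normal use


@dataclass
class Decision:
    deleted: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)  # record_id -> reason
    audit: list = field(default_factory=list)


def retention_expiry(rec: Record) -> date:
    """Date after which the record's retention obligation no longer applies."""
    days, _ = RETENTION_POLICY.get(rec.category, (0, "no obligation"))
    return rec.created + timedelta(days=days)


def process_erasure_request(store: list, subject_id: str, today: date) -> Decision:
    """Apply an erasure request in place on `store` and return the decision."""
    decision = Decision()
    keep = []
    for rec in store:
        if rec.subject_id != subject_id:
            keep.append(rec)
            continue
        days, reason = RETENTION_POLICY.get(rec.category, (0, "no obligation"))
        if days and retention_expiry(rec) > today:
            # Obligation still running: keep, but restrict further processing.
            rec.restricted = True
            keep.append(rec)
            decision.retained[rec.record_id] = reason
            decision.audit.append(
                f"{today} {subject_id} RETAIN {rec.record_id} ({reason}, until {retention_expiry(rec)})")
        else:
            decision.deleted.append(rec.record_id)
            decision.audit.append(f"{today} {subject_id} DELETE {rec.record_id} ({rec.category})")
    store[:] = keep
    return decision


def purge_expired(store: list, today: date) -> list:
    """Delete restricted records whose retention period has now lapsed."""
    purged = [r.record_id for r in store if r.restricted and retention_expiry(r) <= today]
    store[:] = [r for r in store if r.record_id not in purged]
    return purged


def build_sample_store() -> list:
    """Constructed records for one subject (cust-42) and one other customer."""
    return [
        Record("inv-1", "cust-42", "invoice", date(2015, 3, 1)),       # still retained
        Record("inv-0", "cust-42", "invoice", date(2009, 1, 10)),      # retention lapsed
        Record("mk-1", "cust-42", "marketing_profile", date(2017, 5, 5)),
        Record("ct-1", "cust-42", "contract", date(2016, 9, 1)),       # still retained
        Record("tk-1", "cust-42", "support_ticket", date(2018, 1, 2)),
        Record("inv-9", "cust-77", "invoice", date(2017, 1, 1)),       # different subject
    ]


if __name__ == "__main__":
    store = build_sample_store()
    decision = process_erasure_request(store, "cust-42", date(2018, 6, 1))
    print("\n".join(decision.audit))
    print("purged later:", purge_expired(store, date(2023, 1, 1)))
```

Two points the code makes explicit: the response to the customer can list exactly which records were kept and why, which is the evidence the data protection lead needs to hold; and the `restricted` flag separates "kept because we must" from "kept because we use it", so an archived invoice is not quietly reused for marketing.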

4. Consolidate to make protection easier
For many companies, data will exist across their operations and within various IT assets. Today, around 40% of company data never reaches the central IT platforms. To meet the needs of GDPR, it’s worth looking at how to manage all the data that involves customer information and where this can be reduced.

  • Protect data on mobile devices and in remote offices in the same way as information that is held centrally.
  • Encryption of data held on mobile devices is essential to protect customer data, and prevents a lost or stolen device from becoming a compliance problem. If a device is lost or stolen, the information on it should also be wiped by a command issued remotely.
  • Alongside encryption of data on the devices themselves, companies also have to encrypt data centrally. For companies looking at storing data in the cloud, control over that central data should be considered as well. Look for encryption that ensures only the company can unlock the files involved.
  • Applying policy management across files matters too – this centralization of management can help ensure that all steps for compliance are followed automatically.

5. Plan for regular communication
To meet the needs of GDPR, communication between the IT team responsible for data protection and security, and other business functions such as compliance, legal and audit will be required.

Alongside this, you should think about communicating regularly with employees across the business to remind them of their roles and responsibilities for customer data.

  • Define a communications strategy around data and how it should be protected. This should be given to employees as they start, as well as provided to refresh people on their responsibilities too.
  • Alongside this, put together a communications strategy in the event of any data breach or data loss. As well as informing the local Data Protection Authority of the breach, the company will have to tell its customers and the wider public as well.