Next year brings a major new compliance regime into effect in the European Union. The General Data Protection Regulation (GDPR) will be effective starting May 2018. The regulation places strict rules around the collection, usage, and protection of personal data, with large fines for companies that fail to adhere to the rules. The rules apply to all data about EU residents, wherever the data may be stored.
Getting ready for GDPR means putting in place policies and procedures that establish governance over the data, ensure it is only kept as long as needed, protect data against breaches and inform authorities when breaches occur, and allow individuals to request their data be deleted.
These five steps can help companies make the changes needed to comply with GDPR rules:
- Identify personal data stored by your organization.
Complying with GDPR requires knowing where you are storing personal data, along with who has access to it, why it was collected, how it's being used, and how long it is retained. This includes any personal data in unstructured formats, including emails, Word documents, forum contents, or any other format. Simply locating data stores can be challenging; once located, the data then needs metadata and classification to determine ownership and management policies.
- Make personal data searchable.
GDPR allows EU residents to submit a Subject Access Request (SAR) to any organization holding their data; in response, you must provide them with all data held about them. You must also correct or delete their data upon request.
Satisfying an SAR requires more than simply knowing where personal data is held; it requires the ability to search across all stores of personal data and to find, retrieve, and format the records related to a specific individual. It's important to note that you need to maintain an audit trail of all of these actions in order to comply with GDPR.
- Eliminate unneeded data.
The GDPR rules require you to keep data only as long as needed to fulfill the original purpose the data was collected for, and reducing the amount of data you store also reduces the risk and scale of any data breach. To effectively reduce your data, you need to understand why it was collected and any legal requirements for retention. You also need to be able to track copies of the data and ensure that they, too, are managed and deleted when no longer required.
You also need to be able to delete user information upon their request to satisfy the GDPR's "right to be forgotten."
- Keep data safe.
All data needs to be protected against unauthorized use by external and internal users alike. Data protection is mandatory, with encryption recommended. If a breach that causes risk to individuals occurs, it must be reported to regulators within 72 hours.
- Monitor usage of your data.
Data access must be monitored, both to enable detection and reporting of breaches and to maintain an audit trail to demonstrate compliance with GDPR requirements.
Software to Support the 5 Steps to GDPR Compliance
Effectively executing these five steps is challenging, and most companies will need to find new software tools to get the level of control over personal data GDPR requires. The suite of products from Veritas, including Enterprise Vault, Information Map, Data Insight, and other applications, can help companies effectively gain insight into the personal data they collect and apply the controls needed for GDPR compliance. To learn more about how Veritas products can help you satisfy the GDPR mandate, contact dcVAST.