When the European Union's General Data Protection Regulation (GDPR) came into effect in May, it made it more important than ever for businesses to know what data they collect and where it's stored. Satisfying several of the GDPR's mandates and avoiding significant fines requires having the ability to locate the information related to a specific individual. These rights include:
- The Right to be Forgotten
GDPR includes a right to be forgotten, formally called the "right of erasure." This means that any individual can request their personal data to be deleted at any time. Even if they've previously given permission for use of their data, they can withdraw that permission and the business must delete all related data.
- The Right to Review
Any person can request to review the data a business has collected about them. Businesses are required to respond to these "subject access requests" (SARs) within 40 calendar days.
- The Right to Rectification
If someone submits an SAR and identifies errors in their data, they can request the data to be corrected. Businesses are required to make the corrections within one month; if they've shared the data with third parties, they're required to notify the third parties of the corrections, as well.
Simply having data dictionaries and metadata that tells you what data is in your databases isn't enough to satisfy GDPR. The regulation applies to all forms of data, including unstructured data that isn't stored in a centralized repository. The regulation is also ongoing; in addition to knowing what data you have now, you also need a process to track and protect new data as it's collected in the future.
There are several steps companies can take to help them meet their responsibilities.
First, limit the amount of data you gather and store about EU subjects. With less personal data stored, your risks of failing to comply are greatly reduced.
Keep track of data shared with third parties. Your responsibility for that data does not end with the data transfer. Remember, you can only use personal data for purposes the individual agreed to, so you must be able to justify the sharing.
Understand how your organization is using cloud, and have a process to limit "shadow IT" use of unofficial cloud resources. Data that's widely distributed in the cloud is difficult to manage and search in order to satisfy user requests under GDPR.
Use eDiscovery tools to help you search your data. You need the ability to search through unstructured data, data stored on endpoint devices, and other "dark data" locations in addition to your centralized datastores. These eDiscovery tools will not only help with satisfying the rights listed above but also help you determine the scope of any breach and respond as required.
The eDiscovery Platform from Veritas has features to help organizations respond to SAR requests. Through integration with the Veritas Classification Engine, it can streamline the process of identifying user data relevant to a request and trigger actions to delete data when appropriate. Data Insight is another great tool to help you review and classify you unstructured data.
Contact dcVAST to learn more about the tools that can help you meet your GDPR responsibilities.