One of the challenges of running an international business is satisfying the many regulations that differ among countries. Many of the members of the European Union have their own data protection rules, making compliance a challenge. The new EU General Data Protection Regulation (GDPR), which takes effect in May 2018, means companies will need to meet only one data protection regulation in the EU instead of 28 different regulations.
But while there will be fewer different rules to satisfy, the compliance mandate is more important than ever. The GDPR applies to data about EU residents no matter where the data is stored. In addition, the consequences of non-compliance are severe, with fines of up to €20 million or 4 percent of global turnover, whichever is greater. That means companies need to get serious about implementing GDPR compliance rather than paying big fines.
The General Data Protection Regulation lays out rules about how companies handle and protect the personal data of EU residents. This includes any data that can identify an individual either directly or indirectly, wherever the data is stored.
There are 99 articles that fully specify the requirements regarding data collection, use, and sharing. In summary, the rules give individuals the right to control the use of their data; the fact that a company can collect data doesn’t give it the right to do so, and the fact that a person consented to data collection for one purpose doesn't give the company the right to use the data for other purposes. The rule requires companies to put in place processes for handling personal information and for handling any breaches of security around that information.
To satisfy GDPR, organizations need to:
- develop governance procedures and maintain documentation of compliance
- store personal data only as long as needed for the agreed-to usage
- protect personal data and report data breaches to the authorities within 72 hours
- allow individuals to delete or remove their data
Achieving GDPR Compliance
Companies will need to identify data stores holding personal information; implement security procedures, controls, and retention policies to ensure that data is protected and held only as long as required; and monitor access to data to ensure the GDPR is satisfied.
Identifying data stores that hold personal information isn't as simple as knowing which databases have customer names and account numbers. Besides those structured databases, customer information may exist in emails and other unstructured data stores. It's also important to identify not only where the data is stored, but also when and why it was collected.
In addition, in order to allow customer records to be deleted at their request, you need to be able to search both structured and unstructured data stores to find the information for a specific individual.
The requirement that customers can have their data deleted, together with the requirement to keep data only as long as it is needed, means companies also need the ability to manage backup copies of the structured and unstructured data stores.
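The three steps above (find every place a person's data lives, locate it for one individual across structured and unstructured stores, and act on deletion and retention requirements) can be illustrated with a small script. This is an added example, not code from the original page or from Veritas or dcVAST; it assumes a SQLite customer table as the structured store, a dictionary of e-mail-like text records as the unstructured store, and a per-purpose retention policy, all constructed here for the demo.

```python
"""Added example (not from the original page): locate one data subject's
personal data across a structured store (SQLite) and an unstructured store
(e-mail-like text records), erase or redact it, and report rows held past
their retention period. All data and policies below are constructed."""
import re
import sqlite3
from datetime import date

# Assumed retention policy: maximum days a record may be held, per purpose.
RETENTION_DAYS = {"newsletter": 365, "order fulfilment": 7 * 365}


def build_structured_store():
    """Constructed structured store: a customer table with collection metadata."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "collected_on TEXT, purpose TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email, collected_on, purpose) VALUES (?, ?, ?, ?)",
        [
            ("Alice Example", "alice@example.test", "2015-01-10", "newsletter"),
            ("Bob Sample", "bob@example.test", "2017-06-01", "order fulfilment"),
        ],
    )
    conn.commit()
    return conn


# Constructed unstructured store: message id -> raw text (mailbox-style).
UNSTRUCTURED = {
    "msg-001": "From: alice@example.test\nSubject: Please unsubscribe me",
    "msg-002": "From: bob@example.test\nSubject: Order 1234 shipped?",
    "msg-003": "Internal note: call Alice Example about the renewal",
}


def find_subject_records(conn, store, identifiers):
    """Return every location where any of the subject's identifiers appears.

    Structured rows are matched exactly on name or e-mail; unstructured text
    is searched case-insensitively for the literal identifier.
    """
    hits = {"structured": [], "unstructured": []}
    for ident in identifiers:
        rows = conn.execute(
            "SELECT id FROM customers WHERE name = ? OR email = ?", (ident, ident)
        ).fetchall()
        hits["structured"].extend(r[0] for r in rows)
        pattern = re.compile(re.escape(ident), re.IGNORECASE)
        hits["unstructured"].extend(k for k, text in store.items() if pattern.search(text))
    hits["structured"] = sorted(set(hits["structured"]))
    hits["unstructured"] = sorted(set(hits["unstructured"]))
    return hits


def erase_subject(conn, store, identifiers):
    """Delete matching rows and redact matching text; return an audit record
    listing exactly what was touched, so the action can be evidenced later."""
    hits = find_subject_records(conn, store, identifiers)
    for row_id in hits["structured"]:
        conn.execute("DELETE FROM customers WHERE id = ?", (row_id,))
    conn.commit()
    for key in hits["unstructured"]:
        text = store[key]
        for ident in identifiers:
            text = re.sub(re.escape(ident), "[REDACTED]", text, flags=re.IGNORECASE)
        store[key] = text
    return {"deleted_rows": hits["structured"], "redacted_messages": hits["unstructured"]}


def overdue_records(conn, today_iso):
    """Ids of rows held longer than the retention period for their stated purpose."""
    today = date.fromisoformat(today_iso)
    overdue = []
    for row_id, collected_on, purpose in conn.execute(
        "SELECT id, collected_on, purpose FROM customers"
    ):
        age_days = (today - date.fromisoformat(collected_on)).days
        if age_days > RETENTION_DAYS.get(purpose, 0):
            overdue.append(row_id)
    return overdue


if __name__ == "__main__":
    conn = build_structured_store()
    store = dict(UNSTRUCTURED)
    print("overdue before any request:", overdue_records(conn, "2018-05-25"))
    subject = ["Alice Example", "alice@example.test"]
    print("found:", find_subject_records(conn, store, subject))
    print("audit:", erase_subject(conn, store, subject))
    print("after erasure:", find_subject_records(conn, store, subject))
```

The audit record returned by erase_subject is the piece a compliance reviewer will ask for: it documents which rows and messages were affected without retaining the personal data itself. In a real deployment the same search would also have to be run against backup copies, which is the point made above about managing backups.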
Tools for GDPR Compliance
dcVAST offers full support for the suite of tools from Veritas, including Information Map, Enterprise Vault, Data Insight, and NetBackup, and can help companies get the insight into their data needed to meet the new GDPR regulations. Contact dcVAST to learn more about how GDPR will affect your data protection obligations and how you can use Veritas to be in compliance.