Drive GDPR sensitive data compliance

Find GDPR-regulated data on any data source, in any location, and monitor it 24/7. Meet
data subject right to be forgotten requests and data minimization guidelines.

GDPR Overview

The General Data Protection Regulation (GDPR) is considered the world’s strongest set of data protection regulations. It unifies data privacy laws across EU member countries, and signals Europe’s firm stance on data privacy. GDPR was adopted by both the European Parliament and European Council in April 2016 and became enforceable as of May 2018.
The Regulation is far-reaching, covering every aspect of data usage, including collection, storage, retrieval, alteration, and destruction. It also creates personal liability for “controllers” and “processors” and establishes clear rights for consumers to take action if information is being abused.
Following Brexit, the rules no longer apply to data being collected on UK-based consumers. Personal data collected on residents of the UK are now subject to the 2018 Data Protection Act. However, in practice, the same core data protection principles, rights and obligations of GDPR still exist.

The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that collect data from, advertise to, or serve residents of the EU, as well as businesses that process data in the EU.

For the GDPR to be applicable, businesses do not need to have European customers or be actively targeting European customers. Intention to offer goods and services (such as worldwide shipping, even without explicitly mentioning the EU), necessitates compliance with the GDPR – even without any economic activity.

The GDPR’s jurisdiction does not apply to businesses where the data controller is:

  • Part of a government agency or law enforcement organization collecting data for crime prevention, investigation, or prosecution
  • Processing data related to defence, security, and/or public security
  • Processing data related to national interest (social, health, budget, national security, etc.)

The GPPR defines personal data as:

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Although a full list is not provided, under the definition above, personal data is any information that relates to an individual who can be directly or indirectly identified. This includes: name, email
address, financial data, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, political opinions – and any other personally identifiable data.

The in-depth guidelines for meeting GDPR compliance are organized around the following 7 principles:

  1. Lawfulness, fairness and transparency: Individuals whose data is collected and processed (“data subjects”) must be informed ahead of time. To this end, organizations must make a clear and concise privacy policy available and get express content from consumers.
  2. Purpose limitation: Businesses must process data only for the legitimate purposes specified to the data subject when collected.
  3. Data minimization: Only as much data as absolutely necessary for the purposes specified should be collected – and all of it must be protected to the best of the businesses ability.
  4. Accuracy: Personal data on file must be accurate and up to date.
  5. Storage limitation: Personally identifying data may only be stored for as long as necessary to fulfill the specified purpose.
  6. Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
  7. Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Among other rules, the GDPR stipulates that businesses must:

  • Assign a Data Protection Officer (DPO) who will oversee all compliance. The DPO must be reported to the responsible data protection supervisory authority. This individual will be
    responsible for managing data subject rights in a timely manner.
  • Regulate the responsibility between Controller of data and the Processor. For this business relationship, a Data Processing Agreement (“DPA”) is required. A DPA sets out rules for how
    the Processor may use personal data to fulfill the purpose of the commercial agreement.
  • Steps must also be taken to minimize the risk of a data breach, which is defined as the loss, destruction or unauthorized access to personal data. In the event a data breach occurs, processes must be in place to manage the breach within a 72-hour time frame. This may include alerting both the supervisory authority and individuals impacted.
  • Analyze possible risks and impacts on citizens’ rights for the intended use of personal data. Businesses must make a risk assessment if they will use personal data in a new and
    innovative way, changing cloud suppliers or creating new services. This process is called a Data Protection Impact Assessment (“DPIA”) and is set out in Article 35 GDPR.

Under the GDPR, “data subjects” have the following privacy rights:

  • The right to be informed and know what data is on file
  • The right to access to that data
  • The right to rectification, or to fix errors in their data
  • The right to erasure or deletion
  • The right to restrict processing
  • The right to data portability
  • The right to object to usage of their data
  • Rights in relation to automated decision making and profiling

In Article 83 of the GDPR, the EU outlines the infractions and administrative fines that are a part of the GDPR. Each country has its own independent Data Collection Authorities who use the criteria to determine the fine associated with an infraction.

The GDPR splits the infractions into two tiers, each with its own fine limitations:

  • Tier 1 violations carry a fine of up to 10 million euros ($10.5 million), or 2% of the company’s revenue from the prior year – whichever is greater.
  • Tier 2 violations are more serious and carry increased fines up to 20 million euros ($21 million), or 4% of revenue from the previous year, whichever is greater.

Qohash solutions for GDPR compliance

Provide evidence to auditors of clear steps taken to secure the confidentiality of customer information and protect it against threats and unauthorized access.

Review the full guidance from the EU here.

Meet Article 30

Qohash solution

In Qohash, sensitive, unstructured data is discovered, classified, and labeled, providing a complete inventory up to 50x faster than alternatives. Data is assigned a risk level and sorted so that remediation of data can occur immediately, ensuring that data protection
clauses are met.

Access control lists can also be generated for review. This provides insight into access control issues and other critical gaps so that steps can be taken to correct them. Additionally, Qohash provides insight into where data is moved and to whom once it leaves servers.


The GDPR’s Article 30 requires businesses to present all details of personal information collection, including where it’s stored. Meeting article 30 requires a clear map of all sensitive data and insight into data lineage.

Conduct DPI assessments

Qohash solution

Qohash provides a full inventory of GDPR-regulated sensitive data across every data source, a foundational step in conducting a DPIA and minimizing the risk of a data breach.

Easily access a control list for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.


Article 35 of the GDPR covers Data Protection Impact Assessments. DPIAs help minimizes liability and ensure best practices for data security and privacy are being followed. They also help avoid data breaches, which can trigger certain regulatory requirements.

Fulfill deletion requests

Qohash solution

Run keyword searches by name, date, credit card number, and more to find all copies of personal data across business systems. See which categories of sensitive data are stored on business systems.

Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.


Article 17 of the GDPR states that individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

Meet the minimization principle

Qohash solution

Enforcing a data deletion policy requires that businesses know what data is collected, where it’s stored on business systems, and when that data should no longer be on file.

Qohash maps petabytes of data. Once data is cataloged, create custom retention policies by tagging information to keep, setting up workflows that govern how long data is stored, and setting up notifications for when data should be deleted.


Article 5(1)(c) of the GDPR stipulates that businesses should only collect essential information and only keep it as long as it’s actually needed.

Schedule a demo

See how you can maintain an inventory of GDPR-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be- orgotten requests at endpoints, and policy enforcement.

Contact us​

Logo Qohash
By initiative
Regulatory compliance:
Find, classify and inventory all sensitive data, across every data source
Data breach prevention:
Monitor sensitive data 24/7, track data lineage, and enforce policies at endpoints
Microsoft 365
One easy-to-use platform to secure sensitive data on Windows workstations and M365
By regulation
Law 25
Why Qohash
Defy legacy limitations
What our customers say about us