Schedule a demo
See how you can maintain an inventory of GDPR-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be- orgotten requests at endpoints, and policy enforcement.
Find GDPR-regulated data on any data source, in any location, and monitor it 24/7. Meet
data subject right to be forgotten requests and data minimization guidelines.
The General Data Protection Regulation (GDPR) is considered the world’s strongest set of data protection regulations. It unifies data privacy laws across EU member countries, and signals Europe’s firm stance on data privacy. GDPR was adopted by both the European Parliament and European Council in April 2016 and became enforceable as of May 2018.
The Regulation is far-reaching, covering every aspect of data usage, including collection, storage, retrieval, alteration, and destruction. It also creates personal liability for “controllers” and “processors” and establishes clear rights for consumers to take action if information is being abused.
Following Brexit, the rules no longer apply to data being collected on UK-based consumers. Personal data collected on residents of the UK are now subject to the 2018 Data Protection Act. However, in practice, the same core data protection principles, rights and obligations of GDPR still exist.
The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that collect data from, advertise to, or serve residents of the EU, as well as businesses that process data in the EU.
For the GDPR to be applicable, businesses do not need to have European customers or be actively targeting European customers. Intention to offer goods and services (such as worldwide shipping, even without explicitly mentioning the EU), necessitates compliance with the GDPR – even without any economic activity.
The GDPR’s jurisdiction does not apply to businesses where the data controller is:
The GPPR defines personal data as:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Although a full list is not provided, under the definition above, personal data is any information that relates to an individual who can be directly or indirectly identified. This includes: name, email
address, financial data, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, political opinions – and any other personally identifiable data.
The in-depth guidelines for meeting GDPR compliance are organized around the following 7 principles:
Among other rules, the GDPR stipulates that businesses must:
Under the GDPR, “data subjects” have the following privacy rights:
In Article 83 of the GDPR, the EU outlines the infractions and administrative fines that are a part of the GDPR. Each country has its own independent Data Collection Authorities who use the criteria to determine the fine associated with an infraction.
The GDPR splits the infractions into two tiers, each with its own fine limitations:
Provide evidence to auditors of clear steps taken to secure the confidentiality of customer information and protect it against threats and unauthorized access.
Review the full guidance from the EU here.
In Qohash, sensitive, unstructured data is discovered, classified, and labeled, providing a complete inventory up to 50x faster than alternatives. Data is assigned a risk level and sorted so that remediation of data can occur immediately, ensuring that data protection
clauses are met.
Access control lists can also be generated for review. This provides insight into access control issues and other critical gaps so that steps can be taken to correct them. Additionally, Qohash provides insight into where data is moved and to whom once it leaves servers.
The GDPR’s Article 30 requires businesses to present all details of personal information collection, including where it’s stored. Meeting article 30 requires a clear map of all sensitive data and insight into data lineage.
Qohash provides a full inventory of GDPR-regulated sensitive data across every data source, a foundational step in conducting a DPIA and minimizing the risk of a data breach.
Easily access a control list for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.
Article 35 of the GDPR covers Data Protection Impact Assessments. DPIAs help minimizes liability and ensure best practices for data security and privacy are being followed. They also help avoid data breaches, which can trigger certain regulatory requirements.
Run keyword searches by name, date, credit card number, and more to find all copies of personal data across business systems. See which categories of sensitive data are stored on business systems.
Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.
Article 17 of the GDPR states that individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
Enforcing a data deletion policy requires that businesses know what data is collected, where it’s stored on business systems, and when that data should no longer be on file.
Qohash maps petabytes of data. Once data is cataloged, create custom retention policies by tagging information to keep, setting up workflows that govern how long data is stored, and setting up notifications for when data should be deleted.
Article 5(1)(c) of the GDPR stipulates that businesses should only collect essential information and only keep it as long as it’s actually needed.