Drive GDPR sensitive data compliance

GDPR Overview

The General Data Protection Regulation

The General Data Protection Regulation (GDPR) is considered the world’s strongest set of data protection regulations. It unifies data privacy laws across EU member countries, and signals Europe’s firm stance on data privacy. GDPR was adopted by both the European Parliament and European Council in April 2016 and became enforceable as of May 2018.

The Regulation is far-reaching, covering every aspect of data usage, including collection, storage, retrieval, alteration, and destruction. It also creates personal liability for “controllers” and “processors” and establishes clear rights for consumers to take action if information is being abused.

Following Brexit, the rules no longer apply to data being collected on UK-based consumers. Personal data collected on residents of the UK are now subject to the 2018 Data Protection Act. However, in practice, the same core data protection principles, rights and obligations of GDPR still exist. 

Businesses impacted

The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that collect data from, advertise to, or serve residents of the EU, as well as businesses that process data in the EU. 

For the GDPR to be applicable, businesses do not need to have European customers or be actively targeting European customers. Intention to offer goods and services (such as worldwide shipping, even without explicitly mentioning the EU), necessitates compliance with the GDPR – even without any economic activity.

The GDPR’s jurisdiction does not apply to businesses where the data controller is:

Data types covered

The GPPR defines personal data as: 

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Although a full list is not provided, under the definition above, personal data is any information that relates to an individual who can be directly or indirectly identified. This includes: name, email address, financial data, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, political opinions – and any other personally identifiable data.

Compliance requirements

The in-depth guidelines for meeting GDPR compliance are organized around the following 7 principles: 

1. Lawfulness, fairness and transparency: Individuals whose data is collected and processed (“data subjects”) must be informed ahead of time. To this end, organizations must make a clear and concise privacy policy available and get express content from consumers.
2. Purpose limitation: Businesses must process data only for the legitimate purposes specified to the data subject when collected.
3. Data minimization: Only as much data as absolutely necessary for the purposes specified should be collected – and all of it must be protected to the best of the businesses ability.
4. Accuracy: Personal data on file must be accurate and up to date.
5. Storage limitation: Personally identifying data may only be stored for as long as necessary to fulfill the specified purpose.
6. Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
7. Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Among other rules, the GDPR stipulates that businesses must: 

• Assign a Data Protection Officer (DPO) who will oversee all compliance. The DPO must be reported to the responsible data protection supervisory authority. This individual will be responsible for managing data subject rights in a timely manner. 
• Regulate the responsibility between Controller of data and the Processor. For this business relationship, a Data Processing Agreement (“DPA”) is required. A DPA sets out rules for how the Processor may use personal data to fulfill the purpose of the commercial agreement.
• Steps must also be taken to minimize the risk of a data breach, which is defined as the loss, destruction or unauthorized access to personal data. In the event a data breach occurs, processes must be in place to manage the breach within a 72-hour time frame. This may include alerting both the supervisory authority and individuals impacted. 
• Analyze possible risks and impacts on citizens’ rights for the intended use of personal data. Businesses must make a risk assessment if they will use personal data in a new and innovative way, changing cloud suppliers or creating new services. This process is called a Data Protection Impact Assessment (“DPIA”) and is set out in Article 35 GDPR.

Under the GDPR, “data subjects” have the following privacy rights:

• The right to be informed and know what data is on file
• The right to access to that data
• The right to rectification, or to fix errors in their data
• The right to erasure or deletion
• The right to restrict processing
• The right to data portability
• The right to object to usage of their data
• Rights in relation to automated decision making and profiling

Enforcement and penalties

In Article 83 of the GDPR, the EU outlines the infractions and administrative fines that are a part of the GDPR. Each country has its own independent Data Collection Authorities who use the criteria to determine the fine associated with an infraction. 

The GDPR splits the infractions into two tiers, each with its own fine limitations: 

• Tier 1 violations carry a fine of up to 10 million euros ($10.5 million), or 2% of the company’s revenue from the prior year – whichever is greater. 
• Tier 2 violations are more serious and carry increased fines up to 20 million euros ($21 million), or 4% of revenue from the previous year, whichever is greater.

Six ways Qohash drives compliance

Breach identification

Monitor sensitive data risk around the clock and receive alerts the instant risky accumulation, deletion or exfiltration occurs. If an incident occurs, use keyword search to look up a specific data element and track the full data lineage, including the exact location where the data got out of an environment, where it ended up – every touch point in between.

Sensitive data inventory

Qohash provides a complete inventory of sensitive, unstructured data at-rest. Qohash discovers sensitive data 50x faster than alternatives, across any data source, in any location. Qohash provides labeling, classification, custom RegEx and keyword searches, plus ranked and contextualized risk.

Data deletion

Run keyword searches by name, date, credit card number and more to find all copies of sensitive data across business systems. See which categories of sensitive data are stored on business systems. See how specific data elements moved across employees and locations. Delete data directly within the platform to show compliance with data deletion requests in any location – including endpoints.

Risk assessment

A foundational step in conducting a risk assessment, Qohash provides an inventory of regulated data across every data source. It provides access control lists for evaluation as to whether those with access have a legitimate business need for it. Gain insight into all sensitive data critical exposure points. See how much sensitive data is on business systems and who has access to it. Put policies in place, configure risk levels appropriate to the business, and receive notifications the instant policy violations occur.

Policy enforcement

Qohash provides auditors with evidence that sensitive data is monitored and cross-referenced to employee interactions, enabling in-the-moment policy enforcement. Qohash looks into files to track data elements. It monitors those elements and cross-references them to employees and locations. Know the instant an employee has a risky interaction with sensitive data. Trace the lineage of any data element that moves onto workstations, for faster remediation.

Access control

Quickly create an access control list of all regulated data. Provide evidence of restrictions and show regular evaluation of whether those with access have a legitimate business need for it.