Achieve GDPR Compliance to Comply With EU’s New Data Privacy Law
GDPR Compliance is going to be an ongoing challenge for IT organizations around the world. What is the GDPR, and why is GDPR compliance so important?
We live in a world of extreme data generation and accumulation, fueled by our interaction with an increasing number of applications, systems and devices. The Internet of Things (IoT) is set to drive this data generation and accumulation exponentially further.
Security and compliance challenges arise whenever sensitive data is collected, analyzed, and shared, especially when shared data crosses organizational boundaries. In industries such as financial services and healthcare, industry-specific regulations such as Gramm-Leach-Bliley and HIPAA mandate that customer data be kept private and safe from tampering and unauthorized access, whether the data remains inside an organization or is shared externally.
But not all data privacy regulations are limited to specific industries. Some laws and regulations require all customer data to be protected, regardless of industry.
GDPR Compliance Explained
The most sweeping and consequential of these non-industry-specific data privacy regulations is the European Union’s new General Data Protection Regulation (GDPR). The GDPR was passed by the EU Parliament’s Civil Liberties Committee on April 14, 2016 and will take effect on May 25, 2018, becoming the law of the land in all 29 EU Member States.
Building on the EU Data Protection Directive (95/46/EC), the GDPR is a bold attempt to create a robust legal framework for protecting data privacy in the age of social media, geographically distributed cloud-computing services, and broad government surveillance. It affirms every EU citizen’s right to privacy and establishes strict requirements for organizations collecting or processing the personally identifiable information (PII) of EU citizens.
Protecting Personally Identifiable Information for GDPR Compliance
The concept of PII is central to both the Data Protection Directive and the GDPR. Here’s how the GDPR defines this important term:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Examples of PII include:
- A CRM database record with a customer’s name, address, and phone number.
- The IP address or MAC address of a citizen’s smartphone, tablet, or laptop.
- A passport number.
- A photo that can be used for facial recognition.
- A citizen’s post on a social media platform such as Facebook about politics, religion, or health status.
- Genetic or biometric data that can uniquely identify an individual, including fingerprints, signatures, voice recordings, and even patterns of keystrokes.
- A description that indirectly identifies an individual, such as “the company’s sales representative for the Paris region.”
By standardizing data protection across all member states, the GDPR affirms an EU citizen’s right to know what PII is being collected by other parties. It grants citizens the right to know why PII is being collected, how the PII is being used, and the purpose of its use. In most cases, the regulation also affirms citizens’ right to have their PII corrected or deleted.
To achieve GDPR compliance, enterprises collecting or processing the PII of EU citizens will need to be able to show that they adhere to GDPR guidelines for handling PII. Note that GDPR compliance is required regardless of whether the enterprise collecting or processing the PII is located in the EU. GDPR compliance is mandated solely based on the nationality of the citizens whose PII is being managed.
Boards of directors, IT organizations, security teams, and compliance teams in global enterprises should be preparing now to achieve GDPR compliance. Failure to achieve GDPR compliance could result in steep financial penalties, as high as 4% of an organization’s annual revenue, and lasting damage to brand reputation.
Achieve GDPR Compliance with Secure File Sharing and Data Governance
To achieve GDPR compliance, enterprises need a comprehensive solution for customer data privacy, data security, and sharing PII. A failure to comply not only invites significant fines but also customer churn and brand erosion. Thankfully, the Kiteworks secure file sharing platform helps enable organizations to achieve GDPR compliance.
The Kiteworks platform provides an enterprise-wide layer of data security and control, integrating with, and enforcing security policies for, all on-premises and cloud-based content systems in the enterprise, such as Microsoft SharePoint and OpenText, as well as cloud-based services such as Box, Dropbox, and Google Drive.
Security features include encryption of data at rest and in transit, role-based access controls, secure containers that protect private data such as PII on mobile devices from unauthorized access and malware infection, and special controls, such as view-only content, that keep confidential content confidential. In addition, all content sharing in the Kiteworks platform is logged and monitored. CISOs and IT administrators can review user activity to verify that PII is accessed only by authorized users, which supports compliance with regulations like the GDPR.
Because the Kiteworks platform is designed for enterprise-grade scalability and flexibility, it can accommodate any infrastructure strategy: on-premises, IaaS cloud, private hosting by Kiteworks, or any hybrid scenario. Nodes can be distributed across the globe to reach remote offices, ensure performance, and honor data sovereignty regulations. IT organizations can manage and enforce policies to protect data and ensure regulatory compliance, while trusted business users can manage select content and content-sharing to promote productivity and ensure the right level of trust.
To learn more about the Kiteworks platform and how Kiteworks can help your organization comply with the GDPR and other data privacy regulations, schedule a custom demo of Kiteworks today.