Compliance is everybody’s business
SMBs must be just as concerned with compliance as enterprises.
The General Data Protection Regulation (GDPR) brought with it the need to change certain IT processes in those businesses that must comply. Here is a checklist of the areas you need to address to ensure better GDPR compliance:
Data identification and classification tools
Data encryption solutions
Identity and access management
Network security and preventing data breach
Security monitoring and incident response
Audit trails and reporting
GDPR is a comprehensive piece of legislation which covers various aspects of data protection. Using a combination of technologies and solutions will help your company better comply with GDPR and avoid unnecessary fines.
Kerio Control provides a secure network perimeter with comprehensive protection, securing data in multiple ways: secure connections for data transfer (VPN), intrusion protection, application filtering and control, gateway antivirus, and more. Kerio Control also provides detailed and custom reporting for compliance and alerts on suspicious behavior on the network.
With GFI LanGuard you can protect data within the network by identifying vulnerabilities and ensuring all assets within the network have all security patches in place. GFI LanGuard also provides centralized analysis and auditing with detailed reporting to evaluate the level of protection on the network.
GFI Archiver retains complete records stored in their original form in a secure, tamper-proof store for a predetermined period of time. Companies can create archiving rules and retention policies, determine access policies and use the advanced search features to quickly and easily find and retrieve data. GFI Archiver also includes audit-trail functionality that monitors database and user activity.
GFI EventsManager aggregates log data across the network for complete visibility of the infrastructure and compliance reporting. Additionally, GFI EventsManager can identify security and data breaches.
The GDPR supersedes the Data Protection Directive (Directive 95/46/EC), which had been the basis of European privacy laws since 1995. Like most governmental regulations, the GDPR is a complex document and, in some respects, is open to interpretation. The intent of the legislation is to protect the privacy of EU citizens and standardize the laws across all EU countries.
The good news is that organizations have many tools at their disposal to help them carry out and document the steps that must be taken to meet the GDPR requirements: identifying the personal data that must be protected, securing it properly, managing it effectively, and tracking its flow and where, when and by whom it is accessed. It is important to note that this regulation applies to all businesses, whether they are small to medium-sized businesses or enterprises.
Many organizations will be forced to change the way they collect, store, process and protect customers’ information. Companies that fall under the GDPR must assess their options and develop a compliance strategy. For example, you must decide whether to implement the same data protection measures for all personal data, or to have separate data protection processes for EU citizens.
Some organizations will be required to appoint Data Protection Officers (DPOs). This applies to both controllers and processors when their core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale. It also applies to those who collect or process special categories of data or data relating to criminal convictions and offences. The DPO must be a qualified expert in data protection law and practices. The tasks of the DPO are laid out in Article 39.
The consequences of non-compliance with the GDPR can be severe; penalties vary depending on the nature of the infringement, but the maximum fine is the greater of 4% of annual global turnover or €20 million. To avoid this, companies worldwide are spending millions of dollars to meet the GDPR privacy regulations.
Identifying and classifying personal data
Implementing a governance plan for personal data
Establishing procedures for personal data management
Obtain consent prior to processing personal data (when consent is the basis for processing).
Provide data subjects with specific information at the time the personal data is collected.
Discontinue processing of personal data.
Restrict processing of personal data upon request.
Provide data subjects with a copy of their personal data upon request.
Protecting personal data through security measures
Take general and specific security measures to protect personal data.
Conduct testing, assessment and evaluation.
Notification, records maintenance, and reporting
Provide notification of personal data breach to a competent supervisory authority.
Maintain a record of processing activities.
Carry out Data Protection Impact Assessments (DPIA).
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This includes but isn’t limited to basic identity data (name, address, phone number, ID numbers), biometric data, health and genetic data, and web data (IP addresses, location, cookie information, and RFID tag data). Racial or ethnic data, sexual orientation, trade union membership, political opinions and religious beliefs are classified as special categories, or “sensitive personal data,” and are subject to additional protections. Data rendered completely anonymous so that individuals cannot be identified, directly or indirectly, is excluded from the scope of the GDPR.
Pseudonymous data is different from anonymous data. Pseudonymisation may be a new word for many IT professionals; it means:
“The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
Pseudonymous data is still considered personal data, but may require lower levels of protection.
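The distinction between pseudonymous and anonymous data in the two passages above is easier to see in code. The following added example (written for this article; it is not GFI or Kerio code, and the record values, field names and helper functions are all constructed for illustration) pseudonymises the identifying fields of a small constructed dataset with a keyed HMAC, keeps the re-identification key and lookup table separately as the “additional information” the definition refers to, and contrasts that with anonymisation, where the identifiers are dropped and only aggregates remain, so no key can ever bring the people back. Keyed hashing is one common pseudonymisation technique, assumed here to be used with the key held apart from the dataset; it is not the only one.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; every name, e-mail address and IP is invented.
RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.org", "ip": "203.0.113.7", "purchase": "printer"},
    {"name": "Bob Example", "email": "bob@example.org", "ip": "198.51.100.23", "purchase": "toner"},
    {"name": "Alice Example", "email": "alice@example.org", "ip": "203.0.113.7", "purchase": "paper"},
]

# Fields that identify a natural person, directly or indirectly (personal data as defined above).
IDENTIFIER_FIELDS = ("name", "email", "ip")


def new_pseudonymisation_key() -> bytes:
    """A fresh random key; it must be stored apart from the pseudonymised dataset."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, value: str) -> str:
    """Keyed HMAC-SHA256 token: the same input always yields the same token (so records
    about one person can still be joined), but without the key the token cannot be
    attributed to that person. Truncated to 16 hex digits for readability."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(key: bytes, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Replace each identifying field with its token; non-identifying fields are kept."""
    out = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIER_FIELDS:
            if field in new:
                new[field] = pseudonymise_value(key, new[field])
        out.append(new)
    return out


def build_reidentification_table(key: bytes, records: List[Dict[str, str]]) -> Dict[str, str]:
    """The 'additional information': token -> original value. This table (and the key)
    must be kept separately and under its own access controls."""
    table: Dict[str, str] = {}
    for rec in records:
        for field in IDENTIFIER_FIELDS:
            if field in rec:
                table[pseudonymise_value(key, rec[field])] = rec[field]
    return table


def reidentify(table: Dict[str, str], token: str) -> Optional[str]:
    """Only someone holding the separately stored table can resolve a token."""
    return table.get(token)


def anonymise_records(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Anonymisation: drop identifiers entirely and keep only an aggregate
    (purchases per product). No key or table can reverse this."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["purchase"]] = counts.get(rec["purchase"], 0) + 1
    return counts


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    pseudo = pseudonymise_records(key, RECORDS)
    table = build_reidentification_table(key, RECORDS)
    for row in pseudo:
        print(row)
    print("first e-mail token resolves to:", reidentify(table, pseudo[0]["email"]))
    print("anonymised aggregate:", anonymise_records(RECORDS))
```

Note that the pseudonymised rows are still personal data under the GDPR: whoever holds both the dataset and the key can re-identify every row, which is exactly why the regulation requires the key and lookup table to be kept separately and protected by their own technical and organisational measures. The anonymised aggregate, by contrast, falls outside the regulation’s scope because nothing in it refers back to an individual.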
The timeline has been established, and time is running out for companies to create a roadmap for identifying, classifying, managing, securing, and documenting the protection of such data by implementing solutions that can accomplish each of the GDPR’s requirements.
GDPR requirements may seem daunting. However, by using a combination of standard protocols and technologies, the features and functionality built into your operating systems and included by the cloud provider in your cloud services, and third-party solutions such as those offered by GFI and Kerio, you can more easily implement measures that will help you meet the swiftly approaching deadline for GDPR compliance.