The General Data Protection Regulation (GDPR) is a set of provisions and requirements governing data protection and privacy for individuals across the European Union. It applies to any business or public body — inside or outside the EU — that handles the personal data of EU residents. Such data includes but is not limited to:
- Basic identity information
- Financial data
- Web data
- Biometric and genetic data
- Political opinions
- Trade union membership
- Ethnic origin
Essentially, GDPR requirements govern the way companies process and store personally identifiable information (PII). Businesses are encouraged to implement data protection “by design” and “by default” — they should design their operations to safeguard user data and privacy from the very start.
The regulation came into force in May 2018, and violations can result in steep fines and other penalties. While meeting GDPR requirements is critical for any organization that stores or processes the data of EU residents, there is no one-size-fits-all solution for maintaining GDPR compliance. Companies need to implement data privacy tools and processes suited to their unique needs, infrastructure and services.
Core Capabilities for GDPR Compliance
GDPR provisions can be grouped into two main categories: individual privacy rights and data security. Be sure the GDPR solutions you implement will help you cover all core capabilities pertaining to both groups.
Individual Privacy Rights
GDPR provisions concerning individual privacy rights are:
- Article 15: Right of access by the data subject
- Article 16: Right to rectification
- Article 17: Right to erasure (right to be forgotten)
- Article 18: Right to restriction of processing
- Article 20: Right to data portability
- Article 21: Right to object
- Article 22: Automated individual decision-making, including profiling
The primary technological capabilities required to address these requirements include:
Consent management is the process of ensuring that online services and websites obtain user consent for collecting data about them — via site cookies, for example — during their visit.
GDPR requirements allow organizations to collect and process a customer’s data only if that individual has actively confirmed their consent — by ticking an unchecked opt-in box, for example. Organizations assign responsibility to obtain the consent and manage relevant records to data protection officers (DPOs), who must be able to provide sufficient evidence to auditors that the organization has all the required consent.
To meet these GDPR requirements, look for a robust consent management software solution with the following features:
- Options for users to re-consent or change their cookie preferences
- Reports and dashboards
- Cookie whitelisting
- Real-time language detection and geotargeting
Information Management and Retention
Information management and retention involves identifying what data is stored and why, as well as setting a retention schedule — a fixed period of time for which records are retained.
GDPR requirements mandate that personal data is not kept for longer than necessary and that organizations set and follow policies standardizing retention periods. Individuals maintain the right to erasure of their personal data if the organization no longer needs it. However, personal data can be retained for public interest projects, such as “archiving, scientific or historical research, or statistical purposes.”
A solid records management and retention solution should include:
- Rule and workflow automation for common retention tasks (such as approvals, archival, transfer to storage and record deletion)
- Automatic destruction of records and documents past their retention period
- Auditing throughout the lifecycle of your records
- Configuration and enforcement of retention policies
- Automated records declaration, retention and holds
Data Subject Access Request (DSAR) Solutions
Data subjects have specific rights under GDPR, including the right to know exactly what personal data an organization has collected about them and to request that their information be corrected or deleted. They also have the right to see the organization’s privacy notice and supplementary information. DSAR software can help organizations handle such requests far more cost-effectively than they could with manual methods, and avoid penalties by meeting the strict deadlines for responding to DSARs.
Now that we’ve covered individual privacy rights, let’s turn to the GDPR provisions concerning data security:
- Article 25: Data protection by design and default
- Article 32: Security of processing
- Article 33: Notification of a personal data breach to the supervisory authority
- Article 34: Communication of a personal data breach to the data subject
- Article 35: Data protection impact assessments
To meet these requirements, look for GDPR compliance tools that offer the following capabilities. A software product you already own may deliver some of this functionality.
A Data Protection Impact Assessment (DPIA) is a targeted assessment of “the impact of the envisaged processing operation on the protection of personal data.” It documents the data that will be processed, the reasons the data is needed and the risks to the rights of data subjects.
A DPIA must be prepared before any data processing is carried out if your organization is:
- Tracking user behavior and/or location
- Utilizing new technologies
- Processing personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health, or sex life or sexual orientation
- Processing personal data to make automated decisions that could have legal or other significant effects
- Processing children’s data
- Processing data that could result in physical harm to the data subject in the case of a leak
Failure to carry out a DPIA under the above circumstances can result in legal consequences, including fines.
A risk management solution should cover IT risk assessment, risk mitigation and vulnerability management:
- IT risk assessment: Includes detecting excessive access rights to user data and checking current configurations for security gaps
- Risk mitigation: Involves measures like implementing default configuration resets, adjusting security policies and revoking unnecessary permissions
- Vulnerability management: Includes gaining visibility into current configurations and conducting regular penetration testing to uncover more complex security gaps
Organizations must implement technical security measures proportional to the level of risk involved in their data processes. Sensitive data — like credit card information, passwords and identification numbers — should be encrypted. Encryption obfuscates data in order to render it unusable to potential hackers, which helps your organization avoid compliance penalties even if it suffers a breach.
A robust data privacy solution will offer encryption methods like:
- Tokenization: Replacing sensitive data with unique but unreadable identifiers
- Pseudonymization: Replacing personally identifiable information fields with pseudonyms (fake identifiers)
- Dynamic masking: Modifying a data stream to prevent a requester from gaining access to sensitive information
Data Discovery and Classification
Data discovery is the process of identifying all data across your systems, and data classification involves categorizing all data by type and purpose for processing. These capabilities help you understand what sensitive information your organization stores and handles so you can better plan and execute your security efforts.
To comply with GDPR, organizations are required to implement data discovery as well as measures like data profiling, taxonomies for data sensitivity and data asset cataloging. In order to classify data, companies may have to consider the following:
- Type of data (financial information, health data, government IDs, etc.)
- Basis for data protection (personal or sensitive information)
- Categories of data subjects involved (customers, patients, etc.)
- Categories of recipients (especially international third-party vendors)
Data Access Governance
Data access governance includes ensuring that the minimum number of people have the minimum level of permissions to access data. This is to keep personal data as safe and inaccessible as possible. Data access governance can help you set these limits and maintain visibility over who has access to what information.
User Activity Monitoring
Monitoring capabilities can alert you to unusual user activity that might indicate a threat so that your organization can respond immediately. This can help prevent a potentially disastrous data breach or compliance violation.
Data Loss Prevention
Data loss prevention (DLP) controls enable network administrators to control what data end users can transfer. This can help prevent data from being lost, misused or becoming vulnerable to unauthorized access.
DLP controls can also help organizations adhere to the Principle (f) — known as the “security principle” or the “integrity and confidentiality principle” — which requires data controllers to implement appropriate security measures to protect the personal data they store and process.
IT Infrastructure, Network, and Application Security
Organizations must ensure a level of security proportional to the risk involved in the event of a data breach. Real-time monitoring and auditing of the IT infrastructure can enable your organization to detect suspicious activity and unauthorized configuration changes across your networks and applications.
Security Incident Management
Data controllers have 72 hours after a personal data breach is detected to notify the relevant supervisory authorities of the breach, unless notifying authorities will further compromise the privacy of the data subjects impacted. A robust privacy solution will enable your organization to identify compromised data so it can notify supervisory authorities and impacted data subjects.
GDPR Compliance Solutions
The following compliance solutions can help your organization implement strong privacy management and meet other provisions of GDPR.
Individual Privacy Rights
The following software platforms can help your business comply with the individual privacy rights regulations of GDPR by offering consent management, records and information management, and DSAR processing.
- Netwrix’s DSAR solution: Netwrix’s DSAR solution enables companies to automate the data collection process — a crucial and resource-intensive step of every data subject request. Users can quickly search for and export personal data, and the solution enables non-IT teams to handle the process.
- ConsentCheq: This “universal notice and consent management service” includes clear notice of data collection as well as the gathering and logging of user preferences. Consent records can be accessed via a secure API. Industry-specific solutions address the needs of e-commerce, media, ad tech, internet of things (IoT), physical retail and hospitality.
- TrustArc: TrustArc offers a GDPR privacy platform that includes cookie consent management, individual rights management, privacy assessments, and a data inventory hub that allows businesses to create compliance reports and data flows.
Solutions that focus on data protection and security will help your organization gain visibility into your information assets, analyze flows of personal data, and support various methods to protect and encrypt sensitive data.
- Netwrix Data Security Platform: This Netwrix solution can help you meet the requirements of modern privacy and security standards through easy data classification and discovery, and control over changes and activity around sensitive data. It also enables you to easily identify overexposed data, misconfigurations in underlying systems and other risks in your infrastructure. As a result, you can strengthen security and compliance while seeing a strong return on your investment.
- AvePoint Privacy Impact Assessment (APIA) System: This assessment-based solution allows organizations to analyze flows of personal data to ensure GDPR compliance. It includes built-in workflows, a form-based survey system, automated reports, and support for security and vulnerability assessments.
- FileCloud: FileCloud enables organizations to meet GDPR compliance requirements across public, private and hybrid cloud environments with features such as PII search, information retention controls, anonymization, data encryption and data portability. It also enables secure management and sharing of sensitive data, and enables customers to request access to or deletion of their personal data.
- Aircloak Insights: Aircloak Insights offers an anonymized, SQL-based interface that enables organizations to conduct analytics while preserving user privacy and maintaining compliance with GDPR standards.
Governance, risk and compliance (GRC) tools — also referred to as enterprise risk management software — offer comprehensive risk and control management, risk analytics, vendor management and third-party risk assessments. While GRC tools are often equipped with a wide variety of features, they can also be costly and difficult to use.
- OneTrust: OneTrust provides GDPR-specific features such as incident reporting, a breach management workflow, vendor risk management, cookie consent, a data subject rights request portal, and operationalized data protection impact assessments.
- BWise GRC Platform: This risk-management platform provides solutions for internal audits, compliance management, internal control and information security. It helps organizations address compliance, reputational and financial risks.
While meeting GDPR standards might seem overwhelming at first, your organization can take proactive measures and implement a robust set of GDPR solutions. By prioritizing automation-friendly and cost-effective services, your company can ensure compliance while minimizing business disruptions and obtaining a satisfactory return on investment.