Even though the General Data Protection Regulation (GDPR) has been in effect for more than two years now, estimates suggest that the majority of companies have not yet reached GDPR compliance. With European countries enforcing the law with heavy fines and increased scrutiny, what can you do? Aparavi is always on top of data privacy compliance, and we’ve put together a convenient guide to help you get your company into compliance.
GDPR Compliance: Your Data Privacy Questions Answered
1. Who Is Subject to the GDPR?
While the GDPR was created by the European Union to protect EU residents, the law’s scope is not limited to businesses that have offices within the EU. In a globalized world, this means that your business may still be subject to GDPR compliance, even if it is located outside the EU, if your organization collects or processes the personal data of EU citizens and residents. So what happens when your business is located elsewhere, for instance in the United States? That’s where the specific targeting requirement comes in. Let’s have a look at what that entails.
Specific Targeting Requirement
The GDPR specifies that occasional or incidental collection of EU data does not necessarily mean that a company must automatically be GDPR compliant. Instead, there’s a specific targeting provision in the law that your company should consider.
For example, if you’re a pizza shop in New York City that takes orders online, it’s possible that your business could receive an order from an EU citizen and thus hold their personal information. That would probably be a rare occurrence and no cause for GDPR alarm. Now, if that same pizza shop marketed itself heavily to tourists coming from the EU, perhaps sending them regular emails or providing coupons for EU customers when they visit the US, then the business would be considered subject to GDPR rules. If you have a top-level domain from an EU country, accept euros as payment, or provide alternate websites in languages specific to the EU, then it’s more likely that the EU will see your business as targeting their citizens.
2. How Much Does Business Size Matter?
Small and medium enterprises (SMEs) get a few breaks. Businesses with under 250 employees don’t need a data protection officer (DPO), and don’t need to keep records of how their customers’ data was handled, unless data processing and collection is a regular activity of the company.
No business is fully exempt from GDPR compliance, however. If you’re collecting personal information and targeting EU citizens, you have to play by the rules.
3. What Kind of Data Is Protected?
So what data falls under the GDPR’s umbrella? Virtually everything does. Any personal information, defined as information that can be reasonably connected to an individual’s identity, can subject you to GDPR rules. Obvious personal info like names and addresses would qualify, but so do some less obvious cases.
For example, IP addresses are considered personal information since it’s possible to get the exact identity of the individual via the ISP. Even information published under a social media pseudonym would qualify, since it’s linked to an email address, which is also personal information. In short, just about any detail you can collect on a person qualifies.
The Aparavi Platform indexes all of your organization’s unstructured data across all storage locations and lets you search each file’s metadata or content, so you can find personally identifiable information or sensitive data with ease.
4. What Website Changes Should You Make?
If you haven’t already, you ought to get your web designers to update your website with compliance measures. One of the most important is a prominent, plain language notification of what data your website collects and how it does so. Article 12 of the GDPR outlines this requirement and it’s relatively easy to implement.
5. What Data Security Measures Need to Be Implemented?
Your company should make every effort to minimize the risk of exposing private data. To do so, use encryption on all of your files containing personal information. You can also anonymize these files by removing connections to actual individuals’ names or by deleting any key identifying information. You’ll also want to draft a data privacy and cybersecurity policy for your team members to follow. Most data breaches are not caused by clever hackers, but rather by employee error like enabling open access to sensitive or personal data.
Aparavi makes it easy to quickly locate GDPR data no matter where it lives within your organization. The GDPR and EU country-specific classification policies enable you to locate all personal or sensitive data that falls under the scope of the GDPR, so you can make sure that data is secure and not exposed to open access or other security concerns. In addition, by understanding what types of data you collect about your customers using Aparavi’s classification features, you will be better able to create and implement comprehensive data privacy and security policies within your organization.
In addition, Aparavi’s automation tools let you easily batch move, copy or delete files by classification policy, or add additional security features like encryption or anonymization with third party tools, enabled by our open API.
6. What Consumer Rights Need to Be Considered?
The GDPR grants consumers several rights, including the right to request that their personal data not be sold or transferred to third parties, as well as the right to have their data deleted upon request. They can also simply ask to see what data you hold about them.
This is where you need to implement solid data management practices. If you don’t know what data you have, you won’t be able to comply with these requests. If you can’t comply in a timely manner, the individual could raise a complaint and put you squarely within the regulators’ crosshairs.
The Aparavi Platform can operate as a powerful search engine to quickly find data related to a specific individual, no matter where that file is stored, respond to data access requests within the required time limits, and take action to comply with a deletion request or request for information under the GDPR.
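The two practical problems raised in sections 5 and 6, reducing the exposure of files that contain personal data and still being able to answer "which files hold this person's data?" when an access or deletion request arrives, can be illustrated together. The following Python script is an added example written for this article; it is not Aparavi code and does not use the Aparavi API. It scans a set of constructed sample files for email addresses and IPv4 addresses, replaces them with keyed pseudonyms (HMAC-SHA256 tokens) so the files no longer carry the raw identifiers, and keeps an index from token to file path so a request for a named individual can still be located. The key, file paths and file contents are all constructed placeholders; the `redact()` function shows the alternative of irreversible removal, after which no lookup is possible.

```python
"""PII discovery, keyed pseudonymisation and data-subject lookup.

Added example for this article (not Aparavi's code). All file paths,
contents and the key below are constructed for the demonstration.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Placeholder key: in practice this lives in a secrets manager, never
# alongside the data it protects. Anyone holding it can re-derive tokens.
KEY = b"demo-key-replace-with-managed-secret"

# Constructed sample "files" (path -> content). 999.999.1.1 is deliberately
# not a valid IPv4 address, to show the octet check at work.
SAMPLE_FILES = {
    "/share/crm/export.csv":
        "anna.mueller@example.de,Berlin,203.0.113.42\n"
        "j.doe@example.com,Lyon,198.51.100.7\n",
    "/share/support/ticket-1042.txt":
        "Customer anna.mueller@example.de reported login failures from 203.0.113.42.",
    "/share/marketing/newsletter.html":
        "<p>Thanks for subscribing! No personal data here, just build 999.999.1.1.</p>",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _valid_ipv4(candidate):
    """Reject regex hits whose octets exceed 255 (e.g. version strings)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_pii(text):
    """Return {"email": [...], "ip": [...]} found in text, deduplicated in order of appearance."""
    emails = list(dict.fromkeys(EMAIL_RE.findall(text)))
    ips = list(dict.fromkeys(ip for ip in IPV4_RE.findall(text) if _valid_ipv4(ip)))
    return {"email": emails, "ip": ips}


def pseudonym(value, key, kind):
    """Deterministic keyed token: the same identifier always maps to the same token,
    but the token cannot be turned back into the identifier without the key."""
    mac = hmac.new(key, f"{kind}:{value.lower()}".encode(), hashlib.sha256).hexdigest()
    return f"{kind}_{mac[:16]}"


def build_index(files, key):
    """Pseudonymise every file and return (rewritten_files, index).

    index maps each token to the sorted list of paths in which it occurs, which is
    what an access or deletion request needs: the files, not the raw identifiers."""
    index = defaultdict(set)
    rewritten = {}
    for path, text in files.items():
        new_text = text
        found = find_pii(text)
        for kind in ("email", "ip"):
            for value in found[kind]:
                token = pseudonym(value, key, kind)
                index[token].add(path)
                new_text = new_text.replace(value, token)
        rewritten[path] = new_text
    return rewritten, {token: sorted(paths) for token, paths in index.items()}


def locate_subject(index, key, email):
    """Answer 'which files reference this person?' from the token index alone."""
    return index.get(pseudonym(email, key, "email"), [])


def redact(text):
    """Irreversible removal (anonymisation): nothing links the result back to a person,
    so it is safer to keep but can no longer serve an access or deletion request."""
    text = EMAIL_RE.sub("[REDACTED-EMAIL]", text)
    return IPV4_RE.sub(
        lambda m: "[REDACTED-IP]" if _valid_ipv4(m.group()) else m.group(), text)


if __name__ == "__main__":
    rewritten, index = build_index(SAMPLE_FILES, KEY)
    for path, content in rewritten.items():
        print(path, "->", find_pii(SAMPLE_FILES[path]))
    print("Files holding anna.mueller@example.de:",
          locate_subject(index, KEY, "anna.mueller@example.de"))
```

Two design points worth noting. A keyed, deterministic token is what makes the index useful: the same address in a CRM export and a support ticket yields the same token, so one lookup finds both files, while the files themselves no longer contain the address. The key is therefore the sensitive asset and belongs in a secrets manager with its own access controls. Pseudonymised data remains personal data under the GDPR because the link can be restored; only the irreversible `redact()` path produces data that is outside its scope, at the cost of no longer being able to answer a subject's request from it.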
7. What Happens in the Event of a Data Breach?
Should your company experience a data breach, the GDPR requires that you inform users within 72 hours. You also need to inform the data protection authority (DPA, not to be confused with data protection agreements).
Data breaches are becoming increasingly common and more businesses have been targeted in 2020 since more of our work has gone online. It’s imperative that your business have the ability to track data and know where it came from and what it contains. Data breaches can be mitigated or even prevented using smart data management.
Aparavi’s easy-to-use platform simplifies the reporting requirements under the GDPR, which require you to notify the EU office and specific customers of the breach. In the event of a data breach, you can use Aparavi to scan the compromised files to understand which customers’ information might have been exposed.
Smarter Platforms for Compliance
GDPR compliance may seem challenging, but it doesn’t have to be. The key to making compliance easy is to have a data classification tool that can identify data subject to GDPR regulations. That’s precisely what Aparavi can do for you. Our platform parses your data and can categorize it quickly, allowing you to easily apply the proper permissions and ensure that sensitive information never leaves your servers.
Visit our Data Privacy page, and check out the Data Privacy ebook to find out more about GDPR and other data privacy laws that may apply to your organization, and how Aparavi can make GDPR compliance a breeze.