
How to get GDPR Compliance

Perform GDPR Audit for Free

The entire world, including Europe, is looking toward strong and unified data security under the General Data Protection Regulation (GDPR), especially regarding the export of personal data to countries outside the EU. GDPR compliance is now an essential consideration for businesses.

The fundamental objective that drives the GDPR is to give back control to individuals as to how their personal data is managed and used. The GDPR brings consistency and conformity to previous and existing European data protection laws.

Requirements for GDPR compliance

GDPR compliance has extensive consequences for organisations and businesses worldwide, including in countries such as the U.S., where the Safe Harbor provision has been invalidated. This means that U.S. businesses that transfer and handle the personal data of European individuals will be compelled to comply with the GDPR or suffer the consequences.


Any breaches of data regulations or non-compliance under the GDPR will depend on their severity, but you will need to be aware of actions to remedy such breaches:

  • Your establishment will be required to notify the relevant GDPR data protection authority, together with the individual or individuals whose data has been breached.
  • Depending on the severity of the breach, your establishment may receive a GDPR fine of up to €20 million or 4% of annual turnover (whichever is higher).
  • There are some exceptions to this under the GDPR, based upon whether adequate security measures were in place.

Encryption

Where a security measure such as encryption renders the breached data unintelligible to unauthorised parties, the organisation will not be required to notify the data subjects, and the likelihood of financial penalties after a security breach is lowered. The GDPR only mentions encryption in passing, but the benefits of encryption for GDPR compliance are an unavoidable reality for keeping data safe and policies GDPR compliant.

Basically, encryption turns data into an unintelligible form that can only be restored by decryption. Encryption is built on cryptography, the same discipline that underpins transactions in the blockchain model. In view of the GDPR and the question of compliance, the encryption of data, whilst not mandatory, is a valuable data protection method.

GDPR compliance is predicated on 7 key principles. We break these down below, highlighting what each principle entails, to improve your understanding of the subject.

These are as follows:

  1. Lawfulness, fairness and transparency
    • This refers to the GDPR requirement that all personal data must be lawfully collected, stored, used and processed. Personal data must not be used for illegal or unlawful purposes, and its usage must be fair and transparent.
  2. Purpose limitation
    • This means that the personal data collected must be limited in terms of its purpose. The data may only be used for the purpose it was collected for; otherwise, new consent must be obtained for its prolonged or repurposed use.
  3. Data minimisation
    • This refers to the requirement that the amount of data collected must be limited. Any organisation collecting and processing personal data must ensure that it collects only the information that is absolutely necessary for the functioning of the project. Personal data that is not needed should not be collected or stored.
  4. Accuracy
    • The personal data collected, and its processing, must be accurate and not misleading. It must not be twisted to suit the needs of the collector.
  5. Storage limitation
    • All personal data is time-limited and must be erased after a period of time. This period is pre-defined and the erasure is carried out securely.
  6. Integrity and confidentiality (security)
    • The integrity and confidentiality of the data content and of the data subject must be upheld through adequate anonymisation and encryption measures.
  7. Accountability
    • This means that the data subject is able to request information about the use of their data, and the organisation collecting the data is able to fulfil the request in a timely fashion.

Above principles

The above principles can be broken down into actionable and achievable goals. Seers has developed a simple route to GDPR compliance: the assessments and certifications toolkit identifies the key risks and recommends measures to mitigate them.

However, many businesses erroneously think encryption is mandatory and are conned into purchasing encryption software solutions without seeing that it is not. Although it is not technically required, it is a good idea to use encryption to secure data, since data protection, GDPR compliance and ePrivacy will all expand further as breaches occur and new technologies develop.

Encryption has to be deemed an important weapon against security breaches as advancements in data protection grow alongside it. Looking at what the GDPR actually states about encryption (albeit on only four occasions) for GDPR compliance in the following provision:

Pseudonymization

Businesses that wish to store or manage personal data in any way are now subject to very strict controls owing to the GDPR, which is the most comprehensive overhaul of privacy legislation in EU history. It has a far-reaching impact on all businesses and industries, from banks and hospitals to corner shops and fitness centres, all of which must ensure that they are compliant under the GDPR.

There are many ways to protect not only your customers, employees, and any third-party whose personal information you hold, but also your business from incurring huge penalties.

  • Pseudonymisation is the replacement of identifiable data, such as names, addresses and dates of birth, with other data which, although it looks similar, does not reveal personal information about a real individual.
  • Pseudonymisation is very helpful to organisations that wish to collect personal data for surveys and statistics without specific information about individuals, and it prevents such organisations from falling foul of the GDPR.
Banks

Banks are utilising this concept aptly. A good example is the Dutch bank Rabobank, which used pseudonymisation to develop a modern payment system using IBM’s cryptography software called the “High Assurance Desensitization Engine” (the very name of the software should bring peace of mind to organisations that wish to cherish their customers’ data).

In this way, essential data such as names, dates of birth and account numbers was collected using the pseudonymisation method to build payment forms, which enabled the bank to transform its existing software rather than develop new software. IBM’s software works by replacing the data with strings of numbers and letters, derived using keys and hashes, that behave in a similar way to the original data when run through the bank’s original software.

The bank holds the only key to the original data, which it uses to regenerate the original data.

Pseudonymisation is a tool that allows companies to process personal data in a way that keeps them compliant with the GDPR and protects them from incurring penalties.
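The mechanism described above (keyed tokens that keep the shape of the original data, with the data controller holding the only route back to the originals) as an added worked example in Python. This is not Seers’ or IBM’s code and says nothing about how the High Assurance Desensitization Engine works internally. It assumes a 32-byte controller secret held outside the analytics environment and an in-memory lookup table standing in for the controller’s re-identification store; the customer records are constructed, not real people or accounts.

```python
"""Keyed, shape-preserving pseudonymisation with a controller-held re-identification vault.

Added example; the key handling and vault are assumptions, not any vendor's design.
"""
import hmac
import hashlib
import string
from typing import Dict, Iterable, List, Tuple


def _keystream(key: bytes, field: str, value: str, length: int) -> bytes:
    """Derive `length` pseudo-random bytes with HMAC-SHA256 in counter mode.
    The field name is mixed in so the same value in two fields yields two tokens."""
    out = b""
    block = 0
    while len(out) < length:
        msg = field.encode() + b"\x00" + value.encode() + b"\x00" + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def pseudonymise(key: bytes, field: str, value: str) -> str:
    """Return a token with the same length and character classes as `value`:
    digits map to digits, ASCII letters to letters (case kept); everything else
    (spaces, hyphens, '@', '.') is left in place so downstream format checks still pass.
    `b % 10` / `b % 26` carry a small modulo bias: fine for pseudonyms, not for keys."""
    stream = _keystream(key, field, value, len(value))
    out: List[str] = []
    for ch, b in zip(value, stream):
        if ch.isascii() and ch.isdigit():
            out.append(string.digits[b % 10])
        elif ch.isascii() and ch.isalpha():
            letter = string.ascii_lowercase[b % 26]
            out.append(letter.upper() if ch.isupper() else letter)
        else:
            out.append(ch)
    return "".join(out)


class PseudonymVault:
    """The controller's side: holds the secret key and the token -> original mapping.
    Processors receive only the output of `pseudonymise_record`; re-identification
    is possible only through this object (a constructed stand-in for a real vault)."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("controller key should be at least 32 random bytes")
        self._key = key
        self._reverse: Dict[Tuple[str, str], str] = {}

    def pseudonymise_record(self, record: Dict[str, str], fields: Iterable[str]) -> Dict[str, str]:
        out = dict(record)
        for f in fields:
            token = pseudonymise(self._key, f, record[f])
            self._reverse[(f, token)] = record[f]  # only the controller keeps this mapping
            out[f] = token
        return out

    def reidentify(self, record: Dict[str, str], fields: Iterable[str]) -> Dict[str, str]:
        out = dict(record)
        for f in fields:
            out[f] = self._reverse[(f, record[f])]
        return out


# Constructed sample data (hypothetical people and account numbers, not real ones).
SAMPLE_KEY = bytes(range(32))  # placeholder; a real key comes from a CSPRNG or an HSM
PII_FIELDS = ("name", "iban")
SAMPLE_RECORDS = [
    {"name": "Alice Martin", "iban": "NL00BANK0123456789", "balance": "120.50"},
    {"name": "Bob Okafor", "iban": "DE00BANK0000987654", "balance": "-45.00"},
]


def demo():
    """Pseudonymise the sample records for a processor, then re-identify as the controller."""
    vault = PseudonymVault(SAMPLE_KEY)
    processed = [vault.pseudonymise_record(r, PII_FIELDS) for r in SAMPLE_RECORDS]
    restored = [vault.reidentify(r, PII_FIELDS) for r in processed]
    return processed, restored


if __name__ == "__main__":
    processed, restored = demo()
    for before, after in zip(SAMPLE_RECORDS, processed):
        print(before, "->", after)
    print("re-identified correctly:", restored == SAMPLE_RECORDS)
```

The tokens are deterministic, so a processor can still join and count records, but because they are keyed with HMAC rather than produced by a bare hash, an outsider cannot confirm a guess (“is this token Alice Martin?”) without the controller’s key. Shape preservation is character-class only: an IBAN token keeps its length and country-code layout so existing field validation passes, but its check digits will not verify, and a pseudonymised name carries no meaning of its own.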

Trusts

Truata, a financial trust company set up by IBM and Mastercard, acts as a conduit for third-party businesses that wish to analyse data and establish that they comply with the General Data Protection Regulation (GDPR).

A survey report by Solix revealed that fewer than 50% of firms could assure that they were GDPR compliant before 25 May 2018. With personal data being an integral component of most businesses and the key to successful marketing and advertising, it is essential that there is an element of control, more so than mere adblockers!

Truata

Truata, therefore, has set itself up as an independent provider of compliance analytics, and it is receiving some interest, mainly from larger companies. The way it works for clients is that an online company passes its customer list to Truata, first anonymising the list using IBM technology, so that the list may then be stored and analysed by Truata.

There are many options with regards to analytical reporting of the data, including Truata analytical front-end tools or an interface, which allows the client to carry out the analytics themselves.

There has been speculation about the risks of moving personal data outside the boundaries of an organisation: it risks privacy breaches, the very antithesis of the GDPR. But IBM is keen to dispel these reactions by emphasising that the trust acts with the utmost security in mind, and it stresses that it conforms to the guidelines set down by the Article 29 Data Protection Working Party.

Pseudonymization

Pseudonymisation is a tool that allows companies to process personal data while ensuring that they comply with the GDPR, freeing them from the strict privacy restrictions that would previously have disallowed such processing. Encryption should be applied to the following:

  • Data at rest, including personal data in storage, archives, reference files, files stored on hard drives, servers and storage area networks, and files held by off-site backup service providers.
  • Data in motion, including email and any other form of transport of personal data.
  • In addition to protection by encryption, there has to be a strong element of management in place, both to protect the encrypted data and to prevent any unauthorised retention of it.
  • Businesses will be required to substantiate the legitimate identity and activity of an individual, and to verify that the organisation has strict security controls in line with the GDPR compliance management requirements.

Articles 5, 25 and 32 of the General Data Protection Regulation (GDPR) make clear that only authorised users may access personal data. For GDPR compliance, businesses need complete control over any personal data they hold.

Businesses are urged to ensure that personal data is kept in an illegible state, and encryption is one way to achieve this. The GDPR compliance requirements can be met by this simple method of control, which prevents individuals from being identified through their personal data. Encryption, when properly used, also prevents the manipulation of personal data.


Multi-Factor authentication

Further security methods recommended for GDPR compliance in your organisation include “multi-factor authentication”, or “MFA”. Already very popular with applications such as Facebook and Google, it is also referred to as “two-step verification”. Proponents of MFA argue that, compared with password-only verification, it greatly reduces online fraud and identity theft. There is no denying that MFA is far superior when it comes to security.

However, some companies dislike the fact that it may be deemed an arduous burden for the end user. There are flexible and adaptable solutions, such as biometric authentication methods, which do not compromise business activities.

Biometric authentication (GDPR compliance)

Biometric authentication allows an individual’s identity to be authenticated based on data unique to that individual. It is estimated that almost 90% of firms will be using biometrics by 2020, according to a recent survey by Spiceworks.

This sophisticated method of authenticating individuals has caused some controversy, especially around the recent launch of the Apple iPhone X’s facial recognition functionality. Fundamentally, the question it answers is “Who are you?”

The question then begs: how do we protect such sensitive and private data? As such, the General Data Protection Regulation (GDPR) has brought even more stringent protection of biometric data. By defining biometrics in as broad a sense as possible, the GDPR provides a definition that covers all eventualities for compliance and ensures that this type of data is subject to stringent data processing controls.

After all, the data is very personal; it involves:

  • A photo of a face.
  • A record of a voice.
  • An image of a fingerprint.

This will be compared to the biometric data of a multitude of other individuals stored in a database. Very sensitive indeed!

Data gathered via collection behavior

Data gathered from behaviour rather than from physiological characteristics falls under another type of biometrics. Since a behaviour is typically not exclusive to one individual and may be attributable to many different people (for example, particular gaits, lip motions and typing or keystroke patterns), the logistics of gathering behavioural data are more constrained.

It is important to take the necessary precautions to ensure that such processing is justified.

Subsequently, any organisation actively processing biometric data will need to keep abreast of developments.

This is pertinent for organisations that are continually developing new technologies alongside the use of biometric data, and also where biometric data is collected and used on a large scale and/or in public settings, such as the retail or fitness sector, where facial recognition is becoming more commonly used. In such circumstances, data controllers must understand the data processing risks involved and be able to implement measures to mitigate them.

Showing integrity as a business is important under the GDPR. For this very reason, GDPR compliance is an essential part of your business for the foreseeable future. Ensure that your policies, processes and procedures are compliant with the GDPR and that you are using a GDPR-compliant cookie consent banner on your website.

If you need tailored advice to help you become GDPR compliant, Seers can help you with our team of privacy experts.