It is self-described as the “most important change in data privacy regulation in 20 years”. Looming on the horizon, this new set of privacy regulations is most certainly going to change the way organizations do business and think about customer data and privacy. The new set of regulations is called the General Data Protection Regulation or GDPR.
The regulation was approved by the European Union parliament in April 2016 and set to go into enforcement on May 25, 2018. The new set of regulations under the GDPR umbrella empowers all EU citizens with the right to data privacy and individual ownership of their data and any privacy aspects that entails.
This is a far-reaching set of regulations in that it affects any organization that is processing personal data of data subjects residing in the European Union, regardless of whether or not the company is located inside the boundaries of a European Union country. The expressed penalties for organizations violating GDPR regulations are very steep.
What aspects of data privacy are contained in the GDPR regulations? How does this affect organizations and how they handle, retain, backup, and otherwise use data involving EU citizens? What are the consequences for violating the GDPR regulations?
Table of Contents
Steps for GDPR Compliance. GDPR Data Subjects Individual Rights
The new GDPR regulations certainly empowers EU citizens to own their data and be proactive about their privacy. It also stipulates that organizations (data controller) must act in the best interests of the data privacy of their customers (data subjects). There are several key rights that are defined inside the scope of the General Data Protection Regulation data privacy regulations that define what this looks like for both data subjects and the organizations responsible for their data. Below are the cornerstone rights that are defined in the new regulations:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
Each of these key areas hold benefits and rights that the EU citizens are allowed to exercise under the new GDPR regulations. Let’s look at these in a bit more detail.
Often, we hear about a breach in sensitive data being learned months before the news concerning the scope is announced. Individuals privacy and data may have been at risk for quite some time before ever hearing of the breach and its implications. With the Breach Notification expressed right, any breach that is set to “result in a risk for the rights and freedoms of individuals” must be disclosed within 72 hours of becoming aware of the breach. Notification to data subjects (customers) must be also made without delay.
Right to Access
One of the powerful new aspects of the GDPR regulation for data subjects is the Right to Access. The right to access enables data subjects the ability to query a data controller at any time as to confirmation of whether or not their personal data is being processed, how it is being processed, and where it is being processed.
Additionally, data controllers are required to provide a copy of any and all data being processed in electronic format. The aim of this directive is to increase transparency for customers as to how their data is being used as well as empower individuals to query a data controller at any time regarding these matters.
Right to be Forgotten
The Right to be Forgotten encompasses the right of the data subject to have the data controller erase any and all data that contains any information related to them. It also outlines that any further disseminating of their data halt immediately and any third-party entities that are involved with processing their data, will stop data processing of that data immediately as well.
The definition of what qualifies a data erasure event in Article 17 of GDPR is either data that is no longer relevant to the original purposes for processing, or a data subject withdrawing their consent to utilize their data.
This regulation can potentially be one of the most difficult to thoroughly and properly carry out for unprepared organizations as it implies that any data, even data that exists in backups and other more obscure data sets be erased properly when requested by individuals. However, there are some differing views on how this aspect of GDPR regulation will be interpreted and to what degree this data erasure must be carried out.
The Data Portability right aspects of GDPR seems to be a restatement of some of the rights assumed under the Right to Access, however, it refers to the right for the data subject to receive their personal data and then make a decision to transmit that data to another data controller. In other words, their data is their data. They have the right to transmit it to another data controller if they want.
Privacy by Design
This aspect of GDPR is where things get more into the concept of data security and privacy by design, obligating organizations to thinking about this aspect of data subject’s data from the outset when designing their systems. Security in past years has been an afterthought when it comes to architecting systems. This is readily evident by the tremendous data breaches recently.
In addition to this part of the GDPR standard, organizations are required to be minimalists when it comes to data subject data. They hold and process only the data that is absolutely required for the completion of its duties and limit access to that minimal amount of data to only those who need access to the data according to Article 23 of GDPR. This helps to limit the amount of personal data as well as the exposure to that personal data.
Data Protection Officers
The Data Protection Officers clause of the GDPR outlines the requirements for appointing a dedicated Data Protection Officer(s). DPO appointments are only necessary for those data controllers whose sole purpose involves systematically monitoring data subjects on a large scale or of special categories of data or data relating to criminal convictions or offenses. Additionally, further requirements of appointing a DPO are expressed in this section of GDPR.
Consequences for GDPR Violations
The consequences for being in violation of GDPR regulations are not trivial. With more trivial violations, such as not having records in order, not notifying a supervising authority and data subject about a breach, or not conducting an impact assessment, a company can be fined 2% of annual global turnover.
With the most severe penalty, organizations in breach of GDPR regulations can be fined up to 4% of their annual global turnover or 20 million euros, whichever is greater. The maximum penalty can be levied when organizations are in gross violation on such items as not having customer consent to process data or violating core Privacy by Design concepts which amounts to negligence.
Hybrid Cloud Complexities
Arguably, this is a major shift in the way organizations dealing with EU citizen data must think about how they are handling that data and how it is being processed. Keeping track of data wherever it may live can be challenging to say the least. However, add to that complexity, the fact that organizations today are utilizing public cloud environments more than ever before. Organizations must keep track of where data lives both on-premise and in the cloud.
Additionally, having data loss protection and data leak protection in place both on-premise and in the cloud is a requirement moving forward. Add to data loss protection and data leak protection capabilities, organizations must have very stringent cybersecurity controls, alerting, and various protective mechanisms in place to protect sensitive data, in line with GDPR standards. This “Privacy by Design” concept must be intertwined with new infrastructure, especially in public cloud environments which are often the most challenging environments to maintain this level of policy and control over.
Ensure GDPR Compliance with Spinbackup
Public cloud environments may be some of the most challenging for organizations when aligning to the regulations set forward under GDPR regulations. There are several key concepts that come to the fore when weighing GDPR compliance regulations that organizations must give their utmost attention:
Spinbackup is a powerful data loss and data leak prevention solution that features best in class cybersecurity as well. It allows organizations to align their Google G Suite environments to meet with GDPR regulations in the key areas mentioned above. By using powerful machine learning algorithms, Spinbackup is able to sift through the massive amount of data that often exists in the public cloud, ensuring the safety and security of the data, as well as aligning organization objectives with GDPR requirements.
The Data Loss Prevention tools found in Spinbackup’s G Suite protection allows organizations to have a powerful versioned approach to automated daily backups. This ensures access to data subject data at all times to meet any needs of information requests or data portability as requested by data subjects. Additionally, backups are an important part of any security regimen enacted to protect data. Spinbackup’s automated daily backups allow information to be restored even if it is deleted accidentally or corrupted by ransomware.
Data Leak Protection is an extremely important part of aligning with the data security measures enacted with GDPR. As stated above in the principle foundations of GDPR, data privacy must be enacted by design. By utilizing Spinbackup in the G Suite public cloud, organizations are able to enact this privacy by design principle. Spinbackup enables privacy by design with the following mechanisms:
High Risk Third-party Apps Control
Crucial to ensuring the privacy and security of data subject data, making sure any third-party applications integrated into the G Suite environment do not have access to data they do not need is extremely important. The High Risk Third-Party Apps Control that Spinbackup provides allows doing just that. Access to risky third-party apps and the data they have access to can easily be revoked.
Sensitive Data Control
By its very design, Spinbackup sensitive data control allows control data that is deemed sensitive, such as credit card numbers. Additionally, custom rules can be applied to define the nature of the sensitive data. Spinbackup ensures that sensitive data is not leaked outside the G Suite environment, thus providing the means for organizations to align with GDPR.
Abnormal Data Download
The abnormal data download module allows gaining visibility into an unauthorized data download event where an individual is downloading G Suite data to a personal cloud or personal storage device.
Spinbackup also provides extremely robust cybersecurity features that make sure GDPR data privacy and security objectives are met. Spinbackup cybersecurity features the following:
Cloud Apps Audit
Gives visibility to the G Suite data that is shared with any third-party apps and an overall view of data privacy related to third-party integrations.
Gives visibility to the G Suite data that is shared with individuals outside of the G Suite organizations. How is data privacy affected by data sharing? This gives visibility to that objective.
This is a “single pane of glass” view of all security related events that happen across the G Suite domain, along with powerful alerting.
Spinbackup allows creating granular G Suite security policies to define how various policies are implemented across the G Suite organization.
The ransomware protection module can fit into any of the described mechanisms, however, it is a powerful cybersecurity tool as well. Ransomware is a plague among organizations today and the valuable data they hold. Spinbackup’s ransomware protection module proactively monitors files across the G Suite organization and when ransomware activity is detected, it proactively restores the latest good copy of the file automatically!
Insider Threat Detection
Insider threat detection enables gaining visibility to user activities that may otherwise go unnoticed. This may be failed login attempts, or odd login locations, abnormal data download patterns. Insider threats can be the most challenging to detect but are sometimes the most crucial.
Managing data security and privacy in the G Suite public cloud without a robust and fully-featured tool like Spinbackup will be a GDPR nightmare for organizations attempting to do this on their own!
At the heart of the General Data Protection Regulation or GDPR is the security and privacy of customer data. At the end of the day, all of us want to have better security and privacy enacted on our personal data.
However, with the tremendous benefits that the new regulations may have for our personal data privacy, it certainly creates tremendous complexities for organizations who must align with the new regulations. Creating a G Suite public cloud environment that aligns with GDPR regulations without automated machine learning enabled mechanisms is sure to fail.
Are you choosing the best G Suite Backup Solution?