After a countdown of several stages spanning several years, the General Data Protection Regulation is reaching its finale. There are 50 days to go until the regulation fully comes into force across Europe, and all organisations affected must have taken steps to become compliant.
Bringing a larger focus to the protection of personal information and the rights of data subjects, the regulation also brings an added risk of fines for non-compliance: organisations can now face fines of up to £17,000,000 or 4% of global turnover for the most serious data breaches. In addition, data processors now share liability for the protection of data with data controllers, so that no single organisation can point the finger of blame if a breach does occur.
Even with the impending deadline for compliance, a recent survey has found that not all organisations are prepared for the regulation, with confusion over how it will work in practice in areas such as the ‘Right to be forgotten’. Organisations will need to have implemented processes and policies to assist in compliance, but under the regulation they will also need to be able to demonstrate these processes.
How to get compliant in 50 days
With just 50 days to go, if your organisation hasn’t started its journey to GDPR compliance, it’s going to be an uphill struggle to get compliant in time. The first step, as with any regulation or piece of legislation, is to understand how it will affect your organisation; as the data regulatory authority for the UK, the Information Commissioner’s Office (ICO) has published a large amount of information to help with this, including a compliance checklist.
As all data sets are covered by the regulation, you need to be aware of how the protection of secondary data sets is affected; this includes backup and archive copies of data. As experts in data protection since 1998, Redstor has been helping organisations comply with data protection laws for many years, including the previous Data Protection Act. Access the ‘What does the GDPR mean for backup’ whitepaper here.
The GDPR will be written into British law through the new Data Protection Bill, which will become the new Data Protection Act (2018) once passed as law on the 25th of May.
Trust the process
A data processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Under the GDPR, data processors have added responsibility to ensure data is secure and protected from a data breach. Under previous data protection laws, this liability fell to the data controller regardless of who caused the breach or how it was caused. Under the updated regulations, data controllers must ensure data processors have taken ‘technical and organisational measures’ against a data breach; in other words, controllers must do due diligence on the processors they choose. This includes how and where processors store data and whether data is transferred across sites or borders.
Article 32 – Security of Processing
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
By and large, any organisation providing a service will be processing data on some level, whether this is customer data or data handled as part of the service. In addition to requiring data processors to mitigate the risk associated with any potential breach, the regulation states that processors must only process data in accordance with a contract between the two parties.
Article 32 of the GDPR outlines the security of processing data, and while point 1 of the article states that ‘technical and organisational measures’ should be taken, the article breaks this down further to include:
- The pseudonymisation and encryption of personal data
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Redstor’s unified backup, disaster recovery and archiving platform stores data in an encrypted format, preventing unauthorised access and leaks of personal data. The platforms maintain 99.999% availability, and regular integrity checks are carried out across both the storage platforms and the underlying Backup Pro software. By its nature, Redstor Pro ensures that end users can restore data on demand, and with InstantData, data is available instantly.
To find out how Redstor can assist you in complying with the GDPR, or how to streamline your data protection processes, get in touch now.