What is GDPR, and what’s it’s purpose?

GDPR stands for “General Data Protection Regulations” and is a regulation passed by the European Union (EU) that protects the personal data of EU citizens (also known as data subjects).

GDPR

GDPR defines personal data as any information relating to a data subject which is defined as, “an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” – In other words, a data subject is any EU citizen who has data about them collected by an organisation.

What should be protected?

GDPR requires both the protection of personal data and evidence of the protection measures a business has in place for any location (physical or digital) where personal data is collected, processed, stored, or transmitted. Under GDPR, organisations must be able to identify when personal data becomes exposed or compromised. The regulation applies to organisations regardless of whether they’re located in the EU or not.

Article 3 on Territorial Scope, GDPR applies to:

  • Any organisation in the EU, even if the processing occurs outside the EU.
  • An organisation processing EU citizen data in the context of selling goods or services or monitoring data subject behaviour in the EU. This applies even if the organisation is located outside of the EU.
  • Data controllers (defined as the entities that determine the purposes, conditions, and means of the processing of personal data) that are located outside of the EU, but where the EU law applies due to international law.

Additionally, GDPR keeps the rules around data transfers that were put in place for previous laws. Data transfers can typically occur only with nations that have adequate security protections. However, GDPR does also allow for codes of conduct and certifications that, when approved, allow for exceptions – This means that other legislation may have to be considered when creating your policy (such as Mifid II etc.)

So how can UCentric help SME’s comply?

The GDPR tool within UCentric allows you to perform a sweep of your file systems and databases to highlight potentially sensitive personal information.

GDPR states that you should have technological measures in place to: Classify data, Prevent data loss, Encrypt data, Manage Explicit Consent, Limit Data Transfer and allow individuals to exercise their rights to “Access”, “Rectify” and “Erase data.

  • Classification
    • UCentric identifies the files and database entries where data is held even if you are unaware of it!
  • Encryption
    • It will sweep all relational database engines (Microsoft SQL, MySQL/InnoDB, ODBC etc.) and detail which database are unencrypted and where lax security or unnecessary elevation of access rights is in place.
  • Explicit Consent
    • Without knowing what data you have, how can you control consent?!
  • Data Transfer
    • The tool highlights all personal data, so you can be sure of what data you are transferring.
  • Access, Rectify and Erase
    • Built in reporting and redaction makes this a much simplified process, and performs it across multiple files or databases simultaneously.

In addition to the automated discovery, UCentric GDPR provides a Quality Assurance template that you can embed within an existing ISO9001/27001 framework, or use as a standalone compliance document.