Frequently Asked Questions about the General Data Protection Regulation
Understanding the regulations and solving customer jobs
Q1 – What is GDPR?
The General Data Protection Regulation (GDPR) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The regulation detail is contained in a lengthy document with 99 separate articles. You won’t necessarily need to know about them all but you will hear and read more about the articles that have relevance to our products as you learn about GDPR.
Q2 – Why has the EU created this regulation?
The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Currently each of the 28 EU member countries has their own laws; GDPR will replace these, thereby unifying data protection laws throughout the EU. The following extract from the regulations provides a concise description of why the EU thinks GDPR is important.
Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make their personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data. Those developments require a strong and more coherent data protection framework in the Union, backed by strong enforcement, given the importance of creating the trust that will allow the digital economy to develop across the internal market. Individuals should have control of their own personal data. Legal and practical certainty for individuals, economic operators and public authorities should be enhanced.
Q3 – What does “Personal Data” actually mean?
This is very clearly defined in Article 4 of the regulation, which is shown verbatim below. Another term you will notice here is “data subject”, which you will also start to hear mentioned a lot; this just means the person that the data relates to. However, as you can see from the definition, personal data could be almost anything that relates to an individual residing in the EU.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Q4 – When do organizations need to be ready for GDPR?
The GDPR comes into full force on the 25th May 2018, so all business throughout the EU need to be working on this now. At the time of writing this leaves just 15 months for organizations to become fully prepared.
Q5 – I’ve heard mention of Data Controllers, Data Processors and Data Subjects but what do these terms actually mean?
GDPR applies to ‘controllers’ and ‘processors’. Simply put, the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach when GDPR comes into effect than you do under current law.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Data Subject: this is basically an individual, which the regulation describes in a more legal form as “an identifiable natural person”.
Q6 - Should organizations based outside of the EU be concerned about having to comply with GDPR?
GDPR still applies to any personal data relating to individuals in the EU that is processed outside the EU, and so it will still apply if you are doing business with countries in the EU or are located there.
Any company outside of the EU is also directly liable under the GDPR if it is controlling or processing data of EU residents. It’s likely that a subsidiary in the EU would be seen as an asset of the non-EU parent, and that asset could be used to pay a fine. So even if the EU subsidiary has complied, the non-EU company may still commit a breach if it holds personal data of EU residents, and if it doesn’t pay the fine, the Data Protection Authorities can take action to recover the fine from the EU subsidiary.
Q7 - Why should any organization be concerned about GDPR?
There will be fines for organizations that do not comply with GDPR, and these are intended to be large enough to stop companies weighing up the risk of fines against the costs of complying. The EU has made it clear that it intends to use the new powers to make examples.
The fines are up to 2% of annual worldwide turnover in the previous financial year or €10 million, whichever is the greater, for minor breaches; and 4% or €20 million for major breaches. The GDPR articles state what is considered to be minor or major breaches, although the seriousness of the breach will be taken into account when assessing how much the fine should be. Public sector organizations can also be fined, but since they won’t have a turnover, the fines, up to the maximum monetary amounts, would apply. Penalty fines will be issued by the local data protection authority. They can be appealed but are legally enforceable in national courts.
Getting compliant will also mean that organizations only retain the data that they really need and get more business value from it, and in the long term they will save money that they would have spent on unnecessary storage. So it’s worth investing in the right tools, as in the long run they are likely to pay for themselves.
Also, the GDPR is all about respecting people’s rights; complying with GDPR demonstrates to your customers that you value them, and care about respecting their privacy.
Q8 – What are the main analysts or consulting firms saying?
IDC estimates that the game-changing GDPR creates a total market opportunity of $3.5 billion for security and storage software vendors. They also stated that GDPR is a game changer for organizations because of the scale of potential fines (4% of revenue or €20M).
Gartner estimates that by the end of 2018, over 50% of companies will not be in full compliance with GDPR. They also advise organizations to prepare for GDPR accountability and transparency requirements since they believe few organizations have identified all processes where personal data is involved. They highlight the issue of effectively managing the backup process to avoid over retention of personal data and recommend the adoption of file analysis and archive products to help identify storage locations and respond to data subject requests.
PWC research at the end of 2016 established that 54% of the CxOs they spoke to said the GDPR is their highest priority item for data privacy and security, and 38% said that GDPR is one of their top priorities. Data discovery is one of the most important tasks for the 71% of organizations that have started to plan for GDPR. Most organizations (77% of respondents) also plan to spend more than $1M on GDPR preparation.
Q9 – How can organizations prepare themselves for GDPR?
To be able to get ready for GDPR, customers will need to have a good understanding of their data. They will need to build an inventory or data map for each business process so that they can understand the following:
• What personal data they have
• Where it is stored
• Why they have it (e.g. for what purposes)
• How long they need to retain it for
• Who has access to it
If customers can’t answer any of the above then they probably can’t comply with GDPR. Our tools can help them locate the personal data in their dark data so that they can ensure it’s managed in accordance with GDPR.
A key principle of GDPR is that personal data should not be kept for longer than is necessary. Our tools will be able to help find personal data that is no longer needed, so that it can either be deleted, moved or put into an archive with an appropriate retention period.
It’s also important to understand that individuals (Data Subjects) will have a number of rights and will be able to ask organizations what data they hold about them and request to either see it, update it or delete it. They can also request to have the processing of that personal data restricted, and ask to have it disclosed in a format that will allow them to port the data to another service provider. So organizations will need to be prepared for this and have an effective process to deal with these requests.
We can provide the tools, such as the eDiscovery Platform, that help legal teams find the personal data, review it and redact or mark it for deletion efficiently and within the time limits.
Another important requirement of GDPR is being able to react quickly to data breach situations, although of course customers want to minimize the likelihood that one can happen in the first place. Understanding where personal data is stored and keeping it secure will help reduce the possibility of a breach but also make it easier to understand the scope of a breach if it does occur.
Finally, any personal data that customers keep must be kept available and protected from loss, damage and destruction, so our advanced tools for backup, business continuity and resiliency are an absolute requirement. They will also need to be sure personal data is kept secured with appropriate levels of access, and Data Insight will help them with this.
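As an added illustration of the data inventory described in this answer (example code written for this FAQ, not a Veritas product feature; the record fields, dates and sample entries are constructed assumptions), the following checker flags inventory records that cannot answer one of the five questions and records held past their retention period, which would breach the storage limitation principle of Article 5(1):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class InventoryRecord:
    """One entry in a data map: the five questions from Q9 plus a collection date.
    Field names are assumptions for this example, not a Veritas schema."""
    what: str                      # what personal data is held
    where: str                     # where it is stored (system/path)
    why: str                       # why it is held (purpose of processing)
    retention_days: Optional[int]  # how long it may be kept; None = unknown
    who: Tuple[str, ...]           # who has access (roles/groups)
    collected: date                # when the data was collected


def check_record(rec: InventoryRecord, today: date) -> List[str]:
    """Return findings for one record; an empty list means no issue found."""
    findings: List[str] = []
    if not rec.what:
        findings.append("missing: what personal data is held")
    if not rec.where:
        findings.append("missing: where it is stored")
    if not rec.why:
        findings.append("missing: purpose (why it is held)")
    if rec.retention_days is None:
        findings.append("missing: retention period")
    elif today > rec.collected + timedelta(days=rec.retention_days):
        # Kept longer than necessary: Article 5(1) "storage limitation"
        findings.append("over-retained: past retention (Art. 5(1) storage limitation)")
    if not rec.who:
        findings.append("missing: who has access")
    return findings


def audit_inventory(records: List[InventoryRecord], today: date) -> Dict[str, List[str]]:
    """Map each record's storage location to its findings; clean records are omitted."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        findings = check_record(rec, today)
        if findings:
            report[rec.where] = findings
    return report


# Constructed sample inventory (assumed values, not real systems or data)
TODAY = date(2017, 2, 1)
SAMPLE = [
    InventoryRecord("customer contact details", "crm-db/customers", "order fulfilment",
                    730, ("sales",), date(2016, 6, 1)),
    InventoryRecord("job applicant CVs", "hr-share/recruitment", "recruitment",
                    180, ("hr",), date(2016, 1, 15)),
    InventoryRecord("email archive mailboxes", "mail-archive/2012", "",
                    None, (), date(2012, 3, 1)),
]

if __name__ == "__main__":
    for where, findings in audit_inventory(SAMPLE, TODAY).items():
        print(where)
        for finding in findings:
            print("  -", finding)
```

Running it reports the recruitment share as over-retained and the old mail archive as lacking a purpose, a retention period and an access list, while the customer record passes.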
Q10 – How can Veritas help customers with GDPR?
The good news is that we have many products that will help customers with GDPR because ultimately the regulation is about managing and protecting data, which we have been doing for years. The high level jobs that customers will need to solve as part of GDPR are summarised below. A more thorough product matrix is being worked on that will map the jobs to different products that will help show the overall GDPR solution that Veritas can offer.
High Level Jobs and Product Mapping
Locate- Uncover personal data and make it visible
Search - Make personal data highly searchable
Minimize - Manage personal data in compliant storage
Protect - Protect personal data from breach, loss or damage
Monitor - Ensure personal data is always protected
Q11 – Why should organizations be worried about a data breach?
All organizations are probably already worried about a data breach happening to them; there are regular stories in the news of this happening. This goes to the heart of what GDPR is about, and it’s quite likely that data breaches will be among the first types of prosecution to be made when GDPR is in force.
Given the fines that could be imposed, making sure a breach doesn’t happen will be a high priority for most organizations. They’ll be concerned not just with the fines that could be imposed but also with the reputational damage that could result. This will mean making sure appropriate controls are in place to restrict access to personal data and that access is effectively audited and monitored. Also, the use of encryption is encouraged to mitigate the risk of a data breach. However, if a breach does occur, it’s equally important that it is handled efficiently and within the time scales laid down: as soon as possible, and no later than 72 hours after the breach has been detected.
Q12 – How will organizations prove that they’re complying with GDPR?
Organizations will be responsible for compliance with GDPR, and some, such as public sector bodies or companies that process large amounts of personal data, are expected to appoint a Data Protection Officer to ensure they follow the regulation as needed. Compliance is only likely to be tested when they have an infringement or breach which involves the local supervisory authority.
Being able to demonstrate that an organization has followed best GDPR practice will be key to showing it takes data privacy seriously. This will mean being able to quickly refer to data inventories, processing activities, data retention policies, security policies and proof that there are appropriate controls in place to monitor all of this.
There are specific areas of the regulations that deal with Privacy by Design and the need to perform Data Protection Impact Assessments as new services are developed to ensure that data privacy is part of any core design.
In summary, organizations will be expected to work hard to ensure GDPR is followed, so that risk management and data protection are taken seriously as part of their day to day business. If there is no evidence of this when something does happen, it’s likely that this would have an impact on the scale of fines that the supervisory authority would impose.
Q13 – Is there a certification standard to demonstrate compliance?
As with most regulations, GDPR is all about the process an organization uses to ensure compliance. Obviously technology will be used to help them comply, but it’s the overall business processes that will need to be certified. This will be possible with GDPR: each member state (country) will have a voluntary certification mechanism in place, as described in Article 42 of the regulation, but specific details of certification schemes are not yet available. This will certainly become an important differentiator for some organizations; being able to show that they take privacy seriously will be a competitive advantage for some.
Q14 – What is Veritas doing to make sure our products can help customers solve their GDPR problems?
Complying with GDPR isn’t just about technology; it’s about ensuring each business process has appropriate controls in place to manage personal data in accordance with the regulations. Technology will be used to help with this, and our existing products are well placed to help customers with this today.
The Product Management team are looking across all our products to ensure we have effective GDPR solutions that can leverage all our technology stacks. They are focused on making sure we understand the customer problems and that these are converted into user stories for PM & Engineering to solve, so that any product gaps can be quickly closed.
A virtual cross-PM team has been assembled to bring focus on GDPR. If you have concerns, comments or ideas, then please contact them.
Q15 – What about our competition – what are they doing for GDPR?
Given that IDC has said GDPR represents a $3.5B opportunity for software vendors, all our competition will also be focusing on this. Competitor documents are available on the GDPR SAVO page here that go into more detail about the strengths and weaknesses of our key competitors.
Key Articles Relating to GDPR
The GDPR regulation contains 99 articles, but the following are the key ones of interest in terms of the areas that Veritas products can help with. For exact context, the full regulation should be referenced; a link to it is provided at the end of this section.
Article 4: This article has all the definitions used in the regulation. It's a useful reference, but the key definition shown here is the important one to understand.
• Article 4: Defines "personal data" as
• Information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
Article 5: This article is a key foundation of GDPR, so it is shown in its original form.
• Article 5 (1) - Principles relating to processing personal data:
• Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
• Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes; (“purpose limitation”);
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)
• Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 83(1) subject to implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”);
• Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”);
• Article 5 (2) - Principles relating to processing personal data:
• The controller shall be responsible for and be able to demonstrate compliance with paragraph 1 (“accountability”)
Data Subjects Rights
These are the key articles that define an individual's right to control their personal data.
• Article 15: Individuals’ right to access their data
• Article 16: Individuals’ right to have their data rectified
• Article 17: Right to be forgotten / Right to erasure
• Article 18: Right to restrict processing
• Article 20: Right to data portability
General Obligations
This is the key article stipulating that personal data should be protected using state of the art technical and organisational measures. It also references Article 42, which is about being able to demonstrate compliance through a certification process.
• Article 25: Data protection by default and by design
Security of Personal Data
These relate to the need to use "state of the art" methods to protect and secure personal data, and to the breach notification process to the supervisory authority and, when appropriate, to the data subjects.
• Article 32: Security of Processing
• Article 33: Notification of a personal data breach to the supervisory authority
• Article 34: Communication of a personal data breach to the data subject
Codes of Conduct and Certification
This explains that the supervisory authority can establish a voluntary certification mechanism to help organisations gain recognition for being able to demonstrate that they comply with GDPR. Certification bodies will be appointed by the supervisory authority.
• Article 42: Certification
Transfer of Personal Data to Third Countries or International Organisations
These all relate to the transfer of personal data to countries outside of the EU. They reference the principles and safeguards required, with a lot of detail about Binding Corporate Rules (BCRs) and exceptions. These rules are intended to ensure that the protection offered to EU residents by GDPR is not undermined.
• Articles 44-50: International data transfers under “appropriate safeguards”
The approved EU source of the complete GDPR Regulation is as follows.