As technology evolves, data has become increasingly central to business operations. With the growth of connected devices (the Internet of Things, IoT), businesses collect, process and monetise ever larger volumes of data, and data collected by one company is frequently used by others. Individuals therefore need appropriate assurances about how their data is collected and processed.
The European Union's GDPR (General Data Protection Regulation) took effect on May 25, 2018, to protect the personal data of individuals in the EU. The GDPR is a personal data regulation and applies to the processing of personal data by:
- Organisations established in the EU, even if the data processing itself takes place outside the EU.
- Organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour within the EU.
GDPR principles
The GDPR sets out seven principles (Article 5) that must be followed whenever personal data is processed:
1. Lawful, fair and transparent processing
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subjects. Lawfulness means that every processing operation must rest on one of the legal bases recognised by the GDPR (for example consent, contract, legal obligation or legitimate interests). Fairness means that processing must not be unduly detrimental, unexpected or misleading to the individuals concerned. Transparency means that individuals (and regulators) must be able to understand what is done with the data: the information provided about the processing must be clear, concise and easily accessible.
2. Purpose limitation principle
Personal data must be collected for specified, explicit and legitimate purposes, determined at the time the data is collected, and must not be further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is not considered incompatible with the original purposes, provided the GDPR's safeguards are in place.
3. Data minimisation
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. In practice, data controllers should collect only the minimum data required for the intended processing and should not collect personal data "just in case" it turns out to be useful later.
4. Accuracy
Personal data must be accurate and, where necessary, kept up to date. Data controllers must take every reasonable step to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Whether data must be refreshed depends on the purpose: a historical record may legitimately stay as it was, whereas contact or billing details must be kept current.
5. Storage limitation (data retention periods)
Personal data must be kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which it is processed. Data may be stored for longer periods only insofar as it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and only if appropriate technical and organisational measures are in place to safeguard the rights and freedoms of the individuals concerned. In practice this means defining a retention period for each category of personal data and deleting or anonymising the data once that period expires.
6. Integrity and confidentiality (data security)
Personal data must be processed in a manner that ensures an appropriate level of security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. "Appropriate" is judged against the risk to individuals, so the measures a controller chooses must cover cybersecurity controls (such as encryption, access control and monitoring) as well as physical and organisational security measures.
7. Accountability
Data controllers are responsible for, and must be able to demonstrate, compliance with the principles above. They should have appropriate policies, procedures and records in place (for example records of processing activities and documented legal bases) so that compliance can be shown to a regulator on request, rather than merely asserted.
Key steps in GDPR compliance
- Determine how the GDPR affects your organisation and its business processes, and decide how personal data will be governed consistently across all environments rather than system by system.
- Identify the sources of personal data and where it is stored (a data inventory or data map). Define and, where possible, automate policies for storage, retention, access and archival so that the purpose limitation and storage limitation principles are enforced rather than left to individual teams.
- Assess the risks in your current systems and processes, and implement technical and organisational measures that provide a level of security appropriate to those risks.
- Manage personal data across all locations, whether on-premises or in the cloud. Whatever tooling you choose should give you visibility of, and control over, personal data across your physical and virtual infrastructure, since the controller remains responsible for data processed by cloud providers acting on its behalf.
- The GDPR requires data protection by design and by default: privacy considerations must be built into products and services when they are designed and developed, not added afterwards. Encryption of personal data, both in transit (for example when sent to the cloud) and at rest, is one of the measures the GDPR explicitly names.
- A personal data breach includes unauthorised access or disclosure by your own employees, not only external attacks. Access to personal data should therefore be limited to those who need it for their role, and that access should be reviewed and logged.
- Monitor compliance on an ongoing basis and be able to report on it, so that the accountability principle can be demonstrated with evidence.
