The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018 and is possibly the biggest legislative change of our time. It will have huge implications for most businesses that deal with personal data. The consequences of non-compliance are massive - severe fines of up to €20m or 4% of turnover. Businesses need to act now to ensure they are GDPR ready before the deadline.
GDPR has four broad themes: 1. Dealing with ‘data subject access requests’; 2. Legal compliance (consent and terms and conditions); 3. Business process risk management; 4. Effectively dealing with breach notification.
Dealing with ‘data subject access requests’ has the most far-reaching implications for businesses because questions such as ‘what Personal Sensitive Data do you hold?’, ‘why are you holding it?’, ‘where is it stored?’, ‘who can see it?’ and ‘how long are you going to keep it for?’ seem simple. However, there are plenty of organisations that struggle to keep track of their servers and build/patch state, let alone the content of those systems. The task of knowing where all Personal Sensitive Data exists, including all copies of it, whether legitimate or otherwise, is in itself considerable. Now add in the obligations, such as the right to correct, delete or port the data, and the true scale starts to emerge.
Conventional approaches include creating yet another dedicated data warehouse or creating a central meta-data repository, which applications notify when they add, modify or delete Personal Sensitive Data. A new data warehouse is expensive, and not foolproof because data can be missed. A central meta-data repository has wide ramifications because, potentially, every application has to be changed to communicate with the central application every time data is added, modified or deleted.
Ideally organisations would just want to monitor their data traffic without modifying underlying applications or systems - to listen for the changes and store that meta-data for retrieval at the source, only when required. If this were possible, then a large amount of cost could be removed from implementing GDPR.
Proteus®GDPReady+™ incorporates a third party user behaviour and monitoring technology used by police forces, NHS trusts and global retail clients, to deliver the new data listening capability. Proteus®GDPReady+™ is an API-less data listening solution that can track when your applications interact with Personal Sensitive Data and can retrieve that data to support data subject access requests. It complements the previously released Proteus®GDPReady™, which provides the DPO with the tools to manage organisations’ compliance with GDPR, including modelling business processes, defining where sensitive data is located and performing multi-phase Data Privacy Impact Assessments. The ‘+’ option adds the capability to easily retrieve Personal Sensitive Data and so completes the GDPR puzzle. Compared with the conventional approaches it is also seriously cost effective.
