The day has come, are you ready for the GDPR?

May
25

With the GDPR here and ready to go in effect, its good to analyze five important questions, number three directly involving data portability. 

Ready or not, General Data Protection Regulation (GDPR) is here. EU citizens now have far more control over their personal data thanks to these sweeping limits on their data’s storage, sharing and use. But this is not something for the EU. It applies to anyone offering goods or services to consumers or businesses in the EU— essentially every major corporation in the world.

And compliance does not end at the boundaries of your enterprise. Even after your customer data moves to third parties, from public cloud providers to email service providers, you still bear ultimate responsibility for its safekeeping.

With regulations of this magnitude, businesses generally fall into into three categories:

  • Those taking rigorous action to comply fully and on time
  • Those sticking their heads in the sand
  • Those who tell themselves they’ve checked all the boxes, without looking under the hood

If you are a data “controller”—the company that owns the data and is ultimately responsible for GDPR compliance—you probably have one or more “processors” to whom you delegate data and/or processing responsibilities. These processors have probably shared lots of documentation demonstrating their GDPR compliance capabilities. However, it’s important to ensure this documentation matches what’s actually under the processor’s hood — from complete audit trails to data erasure, no matter where your data might end up in their infrastructure. To help you do so, here are five tough questions every data controller should ask their data processors.

1. Has the processor provided a detailed map showing how personal data is handled everywhere in the processor’s extended infrastructure?

If the processor’s map looks just like everyone else’s, that is not a good sign. The map should be extensive, highly specific and include things beyond the obvious. For example, it should show how the processor governs test data used in building reports on your behalf, or exactly how your data is isolated from that of their other customers.

2. Can the processor demonstrate that your data remains safe even when it passes into the hands of your processor’s own sub-processors—i.e. public cloud providers your processor relies on?

Inevitably, your processors will have their own third-party processors. It is not enough for your processor to say, “Don’t worry, our public cloud warehouse is GDPR-compliant.” Out-of-the-box GDPR compliance tools are a good place to begin, but in no way guarantee compliance for your data. Ensure the processor is taking all steps required to secure your unique data and use case.

3. Can the processor demonstrate compliance with GDPR’s data portability and fine-grained data erasure requirements?

Data erasure — the right for customers to be forgotten — and data portability are probably the two most stringent and technically challenging aspects of GDPR. Compliance is not just about moving or erasing rows of data in a single database. Data inevitably moves throughout the processor’s infrastructure, and that means capabilities to support erasure and portability must also extend to every touch-point. Have the processor walk you through the ways they address the challenge for each and every one of those touch-points.

4. Can the processor provide comprehensive audit trails that include every transaction involving personal data, wherever it ends up in their extended infrastructure?

It is not enough for the processor to handle personal data properly. They must be able to prove they have with comprehensive audit trails. This means reliably demonstrating exactly who is accessing what data—and when and how they access it. Ask processors to show that they can log every transaction—and make sure audit data is stored in a tier that is even more secure than the rest of the processor’s infrastructure, so it is not accidentally deleted.

5. Can the processor demonstrate that its own third-party processors are not accidentally receiving personal data?

Just as the processor must track and audit data wherever it moves through its own infrastructure as well as their own third-party processors, they must be able to show that your data cannot accidentally flow to those sub-processors. Proving that you did not do something wrong is just as, or even harder, to demonstrate than that you did everything right. Ask your processors to show you how they are meeting this requirement.

With the advent of GDPR, a great deal is at stake. Don’t just let processors tick the boxes for you. These five questions are exactly what every company or corporation should be analyzing. When it comes to question three. We are here to help you achieve this. Fill out a contact form on our website and we will be happy to contact you. https://www.idlink.eu/contact

Read the complete article by Nitay Joffe the co-founder and CTO of ActionIQ here.

Sebastian Allerelli
Partner at Safe Online
© 2018 Safe Online