Software Solutions: Your Fast Track to GDPR Compliance
June 1, 2018. Featured article by Sébastien Boire-Lavigne, CTO and appointed Data Protection Officer, XMedius Solutions
The General Data Protection Regulation (GDPR) has arrived and many companies in the EU and U.S. are racing to get their security and privacy processes in place, even after the May 25th deadline. If your organization isn’t 100 percent compliant yet, you’re not alone. A survey conducted by the Ponemon Institute in April revealed that out of the 1,000 EU and U.S. companies in a variety of sectors who were surveyed, only 42 percent expected to be in compliance with GDPR by the deadline.
Most companies understand that compliance with GDPR is critical, but that doesn't make the road to compliance any less daunting. It is, after all, one of the most far-reaching regulations on personal data most of us have seen, so becoming compliant doesn't happen overnight. But if achieving GDPR compliance isn't already at the top of your agenda, keep in mind that as of May 25th you are exposed to heavy fines if you're found to be non-compliant. Just as GDPR is a major regulation, so are its penalties: the upper tier of fines is up to €20 million or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).
Luckily, the fact that we're in a digital age means that software solutions can help companies take big steps in their compliance efforts. It's important to note that software solutions by themselves cannot make an organization GDPR compliant. The GDPR is multifaceted, and much of the work on the road to compliance involves rethinking your organization's privacy policy, becoming highly transparent about the collection and storage of the personal data of individuals in the EU, developing clear-cut means of obtaining user consent, and much more. Be wary of solutions claiming to make your organization GDPR compliant with the turn of a key.
Where software solutions do play an integral role, however, is in the transmission, management and storage of that data, supporting regulatory compliance and, as a bonus, saving your business both cost and manpower along the way.
Although no specific software solution is mandatory under GDPR, it's worth looking out for a few key features if you want some quick wins in your compliance strategy.
Limiting Access
The aim of GDPR isn't to make business more difficult, but to protect personal data and make sure it is not used beyond the purpose for which it was lawfully collected, for example beyond what the data subject has consented to. GDPR also grants data subjects the right to restrict the processing of their data (Article 18) and, in the circumstances set out in Article 17, to have it erased.
The three pillars of information security when it comes to data privacy are confidentiality, integrity and availability. Integrity means ensuring that stored data is not changed in an unauthorized way, while availability means that data is accessible to data subjects and authorized employees whenever it is needed.
Confidentiality means setting limits on who may have access to personal data, based on their need to know. Software can enforce this: grant access to personal data only to authorized personnel, according to their role, and deny everything else by default, so that a new or unrecognized role has no access until someone decides it should.
Encryption
A widely used process that scrambles data so that it is unreadable to anyone without the decryption key, encryption is mentioned four times in the GDPR text:
“…implement measures to mitigate those risks, such as encryption.” (Recital 83)
“…appropriate safeguards, which may include encryption” (Article 6(4)(e))
“…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (Article 32(1)(a))
“…unintelligible to any person who is not authorised to access it, such as encryption” (Article 34(3)(a))
If you choose software that uses encryption to protect personal data, there are several ways to go about it, such as exchanging data with clients through a secure client portal. Another option is to encrypt and password-protect client files before sending them by email or sharing them through cloud storage and file-sharing sites; that only helps if the password reaches the recipient over a different channel from the file, since a password sent in the same email protects nothing. There's also the option of running an encrypted email server, which can be expensive and disruptive to business activity, and which still doesn't guarantee protection end to end, because that depends on every server and mailbox on the receiving side supporting it as well.
Secure file transfer solutions like XMediusSENDSECURE encrypt data both in transit and at rest. A simple code is sent to recipients to verify that files reach the right hands, removing much of the risk behind common data breaches. Users don't have to encrypt the data themselves before initiating a transmission, so it removes a step and requires minimal training: secure, easy-to-use software that does the work for you.
Records of Processing Activities
Article 30 of the GDPR, titled “Records of processing activities”, requires controllers and processors to maintain a written record of what personal data they process, for which purposes, who receives it, how long it is kept and which security measures protect it. In practice that record is backed by software: an application or security log that maintains an audit trail of what was done with the data from the time it is obtained until it is erased. Glancing at other sections of the GDPR shows how much audit logging matters elsewhere too: breach notification and communication (Articles 33 and 34), the effectiveness of security measures (Article 32) and erasure (Article 17).
By maintaining audit logs of the activities around processing personal data, organizations not only gain insight into their security controls and processing activities, they can also identify a breach quickly and report it within the 72 hours Article 33 allows, if one ever occurs. The audit trail built into XMedius solutions, for example, keeps detailed information on all inbound and outbound file transmissions, capturing personal data at a crucial point in its life within your organization: as it is sent and received.
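As an added example that is not XMedius code, the following Go program ties together the two points made above: the role-based, deny-by-default access to personal data from the Limiting Access section and the audit trail discussed here. Every attempt to read or erase a record is checked against a role matrix, written to a hash-chained log whether it was allowed or not, and the log can later be verified and queried per data subject, which is the evidence you need for an Article 17 erasure request or an Article 33 breach timeline. The roles, the subject identifier, the record contents and the fixed clock are assumptions of the example, and the log stores only a subject identifier, never the personal data itself.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

const ActionRead, ActionErase = "read", "erase"

// Least-privilege matrix (roles are assumptions of this example). A role that is
// not listed, or an action not granted to it, reads as false: denied by default.
var rolePermissions = map[string]map[string]bool{
	"support-agent": {ActionRead: true},
	"dpo":           {ActionRead: true, ActionErase: true},
}
var ErrDenied = errors.New("access denied")

// AuditEntry: who did what to which subject, when, and whether it was allowed.
// It carries a subject identifier, never the personal data itself.
type AuditEntry struct {
	At       time.Time
	Actor    string
	Role     string
	Action   string
	Subject  string
	Outcome  string // "allowed" or "denied"
	PrevHash string // hash of the previous entry; "" for the first
	Hash     string
}

func (e AuditEntry) digest() string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%s|%s|%s", e.At.UTC().Format(time.RFC3339Nano), e.Actor, e.Role, e.Action, e.Subject, e.Outcome, e.PrevHash)))
	return fmt.Sprintf("%x", sum)
}

// Store keeps personal-data records by subject ID plus the hash-chained audit log.
type Store struct {
	Records map[string]string
	Log     []AuditEntry
	Now     func() time.Time // injectable clock, so the trail is reproducible in tests
}

func (s *Store) audit(actor, role, action, subject, outcome string) {
	e := AuditEntry{At: s.Now(), Actor: actor, Role: role, Action: action, Subject: subject, Outcome: outcome}
	if n := len(s.Log); n > 0 {
		e.PrevHash = s.Log[n-1].Hash // link to the previous entry
	}
	e.Hash = e.digest()
	s.Log = append(s.Log, e)
}

// Access checks the role matrix, logs the decision (allowed or denied) and only
// then touches the record: a read returns it, an erase deletes it.
func (s *Store) Access(actor, role, action, subject string) (string, error) {
	if !rolePermissions[role][action] {
		s.audit(actor, role, action, subject, "denied")
		return "", ErrDenied
	}
	s.audit(actor, role, action, subject, "allowed")
	rec, ok := s.Records[subject]
	if !ok {
		return "", errors.New("no such subject")
	}
	if action == ActionErase {
		delete(s.Records, subject)
		return "", nil
	}
	return rec, nil
}

// Verify walks the chain: an edited, removed or reordered entry breaks a link.
func (s *Store) Verify() error {
	prev := ""
	for i, e := range s.Log {
		if e.PrevHash != prev || e.Hash != e.digest() {
			return fmt.Errorf("audit chain broken at entry %d", i+1)
		}
		prev = e.Hash
	}
	return nil
}

// History is the evidence for one subject: when the record was read or erased,
// and which attempts were turned away.
func (s *Store) History(subject string) (out []AuditEntry) {
	for _, e := range s.Log {
		if e.Subject == subject {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	clock := time.Date(2018, 6, 1, 9, 0, 0, 0, time.UTC) // fixed clock for repeatable output
	s := &Store{Records: map[string]string{"subj-4711": "constructed record"}, Now: func() time.Time { clock = clock.Add(time.Minute); return clock }}
	s.Access("alice", "support-agent", ActionErase, "subj-4711") // denied: not among the role's actions
	s.Access("bob", "dpo", ActionErase, "subj-4711")             // allowed: an Article 17 erasure request
	fmt.Println(len(s.History("subj-4711")), "entries; chain intact:", s.Verify() == nil)
	s.Log[0].Outcome = "allowed" // someone rewrites history
	fmt.Println("after tampering:", s.Verify())
}
```

Hash chaining makes silent editing or deletion of earlier entries detectable by anyone who holds the latest hash; it does not stop an attacker who controls the whole log from rewriting it consistently, so in practice the head hash is periodically copied to a system the logging host cannot write to, such as a separate log collector or a write-once store.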
For more information on XMedius and its solutions, visit www.xmedius.com.
Sébastien Boire-Lavigne
For nearly 20 years, Sébastien Boire-Lavigne has been a driving force at XMedius, a global leader in the field of enterprise communications, and has been instrumental in developing XMedius’ technology strategy. Among his many accomplishments, Sébastien led the development of the ground-breaking XMedius Fax-over-IP technology, cloud platforms and XMediusSENDSECURE.
His versatility, wide-ranging technical skills and keen business acumen allow him to seamlessly bridge the technical – business divide. In addition to leading Product Development, he is also responsible for Customer Services, IT and Information Security.