Best Practice: Meet GDPR Data Compliance with eperi

The GDPR will come into effect in May 2018. Are you ready?

What is GDPR?

After years of work by the EU, on 25 May 2018 the General Data Protection Regulation (GDPR) will come into force, with the central aim of protecting the personal data of individuals in the EU.

GDPR will supersede the 1995 EU Data Protection Directive, by introducing tougher fines for non-compliance and breaches as well as giving people more control over what organizations can do with their data.

With the introduction of GDPR, a single set of rules applies across the EU to every organization, including those established outside the EU, that processes or stores the personal data of individuals in the EU.

Who does GDPR apply to?

Organizations that control or process personal data will all need to abide by GDPR. Note that the GDPR term is "personal data", which is broader than the US notion of Personally Identifiable Information (PII) used elsewhere on this page: any information relating to an identified or identifiable natural person is covered, including identifiers such as IP addresses or cookie IDs.

Under the regulation, the organization that decides why and how personal data is processed is the “data controller”. As such, the data controller (your company) must implement appropriate technical and organizational measures to protect personal data and remains responsible for it even when the actual processing is carried out by a data processor, such as a cloud service or Software as a Service (SaaS) provider, acting on your instructions.

Disclaimer: This website does not constitute legal advice for your company to rely on in complying with GDPR. Instead, it provides background information to help you better understand how eperi can help your organization address some important GDPR requirements.

So how can eperi Cloud Data Protection solutions help my organization address GDPR data compliance needs?

Addressing Legal and Regulatory Data Compliance requirements is now a critical part of your organization’s cloud adoption planning and execution.

For your organization to confidently meet GDPR requirements where personal data needs to be protected in use, at rest and in motion, you need to stay in control of the data. That means being able to demonstrate that you have taken appropriate steps to protect personal data, even when your organization is using Cloud services like Office 365 or Salesforce to store and process it.

If your company as a data controller puts a customer’s sensitive information in the Cloud, you cannot dodge responsibility for protecting it.

The GDPR explicitly names pseudonymization and encryption of personal data as examples of appropriate technical measures (Article 32). Pseudonymization is defined in Article 4(5) as processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, where that additional information (for example an encryption key or a token lookup table) is kept separately and protected by its own technical and organizational measures.

Say, for instance, that your Cloud service provider is breached, putting all of its customers’ data at risk. If your organization can show that its data was encrypted or pseudonymized and that only your organization, not the breached provider, held the keys, the data is unintelligible to the attacker. In that case the GDPR does not require you to inform the affected individuals (Article 34(3)(a)), and the exposure that drives fines is greatly reduced; note that the duty to notify the supervisory authority within 72 hours (Article 33) still applies unless the breach is unlikely to result in a risk to those individuals. However, if the breached Cloud service provider also had access to the encryption keys for its customers’ data, you cannot rule out that the attackers decrypted the data, and the full notification duties apply.

This is where eperi Cloud Data Protection comes in: eperi applies the GDPR’s Privacy by Design requirement (Article 25) together with the principle of centralization to implement a transparent data control layer. It lets your organization enforce data protection via a single point of architectural control, so that sensitive data is encrypted or pseudonymized before it is stored or processed in Cloud services such as Office 365, Salesforce, ServiceNow, etc.
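The control-layer pattern just described, shown as an added example that is not eperi’s code: a small Python gateway that sits on the controller’s side, swaps personal data for tokens before a record leaves for the cloud processor, and swaps them back on the way in. The key and the token vault (the “additional information” of Article 4(5)) never leave the controller, so a dump of the cloud tenant yields only tokens. The same block contrasts this with irreversible anonymization. The key, the field list and the customer records are constructed for the example.

```python
"""Pseudonymization gateway sketch (added example; not eperi's product code)."""
import hashlib
import hmac
import json
from typing import Any, Dict, Iterable, List

# Controller-side secret, constructed for this example. In production it would
# live in an HSM or KMS under the controller's sole control and is never sent
# to the cloud processor.
CONTROLLER_KEY = bytes(range(32))

# Fields treated as personal data for this example.
PII_FIELDS = ("name", "email", "iban")


class PseudonymizationGateway:
    """Single point of control between users and the cloud application."""

    def __init__(self, key: bytes) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        # token -> plaintext. This vault is the "additional information" that
        # makes re-identification possible; it stays on the controller's premises.
        self._vault: Dict[str, str] = {}

    def _token(self, field: str, value: str) -> str:
        # Keyed HMAC, domain-separated per field: the same string in two
        # different fields yields two different tokens. Deterministic, so the
        # cloud app can still match equal values (e.g. all records of one
        # customer) without ever seeing the value itself.
        msg = field.encode() + b"\x00" + value.encode()
        return "tok_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymize(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Outbound path: replace PII fields with tokens before the record leaves."""
        out = dict(record)
        for field in PII_FIELDS:
            value = out.get(field)
            if value is None:
                continue
            tok = self._token(field, str(value))
            self._vault[tok] = str(value)
            out[field] = tok
        return out

    def reidentify(self, record: Dict[str, Any]) -> Dict[str, Any]:
        """Inbound path: swap tokens back for plaintext using the local vault."""
        out = dict(record)
        for field in PII_FIELDS:
            tok = out.get(field)
            if isinstance(tok, str) and tok in self._vault:
                out[field] = self._vault[tok]
        return out


def anonymize(record: Dict[str, Any]) -> Dict[str, Any]:
    """Irreversible alternative: drop direct identifiers and generalize the birth
    year to a decade. No key and no vault exist, so there is no path back to the
    person; fine for analytics, useless for a CRM that must serve the customer."""
    out = {k: v for k, v in record.items() if k not in PII_FIELDS}
    if "birth_year" in out:
        year = int(out.pop("birth_year"))
        out["birth_decade"] = f"{year - year % 10}s"
    return out


def plaintext_leaks(stored: Iterable[Dict[str, Any]],
                    originals: Iterable[Dict[str, Any]]) -> bool:
    """Breach check: would an attacker who dumps the processor's tenant find any
    original PII value in what is stored there?"""
    blob = json.dumps(list(stored)).lower()
    return any(rec.get(f) and str(rec[f]).lower() in blob
               for rec in originals for f in PII_FIELDS)


# Constructed sample records; these are not real people or account numbers.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"id": 1, "name": "Anna Beispiel", "email": "anna@example.org",
     "iban": "DE00 1234 5678 9012 3456 00", "birth_year": 1984, "plan": "gold"},
    {"id": 2, "name": "Max Muster", "email": "max@example.org",
     "iban": "DE00 9876 5432 1098 7654 00", "birth_year": 1991, "plan": "basic"},
    {"id": 3, "name": "Anna Beispiel", "email": "anna@example.org",
     "iban": "DE00 1234 5678 9012 3456 00", "birth_year": 1984, "plan": "gold"},
]


def run_demo() -> Dict[str, Any]:
    gateway = PseudonymizationGateway(CONTROLLER_KEY)
    stored = [gateway.pseudonymize(r) for r in SAMPLE_RECORDS]   # what the cloud holds
    restored = [gateway.reidentify(r) for r in stored]           # what the controller sees
    return {
        "stored": stored,
        "restored": restored,
        "same_customer_matched": stored[0]["email"] == stored[2]["email"],
        "plaintext_in_cloud": plaintext_leaks(stored, SAMPLE_RECORDS),
        "anonymized": [anonymize(r) for r in SAMPLE_RECORDS],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two caveats a practitioner should keep in mind. Deterministic tokens are what let the cloud application keep working (search, de-duplication, joins) on protected fields, but they also reveal which records share a value, so fields where that equality pattern is itself sensitive should get randomized tokens or authenticated encryption instead. And the vault plus key is now the crown jewel: the centralization the page advertises only helps if that single point is hardened, backed up and access-logged at least as carefully as the data it protects.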

Addressing GDPR data protection when working with data processors

If an enterprise’s DPIA and PIA have identified that it is sharing PII and sensitive PII data with a third-party data processor, it now has to mitigate the risks and exposures involved in transmitting, processing or storing this critical information. Watch our YouTube video tutorial to understand the key GDPR guidelines and principles for transmitting PII and sensitive PII data to third-party data processors and having them process or store it.

01 – Data Protection Impact Assessment (DPIA)

Do I need to complete a Data Protection Impact Assessment (DPIA) when transferring PII and sensitive PII data to a third-party data processor for processing?

02 – Privacy by Design and Default

Addressing data protection as a fundamental requirement for meeting GDPR compliance, especially when using a data processor service. Learn about the concepts of Privacy by Design and Privacy by Default.

03 – GDPR Principle: Centralization

Understanding the Centralization principle and using a central point of architectural control to stay in control of your data.

04 – Key Principles of Data Pseudonymization

Understanding how pseudonymization of critical data works and why it is important.

05 – Key Principles of Data Anonymization

Understanding how anonymization of critical data works and why it is important.

06 – Data Breach Notifications

Understanding your organization’s notification duties in case of a security breach.

07 – Data Processor Compliance

Understanding how eperi Cloud Data Protection addresses GDPR data compliance in a data processor environment.

How can my organization benefit from eperi Cloud Data Protection?

  • Get the compliance “tick in the box”.
  • Maintain sole control of sensitive data.
  • Only your organization has access to sensitive data.
  • Your organization controls the data protection.
  • Reduce the risk of data loss.
  • Data is meaningless if compromised outside your organization.
  • The data protection processes in place do not impact the user experience of your Cloud app users.
  • Take full advantage of your Cloud application with no compromise to data protection controls.