Any company holding data from European Union (EU) citizens knows a BIG date is coming up: May 25.
That’s the day the EU’s new General Data Protection Regulation (GDPR)—the most sweeping change in data privacy regulations in 20 years—goes into effect. The new GDPR replaces the Data Protection Directive, which the EU passed in 1995, to enforce the privacy and protection of all data collected on behalf of or about EU citizens, including by US companies [1].
Key Changes in the New GDPR
Here are the main data protection policy changes the new GDPR brings:
1. Increased territorial scope
The Data Protection Directive requirements were not directly applicable to data being processed or handled from somewhere outside the EU. However, the new GDPR makes it very clear that as long as the data pertains in some way to EU citizens, the privacy and protection regulations apply to it whether the data is being handled inside or outside the EU.
2. Increased penalties
The new GDPR significantly increases the potential size of the penalty for non-compliance to up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine for the most serious infringements, such as failing to maintain adequate security measures.
3. Clearer consent guidelines
Where consent is relied upon as the legal basis for the processing of EU citizen data, the language companies use for such consent can no longer be in “legalese” and must be spelled out in very clear terms and via easily accessible forms. Companies must also make it as easy for EU citizens to withdraw consent as to provide it.
Other important changes include:
- Breach notification – The new GDPR makes breach notification, within 72 hours of having become aware of the breach, mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”.
- The right to be forgotten – The new GDPR gives EU citizens the right to have data controllers erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
- Data portability – The new GDPR introduces the concept of “data portability”, or the right for a data subject to receive the personal data concerning them and to transmit that data to another controller.
- Privacy by design – The new GDPR mandates “privacy by design”, which is the consideration and inclusion of data protection from the outset of the designing of products and systems rather than as an addition to it after the products and systems are built.
How DataStax Products Help our Customers Comply
DataStax has been very closely following every development with the new GDPR, and years ago we began building tools and features to help companies that use DataStax Enterprise stay compliant and safe with respect to their own customers’ data.
Specifically, DataStax helps businesses that use DataStax Enterprise comply with the new GDPR through:
- Internal and external authentication: Control over who can access information held within DataStax Enterprise (DSE), including support for Kerberos, LDAP and Active Directory integration, and single sign-on.
- Fine-grained access control: Data access policies that restrict users to the information their organization has allowed them to see. This includes security down to individual rows of data within tables, and multi-tenancy within data sets.
- Encryption for data in-flight and at-rest: Wherever data is moving or stored within the application, it can be securely encrypted to prevent unauthorised access. More importantly, there is no need for a change within the application itself.
- Auditing: A full audit trail for all activity within the application, including every update, read and deletion of user data. This audit log can be saved to a separate secure file system or within DSE itself.
- Simplified data deletion and support of ‘right to be forgotten’ requests: ‘Time to live’ management for each record makes it easier to schedule the removal of data, while DSE makes it easier to associate all of a customer’s records across multiple locations and legacy data silos as part of a Customer 360 initiative, which eases the work when a customer requests deletion of their data.
- Data sovereignty: Support for multi-data center locations and data residency so that each customer’s data can be stored in the right geographic locations for their compliance requirements.
DataStax customers can also take advantage of specialist DataStax consultancy services to assess risk and deliver compliant solutions via our GDPR Compliance Accelerator Package.
DataStax Compliance with the GDPR
In early 2017 we established an integrated DataStax privacy work plan to align our own internal data protection policies with the new GDPR. This has been a coordinated, inter-departmental effort that included DataStax sales, marketing, engineering, IT, human resources, finance, and legal teams.
These efforts also included creating a personal data inventory and GDPR Article 30 report, auditing and updating vendor agreements, assessing and addressing data transfers, developing staff training, and updating applicable processes and policies.
Information about the related DataStax security program is already published and can be found on the DataStax website.
The GDPR is good news in the sense that it makes great strides towards protecting the private information of EU citizens. It also presents certain challenges that enterprises are going to have to stay on top of — as much with technology as with company policies and the interconnections between the two.
As we move past the GDPR’s effective date, we will continue to adapt and evolve our data privacy practices and policies as we develop new products and learn from our interactions with customers, partners, and governments.
EBOOK: How DataStax Helps You Comply With The GDPR
Get the full story on how data management helps with compliance, and how companies use DataStax Enterprise to protect their data.
[1] Whilst there are exceptions, the requirements of the GDPR generally apply to any processing (including storage) of personal data about data subjects residing in the EU. In this post we refer to “EU citizens” for simplicity because the specific application of the GDPR (and that of its predecessor) can be complex and is not the focus of this post.