On 25 May 2018, the EU's new rules on personal data take effect. The General Data Protection Regulation, or GDPR, is a set of rules that standardizes the somewhat confusing national rules each EU country has had for storing, managing and securing personal data.
GDPR is meant to hand control of personal information back to the individual, but it is also in many ways a simplification of the patchwork of rules that has grown up since the inception of the public internet and the rise of social media.
As an IT admin today, perhaps the most important thing is to know where your data is stored. It's easy to start consuming a new cloud service without asking where the data lives or how it's secured. GDPR places the responsibility on the organization that controls the data (the employer, in the case of employee data) to ensure that personal data is stored securely and managed responsibly, regardless of who hosts it or where.
GDPR is an extra-territorial regulation. A company outside the EU that processes the personal data of people in the EU, including its own employees in EU member states, is bound by it, even if the data is stored outside the EU. Fines for infringing GDPR can reach €20,000,000 or 4% of global annual turnover, whichever is higher. It's probably cheaper to stay compliant!
When I set up a new application, or subscribe to a cloud service on behalf of my company, I've started going through a checklist, which is as follows:
- Where is the data stored?
- Is personal data stored?
- Is it encrypted at rest?
- Does personal data have a different permission set than content?
- Who in my company has access to personal data?
- User accounts
- Access control lists
- Who outside my company has access to personal information?
- Is the application/service owner based in the EU? (if not, brief them on GDPR)
- How is data transferred?
- End-to-end encryption in transit
My employer is currently working on ramping up personal data compliance for our European employees. It’s as much an HR job as it is technical. HR depends on IT to stay compliant, and IT depends on HR to create the policies.
Is your organization ready for GDPR?