Seclored: The Data Security News Blog

GDPR Compliance in the Year 2022

Category: Compliance

As one of the strictest data privacy laws in the world, the General Data Protection Regulation (GDPR) is soon entering its fifth year of implementation. But even after all these years, companies still face compliance issues and increasing non-compliance fines. The situation was generally calm in the first years. Only one major tech company was fined for violating GDPR rules. However, over the last few months, there have been more and more tech giants guilty of non-compliance and forced to cough up record-breaking multimillion-dollar fines.

How Does an Organization Become Non-Compliant?

It is essential to understand that GDPR compliance is not a one-time project. It is not about using tools or checklists but about an ongoing approach to business that develops an efficient data protection and privacy strategy. Many factors play a role, including the growing remote workforce, collaboration with third parties, and the pending ePrivacy Regulation.

Let’s look at some of the use cases:

Vaccination Data

Nowadays, an urgent issue for companies is dealing with employee vaccination data. Companies must accurately record the information they collect and ensure a secure way to collect and store this data. They owe those whose data they hold a modicum of confidentiality and should disclose vaccination status only for legitimate and necessary reasons. Employers looking to collect such information will also need an appropriate legal basis for processing it.

Visa Applications

GDPR requires companies, including those offering visa services, to reasonably and transparently protect personal data, such as:

  • Basic identification details: Name, address, and IDs
  • Health and biometric data
  • Racial and ethnic data
  • Sexual orientation, etc.

Financial Data

Every customer needs to provide their financial details to a bank or a financial institution when opening an account. Once shared, the bank or financial institution becomes responsible for that customer data whenever it is used or shared with third parties, and will be held accountable for any misuse.

Overseas Student Exchange Programs

College students attending overseas exchange programs need to share their personal information with the faculty accompanying them and with the overseas institution. This includes personally identifiable information (PII) shared with those institutions. The educational institution that shares its students’ information is responsible for the data entrusted to it.

Penalties Paid for Non-Compliance

Let’s also look at how some noteworthy organizations have paid hefty fines for not complying with the GDPR.

  • Google (€10 Million):
    The Spanish Data Protection Agency charged Google with a substantial fine for transferring data to third parties without a legal basis and for hindering citizens’ right to erasure. According to the Agency, these contravene Articles 6 and 17 of the GDPR.
  • OTE Group (€2 Million):
    The largest technology company in Greece was fined for an inadequate data protection impact assessment and inadequate security measures. In addition, OTE SA was found to have infringed Article 32 of the GDPR because of insufficient security measures in the infrastructure used in the context of the breach.
  • Capio St. Göran’s Hospital (€2.9 Million):
    The health provider violated Article 32 of the GDPR by failing to conduct a risk analysis. It also did not limit staff access to medical records to what each staff member required to fulfill their tasks.

How Seclore Can Help Comply with GDPR

The best way to address these use cases and approach GDPR compliance is to implement effective data protection strategies based on the business scenario.

The below list illustrates how Seclore can help organizations comply with various clauses of GDPR.

Article 25 – Data Protection by Design and by Default

“…The controller shall implement appropriate technical… measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed…the extent of their processing, the period of their storage, and their accessibility…”

How Seclore Data-Centric Security Helps:

Seclore integrates with various enterprise applications such as EFSS, ERP, and ECM. As a result, the documents downloaded from these applications are automatically protected by default.

Policies are inherited from the same system. This “policy federation” extends the security capabilities to wherever the data travels – even to another country.

Article 16 – Right to Rectification & Article 17 – Right to Erasure

“The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.”

How Seclore Data-Centric Security Helps:

  • When a new version of a document is circulated, the older version needs to be deprecated. When these documents remain with third parties, it becomes challenging to delete them using traditional technologies.
  • Using Seclore, the data owner can revoke access to all copies of previously distributed documents or even remotely modify their usage policies.

Article 30 – Records of Processing Activities

“1. Each controller and, where applicable, the controller’s representative shall maintain a record of processing activities under its responsibility…”

How Seclore Data-Centric Security Helps:

  • Seclore contains real-time, data-centric auditing capabilities.
  • The captured usage details include the nature of the activity (viewing, editing, printing), the user who performed the activity, the time, location, and much more.

Article 32 – Security of Processing

“The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data; ….”

How Seclore Data-Centric Security Helps:

  • Seclore allows client-server communication to be controlled by multiple encryption layers with no single point of failure.
  • Organizations can align Seclore’s key exchange mechanism with their overall cryptography strategy and policies. With Seclore’s Bring Your Own Key (BYOK) feature, organizations can take control of data encryption themselves by generating their key pairs.

Article 46 – Transfers Subject to Appropriate Safeguards

“…a controller or processor may transfer personal data to a third country or an international organization only if the controller or processor has provided appropriate safeguards…”

How Seclore Data-Centric Security Helps:

  • With Seclore, data controllers can have complete control over their information – regardless of where it goes or is stored. The copies of the data within and outside the EU are governed by the same policies.

Seclore Data-Centric Security Allows You to

  • Control Who and What
  • Revoke Access
  • Track and Audit

Seclore’s Data-Centric Security is ideal for addressing these critical aspects of GDPR and privacy regulations. It ensures encryption of information at rest, in transit, and in use, robust user authentication, granular usage controls, and activity tracking of the protected data.

Jasbir Singh is Partner and Managing Director of Seclore Europe, the leader in Rights Management. In this role, he leads Seclore’s sales and operations for the Europe region and is part of the executive management team setting the overall company go-to-market strategy. When he is not working, Jasbir enjoys spending time with his family, hiking and golfing.
