Key data protection measures for GDPR compliance
With the growing awareness of big data and its potential, businesses tend to store as much end-customer data as possible. This becomes a problem under the EU's General Data Protection Regulation (GDPR), which extends the scope of what qualifies as personal and sensitive information. The updated definition of personal data focuses on identification of any kind, so not only name, gender or address but also other attributes such as social or economic information fall under special protection.
The most straightforward key data protection measures follow a general "minimum set of information kept for a minimum period of time" rule (data minimisation and storage limitation). The following three principles are crucial to complying with the new legislation:
First of all, check that the data has been acquired lawfully. Where consent is the lawful basis, the GDPR requires a clear and affirmative action from the data subject: pre-ticked boxes, opt-out defaults and silence or inactivity no longer count as consent, and the consent must be recorded so it can be demonstrated later.
Secondly, each record needs to carry its retention period, and data that has outlived that period should be deleted promptly rather than left in place.
Finally, to limit the impact of a breach, data should not only be encrypted but also fragmented where possible: attributes that, taken together, allow a person to be identified should be stored separately and joined only through non-obvious indices (random tokens rather than sequential IDs or the subject's own identifiers such as an e-mail address), so that a single compromised store yields little on its own.
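The three principles above, worked into code as an added example (not the page's own code): an in-memory store, assumed here in place of the separate database tables a real system would use, that refuses records without affirmative consent, keeps direct identifiers, indirect attributes and consent records in separate fragments joined by a random token, indexes lookups by a keyed hash of the e-mail rather than the e-mail itself, and purges every fragment once its retention window has passed. Encryption at rest of each fragment store is not shown and would be applied by the storage layer.

```python
import hashlib
import hmac
import secrets
import time


class FragmentedStore:
    """Toy in-memory store (an assumption for this example) that keeps directly
    identifying attributes, indirect attributes and consent records apart.
    A real deployment would put each fragment in a separate, encrypted table
    or datastore; the dicts below stand in for those."""

    def __init__(self, lookup_key: bytes):
        # Secret key for the keyed lookup index; keep it outside the data stores.
        self._lookup_key = lookup_key
        self.identity = {}  # token -> direct identifiers (name, email)
        self.profile = {}   # token -> indirect attributes (income band, city)
        self.consent = {}   # token -> purpose and retention window
        self.lookup = {}    # HMAC(email) -> token, so the email itself is never an index

    def _pseudonym(self, email: str) -> str:
        # Keyed hash: without the key the lookup table cannot be reversed or
        # correlated with other datasets via a plain SHA-256 of the email.
        normalised = email.strip().lower().encode()
        return hmac.new(self._lookup_key, normalised, hashlib.sha256).hexdigest()

    def store(self, name, email, income_band, city, purpose,
              retention_seconds, consent_given, now=None):
        """Store one subject's data; refuses anything without affirmative consent."""
        if not consent_given:
            raise ValueError("no affirmative consent: refusing to store personal data")
        now = int(time.time()) if now is None else now
        # Random join index: reveals nothing about the subject and cannot be
        # guessed from a sequence, unlike an auto-increment ID.
        token = secrets.token_hex(16)
        self.identity[token] = {"name": name, "email": email}
        self.profile[token] = {"income_band": income_band, "city": city}
        self.consent[token] = {"purpose": purpose, "given_at": now,
                               "expires_at": now + retention_seconds}
        self.lookup[self._pseudonym(email)] = token
        return token

    def find(self, email, now=None):
        """Rejoin the fragments for a subject, but only while consent is still valid."""
        now = int(time.time()) if now is None else now
        token = self.lookup.get(self._pseudonym(email))
        if token is None or self.consent[token]["expires_at"] <= now:
            return None
        return {**self.identity[token], **self.profile[token]}

    def purge_expired(self, now=None):
        """Delete every fragment whose retention window has passed; returns the count."""
        now = int(time.time()) if now is None else now
        expired = [t for t, c in self.consent.items() if c["expires_at"] <= now]
        for token in expired:
            self.lookup.pop(self._pseudonym(self.identity[token]["email"]), None)
            del self.identity[token]
            del self.profile[token]
            del self.consent[token]
        return len(expired)


if __name__ == "__main__":
    # Constructed sample input, not real customer data.
    store = FragmentedStore(lookup_key=secrets.token_bytes(32))
    t0 = 1_527_206_400  # 2018-05-25T00:00:00Z, the day the GDPR applies
    store.store("Ada Lovelace", "ada@example.com", "high", "London", "newsletter",
                retention_seconds=30 * 86400, consent_given=True, now=t0)
    print(store.find("ada@example.com", now=t0))
    print(store.find("ada@example.com", now=t0 + 31 * 86400))  # None: consent expired
    print(store.purge_expired(now=t0 + 31 * 86400))            # 1 record removed
```

Two design points worth noting: the lookup table is keyed by an HMAC rather than a plain hash because e-mail addresses have low entropy and an unkeyed hash can be reversed from a dictionary; and `purge_expired` removes all fragments for a token in one pass, so an orphaned profile never survives the deletion of its consent record.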
In summary, we believe the top three key data protection measures are:
- Ensure all personal data is held under valid, demonstrable consent.
- Ensure no personal data is kept past its retention period.
- Ensure all personal data is encrypted and, where possible, fragmented.
What constitutes personal data is evolving, and so too should the measures necessary to keep it safe, secure and private. Together these principles can help organisations navigate the forthcoming legislation, although continual revision will be necessary to stay compliant. The work may seem daunting and time consuming, but effective implementation brings efficiencies and increased security in the long run.
The GDPR applies from 25 May 2018 to any organisation that processes the personal data of people in the European Union, regardless of where that organisation is located.