The new General Data Protection Regulation (GDPR) will take effect on the 25th of May 2018.
The regulation aims to protect the personal data of European citizens. It does so by regulating what information is stored and how it is processed on the one hand, and by requiring improved security measures on the other.
Service providers or 'data processors', who were not previously subject to the more restrictive aspects of data protection legislation, will now also be affected. Organizations that use third parties will have to ensure that their data processor complies with the regulation: if there is a breach, both the data processor and the data controller are considered to share liability and can be fined. (1)
As summarized on ComputerWeekly.com, businesses should take note of the following facts (2):
- GDPR applies to all: Any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR.
- GDPR widens the definition of personal data: The GDPR considers any data that can be used to identify an individual as personal data, including genetic, mental, cultural, economic or social information.
- GDPR tightens the rules for obtaining valid consent to using personal information: “In the future, it will be more important than ever for organizations to explain exactly what personal data they are collecting and how it will be processed and used. Without valid consent, any personal data processing activities will be shut down by the authorities,” says analyst Karsten Kinast.
- GDPR makes the appointment of a DPO (Data Protection Officer) mandatory for certain organizations: The GDPR requires public authorities processing personal information to appoint a data protection officer (DPO), as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
- GDPR introduces mandatory PIAs (Privacy Risk Assessments): “This means before organizations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO (Data Protection Officer) to ensure they are in compliance as projects progress,” says analyst Karsten Kinast.
- GDPR introduces a common data breach notification requirement: The GDPR harmonizes the various data breach notification laws in Europe and is aimed at ensuring organizations constantly monitor for breaches of personal data.
- GDPR introduces the right to be forgotten: The GDPR introduces very restrictive, enforceable data handling principles, said Kinast. One of these is the data minimization principle that requires organizations not to hold data for any longer than absolutely necessary, and not to change the use of the data from the purpose for which it was originally collected, while – at the same time – they must delete any data at the request of the data subject.
- GDPR expands liability beyond data controllers: “The GDPR also covers any organization that provides data processing services to the data controller, which means that even organizations that are purely service providers that work with personal data will need to comply with rules such as data minimization,” said Kinast.
- GDPR requires privacy by design: All software will be required to be capable of completely erasing data, which will be a challenge for a lot of software engineers.
- GDPR introduces the concept of a one-stop shop: In the past, Ireland has been popular with large US corporations, such as Google, because of the country’s relatively permissive data protection authority, said Kinast. “However, that all disappears with the GDPR, which allows any European data protection authority to take action against organizations, regardless of where in the world the company is based,” he said.
Even though Awingu acts as a bridge to existing backend infrastructure such as file services, authentication services, application services, etc., it can still help with GDPR compliance by:
- Enabling multi-factor authentication: Awingu comes out of the box with the possibility to enable multi-factor authentication, either through the built-in One Time Password solution or by integrating with various third-party MFA providers.
- Facilitating encrypted communication: We strongly encourage encrypting all data communication. This can be achieved by using an SSL offloader or by enabling the SSL offloading capability in Awingu.
- Leaving no local footprint: Since Awingu runs completely in the browser, there is no local footprint on the end device. Files and applications remain within the safe realm of the enterprise, which automatically increases protection against (ransomware) viruses.
- Eliminating the need for shadow IT: Awingu allows files and applications to be shared and brought to any device.
- Providing audit logs: Awingu keeps track of logins, application sessions and connected SaaS sessions, which makes it possible to detect anomalies and raise alerts when they occur.
In case you have any questions on how Awingu can help your organization to comply with the regulation, please do not hesitate to contact us.