The General Data Protection Regulation (GDPR), which becomes effective at the end of May this year, will have a severe impact on how companies and government organizations have to operate when handling information about citizens and other data subjects in the European Union. We all know that non-compliance with this new and strict data-protection regime comes with severe penalties, so doing nothing is not an option.
There simply is no one solution to address all aspects of the GDPR. The new regulation covers too many aspects of data protection, privacy and information rights. There is the right to question an organization about the possession of one’s personal information.
Everyone has and can exercise “the right to be forgotten”. There are severe cyber-security requirements (mandatory data encryption, data security measures, report of breaches, informing subjects of data breaches, etc.), data processing rules, the need to redact or pseudonymize sensitive information when there is no explicit need to store such information and the need to ask for and save prior consent before certain personal information is collected and stored.
No silver bullet
And there are still many questions about the practical implications of several requirements that need to be answered. So, no silver bullet. But there are many things organizations can do to address at least the most notorious GDPR requirements. From May 25 onwards, every organization should be able to say yes to at least the following questions:
- Are you able to redact and pseudonymize personal information before it is disclosed to third parties?
- Are you able to clean up older archives containing personal information for which no business purpose exists or no explicit permission has been granted?
- Can you store your company’s data in different jurisdictions?
- Can you inform affected individuals after a data breach in time?
- Are you able to respond to “the right to be forgotten” requests?
If your answer is still no, we can help you to address these most urgent requirements.
Redaction and pseudonymization of PII
Many business transactions include the transfer of large data volumes that inevitably contain personal data. When dealing with data in the context of eDiscovery, arbitration, Public Records Acts, regulatory requests, M&A (virtual data rooms) or (internal) investigations, ZyLAB’s eDiscovery technology can be used to redact and pseudonymize personal information before it is disclosed to a third party such as a US regulatory agency or parties bidding via a virtual data room.
Cleaning-up old archives with PII
The same redaction and pseudonymization tools can be used to clean up old archives that are often subject to regulatory requests or eDiscovery. Storing them in the ZyLAB ONE eDiscovery SaaS solution offers you the best protection available at the most cost-effective pricing.
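The two operations named in the last two sections, redaction (irreversible blanking) and pseudonymization (replacing an identifier with a token that cannot be linked back without a separately held key and re-identification table), are shown below on a constructed batch of free-text records. This is an added illustration written for this page, not ZyLAB’s code; the sample records, the demo key and the two regex detectors are assumptions, and a production system would detect far more identifier kinds (names, addresses, national IDs) with text-mining models rather than two patterns.

```python
import hashlib
import hmac
import re

# Constructed sample: free-text records such as a disclosure bundle might contain.
SAMPLE_RECORDS = [
    "Complaint filed by Anna de Vries (anna.devries@example.org), phone +31 6 12345678.",
    "Follow-up: anna.devries@example.org confirmed the address; see ticket 4711.",
    "Vendor invoice for server hosting, no personal data.",
]

# Constructed demo key. In practice the key lives in a secret store, apart from
# both the pseudonymized output and the re-identification table.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Minimal detectors for two identifier kinds (assumption: enough for the demo).
DETECTORS = (
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"\+\d{1,3}(?:[ -]?\d){6,14}")),
)


def pseudonym(value: str, key: bytes, kind: str) -> str:
    """Deterministic keyed token: the same subject always maps to the same token
    (so records about one person stay linkable), but without the key the token
    reveals nothing about the original value."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:12]}>"


def pseudonymize_text(text: str, key: bytes, reid_table: dict) -> str:
    """Replace each detected identifier with its token and record token -> original
    in reid_table, which is kept back so the output can be disclosed on its own."""
    for kind, regex in DETECTORS:
        def repl(match, kind=kind):
            token = pseudonym(match.group(0), key, kind)
            reid_table.setdefault(token, match.group(0))
            return token
        text = regex.sub(repl, text)
    return text


def redact_text(text: str) -> str:
    """Irreversible variant: blank the identifier and keep only its kind."""
    for kind, regex in DETECTORS:
        text = regex.sub(f"[REDACTED-{kind}]", text)
    return text


def prepare_disclosure(records, key: bytes):
    """Pseudonymize a batch. Returns (records fit for disclosure, re-identification table)."""
    reid_table: dict = {}
    safe = [pseudonymize_text(r, key, reid_table) for r in records]
    return safe, reid_table


if __name__ == "__main__":
    safe, table = prepare_disclosure(SAMPLE_RECORDS, DEMO_KEY)
    for line in safe:
        print(line)
    print("re-identification entries held back:", len(table))
```

The design choice worth noting is the keyed, deterministic token: it keeps a subject’s records linkable inside the disclosed set (the two complaint lines still visibly concern one person) while the mapping back to the real identifier exists only in the re-identification table, which stays with the data controller. Redaction is the right choice when that linkability is not needed, since there is then nothing to protect afterwards.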
Secure data storage in different jurisdictions
As of May 2018, ZyLAB’s ONE eDiscovery SaaS solution optionally provides GDPR-compliant, secure and encrypted data storage. By using the latest security and encryption standards, this storage location for your data will be a much more cost-effective alternative to any in-house solution. Not just for data under the GDPR, but also under the US-EU Privacy Shield regulations.
ZyLAB ONE eDiscovery provides data centers in the jurisdiction of your choice. At the same time, you benefit from the scalability of a SaaS solution, sharing expensive resources and software where this is possible and secure. ZyLAB ONE eDiscovery provides two-factor authentication and encrypted VPN data access, allowing you and your team secure access from any location.
Even if you do not feel comfortable with any SaaS solution, ZyLAB can provide exactly the same solutions in an on-premises or private cloud environment.
Inform affected individuals after a data breach
Should you become the victim of a data breach (or should we say when you become …), ZyLAB can help you to immediately locate the names of the subjects that need to be informed. By using advanced text-mining technology, we can quickly generate a list of the individuals you need to inform.
Responding to “the right to be forgotten” requests
The GDPR affords data subjects a new right: the right to be forgotten. This right allows data subjects to ask companies that have collected their personal data to erase it, and, if the data is public, to require other data controllers to do the same.
The right to be forgotten can be executed by any citizen in the European Union and requires that you and your organization identify all information that is stored on such an individual and remove (or redact) it.
The GDPR concepts “Right of Access” and “Right to be Forgotten” are very similar to a FOIA or PRA request. Using ZyLAB ONE eDiscovery to locate relevant records, combined with advanced analytics to cull data, pre-identify content based on text analysis and remove duplicate records, delivers huge time and cost benefits.
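To make the access and erasure workflow of this section concrete, the added example below (written for this page, not ZyLAB’s implementation) runs an access request and an erasure request against a constructed archive in which identifiers have already been replaced by keyed HMAC tokens. Because the token for a subject is deterministic, every record about that subject can be located by recomputing the token rather than by searching for the plaintext, duplicates are culled by content hash before reporting, and erasure both blanks the token in place and deletes the subject’s entry from the separately held re-identification table. The archive contents, the record ids and the demo key are assumptions.

```python
import hashlib
import hmac

# Constructed demo key; in practice held in a secret store.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def token(value: str, key: bytes, kind: str = "email") -> str:
    """Deterministic keyed pseudonym for an identifier (same scheme for every record)."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:12]}>"


def build_archive(key: bytes):
    """Constructed archive: pseudonymized records plus the re-identification table
    that is stored apart from them. r3 is an exact duplicate of r1."""
    anna = token("anna.devries@example.org", key)
    bob = token("bob@example.net", key)
    records = {
        "r1": f"Complaint from {anna} about a delayed refund.",
        "r2": f"Vendor note, copied {bob} for information.",
        "r3": f"Complaint from {anna} about a delayed refund.",
        "r4": "Policy document, contains no personal data.",
    }
    reid_table = {anna: "anna.devries@example.org", bob: "bob@example.net"}
    return records, reid_table


def dedupe(records: dict) -> dict:
    """Drop exact duplicates (same content hash), keeping the lowest record id."""
    seen, unique = set(), {}
    for rid, text in sorted(records.items()):
        digest = hashlib.sha256(text.encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique[rid] = text
    return unique


def access_request(records: dict, subject_email: str, key: bytes) -> list:
    """Right of Access: ids of the unique records that concern this subject."""
    tok = token(subject_email, key)
    return sorted(rid for rid, text in dedupe(records).items() if tok in text)


def erasure_request(records: dict, reid_table: dict, subject_email: str, key: bytes) -> dict:
    """Right to be Forgotten: redact the subject's token in every record (duplicates
    included) and remove the re-identification entry. Returns an audit record."""
    tok = token(subject_email, key)
    affected = sorted(rid for rid, text in records.items() if tok in text)
    for rid in affected:
        records[rid] = records[rid].replace(tok, "[ERASED]")
    removed = reid_table.pop(tok, None) is not None
    return {"subject_token": tok, "records_redacted": affected, "reid_entry_removed": removed}


if __name__ == "__main__":
    records, reid_table = build_archive(DEMO_KEY)
    print("access:", access_request(records, "anna.devries@example.org", DEMO_KEY))
    print("erasure:", erasure_request(records, reid_table, "anna.devries@example.org", DEMO_KEY))
    print("access after erasure:", access_request(records, "anna.devries@example.org", DEMO_KEY))
```

Note the asymmetry: the access report is deduplicated so the subject receives each record once, but erasure must touch every copy, duplicates included, or a stale copy would survive the request. The audit record keeps only the token, never the identifier that was erased.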