What is GDPR & Why & Who Needs To Comply?
What is GDPR?
The GDPR is uniform law across the EU and beyond, with new requirements for documenting IT procedures, performing risk assessments, rules on breach notifications, and tighter data minimization – establishing a single law to enforce European data protection rules and regulation and the right to personal data protection.
Who Needs To Comply With GDPR & Why?
Who? The GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of their physical presence in the country
Why? The GDPR has a tiered penalty structure that will take a large bite out of offenders’ funds as the rules apply to both data controllers & processors.
What type of data is protected?
Personal data – or as it’s called in the US, personally identifiable information (PII). This include names, addresses, phone numbers, account numbers, personal data documents and more recently email and IP addresses. PII is available in the 3 basic pillars of a business entity - their customers (in CRM), their employees (in HRMS) and their documents (in DMS)
What are the fine levels?
Violations of Articles: 8,11, 25 to 39, 42 and 43: €10m or up to 2% worldwide annual turnover of proceeding year, whichever is higher
Violations of Articles: 5,6,7,9,12-22, 44-49, 58, and member state laws adopted under Chapter IX :€20m or up to 4% worldwide annual turnover of proceeding year, whichever is higher
How does LuitBiz help you become GDPR compliant?
Fine
Article
What it means
How LuitBiz helps
25: Data protection by design and data protection by default
Data Minimization, user access limits and limit period of storage and accessibility
Identify who has access and who should have access to regulated documents, customer data and employee data; manage permissions; manage risks like group access; user monitoring, customer data transfer, encrypted directories and data, etc.
30: Records of Processing Activities
Implement technical and organizational measures to properly process personal data.
Identify, discover, and classify sensitive and GDPR eligible documents via full text search functionality; classify customer data, monitor, analyze, and report on user activity on documents, customer and employee data; establish and automate document & data retention policies; generate reports based on type of documents & data, access activity, and more.
17: Right to Erasure and "to be forgotten"
Be able to discover and target specific data and automate removal.
Identify, discover, and classify sensitive and GDPR eligible documents & data; define and automate document & data retention policies. Configure end-to-end document & data deletion rules and easily implement and enforce them for document & customer / employee data retention or deletion.
32: Security of processing
Ensure least privilege access; implement accountability via data owners; provide reports that policies and processes are in place and successful.
Reduce risk and manage access controls: automate and impose document workflows, customer data approval workflows, employee activity workflows and proactively enforce ethical walls and security policies.
33 & 34: Data breach notification
Prevent and alert on data breach activity; have an incidence response plan in place.
Document & data activity monitoring, complaints management, access monitoring, detect suspicious logins, ability to send breach notifications to Supervisory Authority (SA).
35: Data Protection Impact Assessment
Assessment of the purpose, scope and risk associated with processing private data and documents.
Ability to hide documents and keep them private, document access discovery and monitoring, customer and employee data protection, ability to publish DPIAs for employee reference.
15 & 16: Right to Data access and rectification
Be able to give access and rectification rights to data subjects regarding their data and documents.
Ability to retrieve documents & data in seconds and email them to the concerned data subjects for rectification, historical data on emails sent to data subjects regarding their documents.
44: Data transfers to third country or international organization
Permit transfers only to entities in compliances with regulation.
Document & data access policy enforcement via LuitBiz access control.