When the General Data Protection Regulation (GDPR) went into effect in 2018, companies doing business with European Union (EU) citizens scrambled to ensure they were in compliance, implementing changes to be in line with privacy requirements. However, this should not be considered a once-and-done task.
Companies and organizations collecting and storing personally identifiable information (PII) should undertake regular audits of their data collection processes to verify that they are still in compliance with GDPR.
The GDPR isn’t just about providing people with control over their data: what is retained, how it can be accessed, and how it can be deleted from the system. It also benefits those organizations that are collecting and storing that data, since it establishes protocols surrounding the classification, storage, security, and individual control of the information.
This is all the more important given the continuing rise in data breaches. According to Statista, in the U.S. alone there were 471 million records exposed in 2018 and another 164.68 million in 2019.
This makes it even more critical that companies take all the necessary steps to ensure that personal data are secured or face significant financial penalties, not to mention damage to their reputation. Following GDPR data protection principles can help with securing your data.
Regular audits of data processing procedures involve examining both the technical and human elements. A failure in technology, physical theft of equipment, deliberate network attacks—malware, phishing, ransomware—or improper use or actions by employees, whether malicious or unintentional, can result in millions of sensitive records being exposed.
A thorough assessment of all processes and systems can identify how any solution will impact customer content, data portability, access rights, and data erasures. At the same time, it will ensure that the platform currently being used can deliver near-zero RTO (Recovery Time Objective) and immutable snapshots to comply with GDPR requirements.
When considering what areas to audit, the following are among those the Information Commissioner’s Office (ICO), the UK's independent body set up to uphold information rights, recommends reviewing and if needed, updating:
Data Retention, Access and Deletion Policies—Clearly written public-facing policies explaining how personal data is being collected and used, how to control the limits of its use, and how to request access to and deletion of the data
Data Management, Classification and Storage—Procedures for encrypting PII, classifying it into one of three standard classifications, identifying data location within the system, and establishing methods for proper retrieval, as well as providing for both local and global redundancies in case of site, component or software failure, or external attack
Disaster Recovery—Comprehensive plan for recovery from data breaches, including the technical capability for a single-click method of restoring data files to any point in time, whether stored on-premises or in the cloud, as well as notification to authorities and individuals whose information may have been compromised, and response to individual requests for data changes or deletion
Security Measures—Security protocols for digital and paper-based sensitive records, including proactive monitoring to identify potential vulnerabilities, data breaches, and unauthorized access attempts
Training—Employee training on all aspects of GDPR protection principles and internal policies regarding data management
By establishing a regular schedule of audits, companies can ensure that they are meeting GDPR regulations while safeguarding the sensitive data that individuals have entrusted to them.
Rubrik makes GDPR compliance simple and efficient, with a single platform that delivers data management on-premises and in the cloud. It enables users to automate data protection policies and expiration while providing full transparency regarding where the data resides and how policy compliance is met across the entire infrastructure.
Learn more about how Rubrik can help you meet GDPR compliance and privacy requirements.