May was an interesting month. Google and Facebook were hit with 8.8 billion dollar lawsuits, Kanye West announced his support for Donald Trump, and we were all hit with a glut of “We’ve Updated Our Privacy Statement” emails flooding our inboxes. What does it all mean? Where do all these signs point? It means, of course, that GDPR compliance is upon us. Except that Kanye bit, there’s no explaining that.
As of May 25, 2018, the General Data Protection Regulation (GDPR) is in full effect. This means that companies around the world now have to be more careful about the way they handle personal data collected about residents of the EU to ensure the safety and privacy of this information. It also means this is the perfect time to continue our series, Breaking Down the GDPR’s Data Protection Principles.
In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.
In the first post, we covered the basics of the GDPR—what it is, what it’s about, and who it affects—as well as the first principle of data protection: the right to fair, lawful, and transparent processing of data. In the second post, we covered—you guessed it—principles two and three: Purpose Limitation and Data Minimization.
So let’s pick it up where we left off, with principles four and five: accuracy and storage limitation.
Personal Data Must be Accurate
According to principle four of the GDPR, any personal data collected or processed must be “accurate and, where necessary, kept up to date.” Furthermore, the GDPR mandates that “every reasonable step must be taken to ensure that personal data that are inaccurate,” with regard to the purposes for which they are processed, “are erased or rectified without delay.”
So what, exactly, does that mean? In plain English: You can’t keep junk data, and it’s your responsibility to make sure that data is accurate and up to date. Otherwise, you must erase it. So say, for example, you’re working on a political campaign, and you’re using data from the last election cycle. Under principle four it would be your responsibility to ensure that you are using accurate and up-to-date data before mailing out to those constituents.
This touches on both the subject’s right to rectification and their right to erasure—both key provisions of the GDPR. Under the right to rectification, individuals have the right to have incorrect information corrected, and incomplete information completed. Under the right to erasure, they may request to have their data deleted, and expect you to do so in a timely manner.
The GDPR doesn’t go into great detail on the principle of data accuracy. Specifically, it does not outline what exactly “every reasonable step” to ensure accuracy means. But one thing is certain: If you don’t update or delete old, junky data, you could be severely penalized—which brings us to our next principle.
You Need to Limit Storage of Personal Data (I.e., Don’t Keep It Longer Than You Need It!)
Remember back in principle three, when I told you that holding on to any and all data, just in case it might be useful down the road, won’t be compliant with GDPR? Well, the writers of that rule liked it so much that they wrote an entire data protection principle based on it: the principle of storage limitation.
According to that principle, personal data may be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” If personal data is to be stored for longer periods, it must be shown that the data will “be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
Basically, it’s just like we said before: you may only keep data as long as you need it for the task for which it was collected. The useful life of the data may be far longer, but you may not keep it and reuse it for other purposes (or sell it to someone else). This would prevent messy scandals like the one at Facebook/Cambridge Analytica, and it is a fundamental right under the GDPR.
In order to comply with this principle, you need a policy in place that mandates retention periods, along with documentation requirements for that policy that will let you audit for compliance. You should also frequently review the data that you hold, and erase it when it is no longer needed.
How Managed File Transfer Will Help Your Business Comply
As noted before, if your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you. With this much at stake, the best practice is to ensure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR.
There are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant.
With MOVEit, you can use automatic file integrity checking to validate that a file has not been altered, thus ensuring there are no costly mistakes that result in inaccurate data.
Likewise, you can use MOVEit’s built-in scheduler to schedule common pre- and post-transfer tasks—such as checking for accuracy and validity, and reviewing and complying with retention periods.
MOVEit Secure Managed File Transfer also provides encryption of data in transfer and at rest, integration with your existing security systems and detailed logs of file transfer activity.
We’ll be back next week with another post on principles six and seven, but until then, check out these resources to learn more about GDPR and its implications.
And check out this video for a quick overview of the Seven Principles of Data