As you’ve probably surmised from the glut of “We’ve Updated Our Privacy Statement” emails flooding your inbox, GDPR compliance is upon us.
As of May 25, 2018, the General Data Protection Regulation (GDPR) is in full effect. This means that companies around the world now have to be more careful about the way they handle personal data collected about residents of the EU to ensure the safety and privacy of this information. It also means this is the perfect time to continue our series, Breaking Down the GDPR’s Data Protection Principles.
In this series of articles, we’ll explore the seven principles of data protection, how they relate to GDPR, and how you can use these principles to protect your company’s data and ensure compliance with GDPR and other regulatory guidelines.
In the first post, we covered the basics of the GDPR—what it is, what it’s about, and who it affects—as well as the first principle of data protection: the right to fair, lawful, and transparent processing of data. In this post, we’ll continue right where we left off, with principles two and three: purpose limitations and data minimization.
The GDPR Mandates Purpose Limitation of Collected Data
Under the second data protection principle of the GDPR [Article 5, clause 1(b)], it’s mandated that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” Any further processing of that data should not be “incompatible with the initial purposes.”
In plain English, this means you need a legitimate, lawful purpose for collecting and processing user data—no more scooping up data wholesale just because you can. If you collect data that doesn’t have a specific purpose, you may find yourself out of compliance. Likewise, once you’ve collected and processed data for your purpose, you may not process that data for an unconnected purpose. For example, under the GDPR, data collected for research purposes could not be processed and sold for marketing purposes.
Under the GDPR, personal data is any data which by itself, or when combined with other data that the possessor can likely access, can be used to identify an individual. That means name, phone number, IP address, email… the whole gamut.
In the recent Cambridge Analytica/Facebook scandal, which has brought Mark Zuckerberg to testify in front of members of the U.S. Congress and the E.U. Parliament, it was revealed that British political consulting firm Cambridge Analytica used data collected for research purposes to target millions of Americans and EU citizens for political advertisements during the 2016 election cycle. Under the new restrictions enforced by the GDPR, Cambridge Analytica and Facebook would be subject to hefty fines—up to 4 percent of annual turnover, worldwide. There is currently no such purpose limitation law on the books in the US.
Businesses Must Also Minimize Collected and Stored Data
One of the most significant ways the GDPR is transforming data collection and processing is the principle of data minimization, under Article 5, clause 1(c). According to this principle, all collected personal data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.”
This is closely related to purpose limitation but differs in that it restricts which data is stored, as well as which data is collected. Essentially, in order to be GDPR-compliant, you must implement data minimization processes and rules at every stage of the data lifecycle—from collection to processing, storing, and use. At every point in the process, you should be asking yourself: Do we really need this data? If the answer is no, you should delete the information. This process should be documented with a provable audit trail.
Additionally, data minimization means you need to think about how long you intend to store data. For example, if you need data for a project that will last seven weeks, you must delete that data when the project is finished and the data is no longer necessary. Currently, it’s a common practice to hold on to any and all data just in case it may be useful down the road. Be warned: this will not be compliant with GDPR.
In order to stay compliant with GDPR, ask yourself the following questions when collecting data:
- How will I use this data?
- Can I achieve my goal without collecting this data?
- How long will I need to keep this data to achieve my goal?
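As an added illustration (not part of the original post, and not a MOVEit feature), the following Python sketch ties the two principles together: each record carries the purpose it was collected for and a retention period, collection drops fields the purpose does not need, processing for an incompatible purpose is refused, expired records are deleted, and every decision lands in an audit trail. The purpose-compatibility and required-field tables are constructed, hypothetical policy; real decisions need a legal assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy tables (hypothetical; real decisions need a legal assessment):
# which further processing is compatible with the purpose declared at collection,
# and which fields each purpose actually needs.
COMPATIBLE = {"research": {"research"}, "marketing": {"marketing"}}
REQUIRED = {"research": {"age_band", "country"}, "marketing": {"email", "country"}}

@dataclass
class Record:
    subject_id: str
    fields: dict
    purpose: str
    collected_at: datetime
    retention: timedelta

class MinimizingStore:
    # In-memory store enforcing purpose limitation, minimization and retention,
    # with an audit entry for every decision.
    def __init__(self):
        self.records = {}
        self.audit = []

    def collect(self, rec):
        # Minimization at collection: keep only fields the declared purpose needs.
        needed = REQUIRED[rec.purpose]
        dropped = sorted(k for k in rec.fields if k not in needed)
        rec.fields = {k: v for k, v in rec.fields.items() if k in needed}
        self.records[rec.subject_id] = rec
        self.audit.append(("collect", rec.subject_id, rec.purpose, tuple(dropped)))
        return dropped

    def process(self, subject_id, purpose):
        # Purpose limitation: refuse and log processing incompatible with the original purpose.
        rec = self.records[subject_id]
        if purpose not in COMPATIBLE[rec.purpose]:
            self.audit.append(("refused", subject_id, purpose))
            raise PermissionError(f"{purpose} is incompatible with {rec.purpose}")
        self.audit.append(("process", subject_id, purpose))
        return dict(rec.fields)

    def purge_expired(self, now):
        # Retention: delete records whose period has elapsed and log each deletion.
        expired = [s for s, r in self.records.items() if now >= r.collected_at + r.retention]
        for s in expired:
            del self.records[s]
            self.audit.append(("delete", s, now.isoformat()))
        return expired
```

The audit list is what a reviewer would inspect to show that minimization and deletion actually happened, not just that a policy exists.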
How MOVEit Can Help You Comply with GDPR Principles Two and Three
If your business collects, stores, processes or transmits the personal data of EU residents, the General Data Protection Regulation (GDPR) will apply to you. With this much at stake, the best practice is to ensure that the systems, user authentication, and encryption techniques involved in the transmission of personal data are secure and compliant with GDPR.
There are many ways that a reliable Managed File Transfer solution like MOVEit can help keep your company GDPR compliant.
With MOVEit, you get a form-based solution that provides standardized, secure, and documented data transfer tasks, so you can keep track of where your data is going, who’s using it, and who’s viewing it. This is essential for data minimization, as it gives you full visibility into your data lifecycle. MOVEit’s comprehensive analytics will give you full insight into file-transfer activities, to ensure ongoing compliance with the GDPR’s data protection principles.
MOVEit Secure Managed File Transfer also provides encryption of data in transfer and at rest, data integrity checks, integration with your existing security systems and detailed logs of file transfer activity.
We’ll be back next week with another post on principles four and five, but until then, check out these resources to learn more about GDPR and its implications.
And check out this video for a quick overview of the Seven Principles of Data