General Data Protection Regulation (GDPR) is a piece of regulation intended to improve and homogenize data protections within the European Union (EU). The authors of the regulation want to give citizens greater control over their personal data and make it easier to regulate data handling by making regulations consistent across the union’s 28 member states.
Because the GDPR deals with the protection of personal data, the regulation attempts to clear up some ambiguities regarding which data types fall within its scope. The current Data Protection Directive in the EU defines personal data as “any information relating to an identified or identifiable natural person.” However, that directive left open a few issues that the GDPR aims to resolve.
In clarifying the definition of personal data, this new regulation’s authors have widened the net to include such data types as online identifiers, location data, IP addresses, pseudonymous data, biometric data, and genetic data.
The GDPR implements a number of measures to enhance protection of personal data.
- Right to Erasure: This stipulates that the subject of personal data has the right to request their personal data be erased for several reasons.
- Privacy by Design: The regulation requires organizations to implement processes and technologies that make data protection and data minimization the default operating procedure. This includes the requirement to “Pseudonymize” data as quickly as possible, by encryption or other means.
- Privacy Impact Assessments: Organizations may be required to assess the impact to personal data protection involved in a given project.
- Data Protection Impact Assessments: Organizations controlling personal data must also evaluate the risk to the protection of an individual before processing data.
- Data Protection Officers: Organizations that systematically monitor personal data or process high volumes of protected data must appoint a Data Protection Officer.
- Supervisory Authorities: Now that a single set of rules will govern data protection in the EU, member states will be responsible for establishing their own independent supervisory authorities.
- Rapid Data Breach Notification: GDPR rules require organizations to move swiftly to disclose knowledge of a breach. Unlike previous laws, which required notification only if the breach was potentially damaging to data protection, the GDPR stipulates that this requirement covers all breach events. The state’s supervisory authority must be notified within 72 hours, and undue delays will be penalized.
- Data Portability: An individual must be able to transfer their data to another data controller, without the organization interfering.
- Retention of Data Processing Files: The organization managing data must retain records on the data it processes, including reasoning for why that data was used.
Failure to comply with GDPR regulations can result in warnings, audits and even fines of up to 20 million euros.
Why GDPR Matters to American Companies
Although the General Data Protection Regulation measures are to be enforced within the European Union, its scope extends not only to EU-based organizations, but also to international companies that process data within the union. This means many companies in the United States doing business with certain European countries must also maintain compliance.
While the GDPR has significant overlap with the previously adopted NIS Directive, the latter involved a more limited scope, which made it less of a concern for companies outside of the EU. The NIS Directive, for instance, dealt only with providers of essential services or digital service providers, while the GDPR involves any organization processing personal data. And the NIS Directive limited breach notification requirements to events posing significant risks to data protections, while the GDPR extends its scope to all breach events.
Sumo Logic and GDPR
Sumo Logic has received the highest possible GDPR readiness rating from Netskope, the leader in cloud security, as of Dec. 6, 2017. Sumo Logic’s data storage, encryption, and data processing standards earned a High readiness rating—despite the bulk of cloud service providers not being GDPR-ready.
“While most modern businesses are either fully migrated into the cloud or running on a hybrid model, many employees are taking advantage of the benefits of cloud flexibility by using unsanctioned—and possibly risky—cloud apps and services in order to get their jobs done,” said Amol Kabe, vice president of product management at Netskope. “Sumo Logic is an exception to this case. They are taking a number of steps to not only protect their machine data analytics platform, but also ensure due diligence that vendors they’re working with will be GDPR compliant, setting the industry standard for how to do GDPR compliance right.”