Cryptshare makes compliance easy.

The European Union has for a long time seen data privacy as an important issue and has worked hard to create a unified legislation to protect the interests of all citizens of the EU whose data may be held for one reason or another inside or outside the EU.

This is of course not entirely new legislation; the original working drafts date back to 1995. In its latest form, however, it includes some significant new provisions with far-reaching impact.

Several major and minor new terms will require careful consideration by all organisations, large and small. Having talked to representatives of the EU, to our customers and to customers of other technology vendors in the USA, EU and APAC, we conclude the following:

  • Most organisations have implemented some of the protections they need, but few have covered all bases. There is work to be done.
  • Technology is key to solving the issues, but soft requirements (people and behaviour) cannot be ignored. Few organisations have allocated sufficient money or time to handle these new demands.
  • Use established technology such as e-mail, but solve known issues of large file handling and security first. Why? You can implement this fast and place a known solution in front of all users for a far more predictable win.
  • Non-EU based companies have much more to do and may be more vulnerable under scrutiny. Time to catch up.
  • This may be a great time to get rid of some legacy technology and replace it with more modern, cheaper, more focussed solutions that do what you need and don’t cost a fortune for what you do not need.
  • Severe penalties will galvanise actions, but this is leading to a feeding frenzy by vendors making unjustifiable claims about their “unique” approach. The mirrors are everywhere and the smoke is thick.

Central requirements of the GDPR which you can already fulfil with Cryptshare today

Right of access by the data subject and right to rectification using Cryptshare

  • Encrypted data transfer to the receiver is possible
  • Ad-hoc use
  • Metadata is also encrypted

Right to be forgotten / Data Cleanup Rules

  • The storage time of files on the server is limited and configurable by the customer
  • "Data cemeteries" are avoided

Right to data portability and Cryptshare

  • Transfer of all file formats possible
  • E-mail as a globally used means of transport and the universal availability of browsers give everyone access

Data protection settings at a high level ... including those for outgoing e-mails

  • Protective e-mail classification regulates the security settings for users in the enterprise
  • Central management of policy settings brings IT compliance
  • Highly secure encryption is used at times

Data Loss Prevention (DLP)

  • Protection of the transferred files in the case of a wrongly selected recipient: only the correct recipient knows the agreed password.
  • Analysis by external DLP solution possible before or after data upload (reverse proxy server / pre-processing) meaning your DLP rules are applied.

Cloud services and the processing of data relating to orders (order data processing)

  • Cryptshare can be operated on premises or as a cloud service; the customer decides.
  • Order data processing (processing on behalf of a controller) does not apply when exchanging personal data, but such data can still be shared securely using Cryptshare

Whitepaper Download

GDPR Compliance - The latest changes

GDPR Compliance, a practical guide to getting on top of the latest changes to requirements with some suggestions of quick technological wins for your enterprise.

Table of contents:

  1. Management summary and conclusions
  2. Introduction
  3. What are the aims of the GDPR and what has changed?
  4. Data Subject Rights
  5. Privacy by Design
  6. Data Protection Officers (DPO)
  7. Some headlines of GDPR rules
  8. How prepared are organisations for these changes?
  9. What is the Scope of the regulation?
  10. What kind of data is included?
  11. What is meant by a one-stop-shop?
  12. Who is responsible and how are they held accountable?
  13. What about consent?
  14. What is the role of the Data Protection Officer?
  15. So what about technology to help handle these new demands?

Read our blog post about GDPR

The EU Data Protection Regulation - 6 Ws: 6 questions, 6 answers.
Today we give a brief, concise overview of the Who, How, Where, What, When and Why of the General Data Protection Regulation. Further down in the article, the interested reader can find additional information on the European Data Protection Regulation (1).

Data protection in the EU: GDPR

WHAT is GDPR?

GDPR stands for the General (sometimes European) Data Protection Regulation. It is a regulation designed to give EU citizens stronger rights and better protection with regard to their data (2).

WHEN is the GDPR applicable?

From May 25th, 2018.
The General Data Protection Regulation came into effect on May 5th, 2016. More than two years later, national laws such as the "Wet bescherming persoonsgegevens" (3) in the Netherlands will become obsolete, and other regulations will only apply to a very limited extent.

WHY is the GDPR necessary?

Data processing (4) is becoming more and more digital and global. The existing country-specific data protection laws were issued many years ago, when the Internet was still at the very beginning of its development. Today we need a regulation made for the digital world: cross-border and uniform, one that regulates the rights of every EU citizen in the same way with regard to their data. Numerous recitals (5) have led to the creation of the GDPR.

WHO is affected and who must comply with the GDPR?

All EU citizens are "affected", meaning covered, regardless of where they are. All companies which process data (see 4) of EU citizens must comply with the regulation, regardless of where this is done.

HOW can the guidelines be followed?

Companies need to do everything they can to securely process data. For this, technology (6) (privacy by design and privacy by default) and know-how (7) are necessary.

... and HOW can this be checked?

High penalties (8) are designed to motivate companies to work hard to avoid data breaches. What is new is that they have 72 hours to self-report violations (9). The supervisory authorities and accredited bodies (10) carry out checks and investigate any complaints they receive. Companies must comply with their documentation and information obligations and provide appropriate evidence. This is controlled by the company's data protection officer, now a required role, who has the task of informing management and staff of deficiencies, making suggestions as to how things can be done better, and taking appropriate actions, e.g. by providing training for the staff or purchasing necessary hardware and software.

WHERE does the GDPR apply?

The regulation applies as soon as data of EU citizens are being processed: within the EU, and worldwide (11) for companies outside the EU holding data on EU citizens.

  1. The EU General Data Protection Regulation can be abbreviated and circumscribed in various ways: GDPR, EU GDPR, General Data Protection Regulation, EU Data Protection Regulation, European Data Protection Regulation.

  2. The purpose of the GDPR is to protect personal data. This includes all data that enable the identification of a natural person. These include names, as well as data and identification numbers that might give away the identity of that natural person.

  3. "Wet bescherming persoonsgegevens" (WBP) regulates the handling of personal data in the Netherlands and protects the citizens' personality rights. It will be replaced by the EU Data Protection Regulation on May 25th, 2018; in principle, EU law takes precedence over any national law. However, through opening clauses in the EU Regulation, the EU countries have the possibility to make national arrangements, for instance determining the minimum age for valid informed consent by minors, or rules for order data processing.

  4. “‘processing’ means any operation or set of operations which are performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;” (Chapter 1 Art. 4)

  5. There are 173 recitals that led to the drafting of the EU regulation. Among others, these are: ensuring a high level of data protection despite the increased exchange of data (Recital 6), harmonisation of the powers and sanctions (Recital 11), and, in particular, ensuring the security of the processing (Recital 83):

    "In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

    The communication solution Cryptshare allows you to encrypt e-mails, their metadata, and attachments on the transport path, and during caching on the server. In this context, it also provides full transparency through the traceable logging of all activities.

  6. Companies must implement data protection through technical design and privacy-friendly defaults ("Privacy-by-Design" and "Privacy-by-Default"). Article 25 of the Data Protection Directive sets out the framework for the way in which the requirements of the GDPR are to be implemented in process design and in default settings. By assigning e-mails to a classification level using Cryptshare's "protective e-mail classification", companies fulfil the need to classify data in a simple and secure way, and in doing so meet the required privacy-by-design and privacy-by-default approaches. The feature is configurable by the administrator according to the GDPR and company compliance requirements. Depending on the configuration, the user can or must select a pre-set protection class before dispatch in order to be able to send the mail. For certain messages the admin may leave it to the sender to assign a classification; such mail can then also be sent "without classification". Depending on the selected classification, the system takes appropriate measures for the protection and identification of the data.

  7. Companies, authorities and public bodies must designate a data protection officer. The data protection officer is involved in all matters related to the protection of personal data. They inform and advise management and the employees of the company with regard to the duties and standards which they have to meet according to the GDPR and other data protection regulations. They supervise compliance, raise awareness, conduct or organise training and evaluate it. The data protection officer also cooperates with the supervisory authorities (Chapter 4, Section 4).

  8. Within 72 hours of becoming aware of a breach of the regulation, the company must notify the supervisory authority in charge; depending on the extent of the breach, it must also inform its customers. A maximum penalty of 4% of worldwide turnover or € 20 million, whichever is higher, might have to be paid. This is not only painful but might threaten the existence of companies.

  9. In order to avoid having to self-report breaches, the data protection officer is responsible, among other duties, for taking all appropriate measures to create the conditions in the enterprise to comply with the Regulation. Therefore, internal strategies must be defined and measures must be taken which in particular meet the principles of data protection by means of technology (data protection by design) and data protection-friendly pre-settings (data protection by default). In addition, citizens themselves have the right to know what data the company processes about them. They may request that their data be corrected or completely deleted (right to be forgotten, Chapter 3, Art. 17).

    They also have the right to receive their data "in a structured, standard, machine-readable format" in order to make it available to another company. The right to data portability (Chapter 3, Art. 20) also allows EU citizens to transfer their data directly from one company to another "as far as it is technically possible". Here, too, the software solution Cryptshare can help you to transfer digital data, no matter what size and file format, securely and easily.

  10. Local supervisory authorities carry out inspections. When it comes to cross-border processing, the new so-called "one-stop shop" procedure applies: the authority at the location of the company's main establishment has the controlling responsibility. Companies no longer have to deal with supervisory authorities in several EU Member States, but have only one contact (Article 56 DS-GVO). Monitoring of compliance with codes of conduct may also be carried out by a body accredited by the supervisory authority. The body must meet numerous criteria, including having the appropriate expertise and being independent.

  11. The scope of the EU data protection law is considerably extended. In addition to the establishment principle, the new market location principle also applies (Article 3 (1) and (2)). Besides data processing establishments in the EU, companies that do not have their headquarters in the EU but process data of EU citizens need to comply with the GDPR.

Conclusion

The European General Data Protection Regulation describes the rights of EU citizens with regard to the handling of their personal data and the obligations of data processing companies, regardless of where they are located. Now is the time for companies to make all the necessary arrangements and to make their (data processing) processes technically consistent with data protection, to train their employees in the handling of personal data and to provide them with the right conditions and tools.
