To say that the General Data Protection Regulation (GDPR) is a bit subjective would be the understatement of the year. The ticking clock that is GDPR gets a little bit louder every minute. For those organizations that are prepared for GDPR, the transition will be a little bit easier. For those that haven’t prepared, now is the time to start, and one of the most important requirements to address is Article 25. Article 25 requires data controllers to implement “Data Protection By Design & Default.” Let’s take a moment to break that down.
Data Protection By Design
Forget about technology for a minute — since the only technical guidance that GDPR is going to give you is “encryption,” “pseudonymization,” and, the bonus term in Article 25, “data minimization.” Take a step back and look across your organization. The non-technical part of Article 25 requires organizations to implement appropriate controls to ensure that data protection (meaning security and privacy) is a core component of the lifecycle of an organization’s products, services, procedures, and technical solutions.
Data Protection By Default
The other part of Article 25 requires that only the amount of data necessary for the purpose of processing is processed. This also has implications for the amount of data that is collected, the extent to which the data is processed, the length of time it is stored, and its accessibility. The key here is that the collected and processed data is not accessible to others without the consent of the data subject.
Where to start?
As I have been writing for the last year about GDPR, there is no question that any good approach to complying with GDPR starts with understanding your organization’s data and all the places where it lives. Beyond that, and specifically with compliance with Article 25 in mind, organizations should focus on:
- Encryption that allows data controllers to enforce data security and privacy with no access from downstream data processors or other third parties
- Data protection that allows for the appropriate and measured collection of data so as to not overcollect or overprocess
- Privacy controls that allow data subjects the ability to control access to their own information on their terms
- Organization policies and procedures that take security and privacy into account throughout the entire data lifecycle
To learn more about getting your organization ready for GDPR and how Druva can help, see The GDPR Compliance Guide for business.