The General Data Protection Regulation (GDPR - EU Regulation 2016/679) is a regulation laid down by the European Commission to strengthen and make uniform personal data protection within the European Union (EU). The text, which was published in the Official Journal of the European Union on 4 May 2016 and came into force on 25 May of the same year, toke effect on 25 May 2018.
The text also tackles the theme of exporting personal data outside the EU and obliges all data controllers (including those based outside the European Union) that process the data of European Union residents to observe and fulfil the obligations laid down. The main objectives of the European Commission in the GDPR are to give control of personal data back to the data subjects and to simplify the legislation that regulates international affairs, by unifying and making uniform the privacy legislation within the EU.
As of 25 May 2018, the GDPR replaces the Data Protection Directive (officially Directive 95/46/EC)(2), issued in 1995, and abrogates the regulations of the personal data protection code (Legislative decree no. 196/2003), which will be incompatible with it.
The GDPR is therefore the most important change in data privacy regulation over the past 20 years and was created with the intention of harmonizing privacy laws all over Europe, protecting and governing the protection of the person data of EU citizens and regulating the way in which organizations across the entire region approach data privacy.
The main characteristics of the legislation are:
- data subjects’ right to processing of personal data;
- if the organisations of member countries fail to fulfil their obligations, fines are applicable of up to 20 million euros or 4% of the company’s global annual turnover;
- there is an obligation to give notification of any violations of personal data (Data Breaches);
- there is an obligation to obtain express consent for the storage of personal data of European citizens, the purpose of which is their profiling.
The compliance obligation requires a holistic approach to the processing of data that may represent an excellent opportunity to create/increase the culture of a single vision of information within companies. The new approach to data processing, seen as the company’s main value, constitutes the essential condition for a proactive and effective synergism between the corporate functions, which will thus have the possibility of using the information to obtain a clear knowledge of what is happening within and outside the company. A transformation that will be simpler with the support of a partner capable of offering not only technologically innovative solutions but also process and regulatory consulting to draw up a sustainable roadmap for the change.
To help our customers fulfil the obligations set out in the GDPR, Exprivia provides solutions that can support customers in transforming the burden of GDPR into a growth opportunity for their organisation.
What data are owned? Who has access to them and for what purpose?
These are the main Data Governance questions that Exprivia answers through a set of solutions that are capable of:
- assuring compliance – possibility of generating and managing an integrated view of the main assets for guaranteeing compliance with regulations such as BCBS 239 and GDPR;
- role assignment;
- managing the process register;
- facilitating collaboration between business and IT.
Where are all the data concerning the field of application of the GDPR?
Exprivia solutions enable the company to manage Sensitive Data Discovery & Analysis through:
- full visibility of sensitive data;
- adherence to sensitive data security policies;
- dashboard, views, reports and warnings;
- integration of the security infrastructure;
- control of user accesses and activities;
- risk analysis.
Data Masking & Archiving
Data Masking & Archiving solutions make it possible to manage the concealment and storage of sensitive data, with different approaches, depending on the level of risk and impact on IT systems.
- dynamically and persistently mask sensitive data;
- file sensitive data in a secure data store;
- manage the retention and expired data elimination policies in compliance with the right to be forgotten.
Master Data Management
MDM solutions can be used to manage consent to the processing of personal data and the right to data protection with:
- a unique view of the physical person;
- the collection and distribution of consent decisions regarding personal data expressed by users;
- the management of the Subject Access Request (correction, objection, portability, right to be forgotten).