You are here


GDPR: Complying with the EU’s New Data Privacy Law

Posted by Accellion Team
Protecting EU citizens' data with GDPR

We live in a world marked by extreme data generation and accumulation, fueled by our interaction with an increasing number of applications, systems and devices. It's hard to believe but IoT development and adoption is set to drive this increase in data generation exponentially further.

Significant security and compliance challenges arise however when data is collected, ana­lyzed, and shared, especially when data sharing crosses organizational boundaries. In industries such as financial services and healthcare, industry-specific regulations mandate that customer data be kept private and safe from tampering or illicit access.

But not all privacy regulations are limited to specific industries. Some laws and regulations require all customer data to be protected, regardless of industry. The most sweeping and consequential of these non-industry-specific data privacy regulations is the European Union’s new General Data Protection Regulation (GDPR). The GDPR was passed by the EU Parliament’s Civil Liberties Committee on April 14, 2016 and goes into effect on May 25, 2018, becoming the law of the land in all 29 EU member states.

Building on the EU Data Privacy Directive (95/46/ec), the GDPR is a bold attempt to create a robust legal framework for protecting data privacy in the age of social media, geographically distributed cloud-computing services, and broad government surveillance. It affirms every EU citizen his/her right to privacy and establishes strict requirements for organizations collecting or processing the personally identifiable information (PII) of EU citizens.

Preserving Personally Identifiable Information

The concept of PII is central to both the Data Privacy Directive and the GDPR. Here’s how the GDPR defines this important term:

any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of PII include:

  • A CRM database record with a customer’s name, address, and phone number.
  • The IP address or MAC address of a citizen’s smartphone, tablet, or laptop.
  • A passport number.
  • A photo that can be used for facial recognition.
  • A citizen’s post on a social media platform such as Facebook about politics, religion, or health status.
  • Genetic or biometric data that can uniquely identify an individual, including fingerprints, signatures, voice recordings, and even patterns of keystrokes.
  • A description that indirectly identifies an individual, such as “the company’s sales representative for the Paris region.”

By standardizing data protection across all member states, the GDPR affirms an EU citizen’s right to know what PII is being collected by other parties. It grants citizens the right to know why PII is being collected, how the PII is being used, and the purpose of its use. In most cases, the regulation also affirms citizens’ right to have their PII deleted.

Boards of directors, IT organizations, security teams, and compliance teams in global enterprise should be preparing now to comply with the GDPR. Failure to comply could result in steep financial penalties—as high as 4% of an organization’s annual revenue—and lasting damage to brand reputation.

Private Cloud Content Collaboration and the GDPR

Content management, mobility, and security are all critical to compliance with the GDPR. A failure to comply not only invites significant fines but also customer churn and brand erosion. Thankfully, the kiteworks secure content collaboration platform by Accellion enables organizations to comply with the GDPR.

The kiteworks platform provides an enterprise-wide layer of data security and control, integrating with and enforcing security policies for all on-premises and cloud-based content systems in the enterprise such as Microsoft SharePoint and OpenText as well as to cloud-based services such as Box, Dropbox, and Google Drive.

Security features include encryption of data at rest and in transit, role-based access controls, secure containers that protect private data like PII on mobile devices from unauthorized access and malware infection, and special controls, such as view-only content, that ensure that confidential content remains confidential. In addition, all content sharing in kiteworks is logged and monitored. CISOs and IT administrators can review user activity to ensure that PII is being accessed only by authorized users, ensuring compliance with regulations like the GDPR.

Because kiteworks is designed for enterprise-grade scalability and flexibility, it can accommodate any infrastructure strategy: on-premises, IaaS cloud, private hosting by Accellion, or any hybrid scenario. Nodes can be distributed across the globe to reach remote offices, ensure performance, and honor data sovereignty regulations. IT organizations can manage and enforce policies to protect data and ensure regulatory compliance, while trusted business users can manage select con­tent and content-sharing to promote productivity and ensure the right level of trust.

To learn about the kiteworks solution for private cloud content collaboration and how kiteworks can help your organization comply with the GDPR and other data privacy regulations, please con­tact Accellion.