Preparing for the General Data Protection Regulation: A 'Wait and See' approach is going to be pricey for US organizations doing business with the EU.
What is a data processing inventory?
A data processing inventory reflects how the business processes data and starts with listing the processing activities and their purpose. A data processing inventory is aligned with how the business works, making it is easy for the business to engage.
The GDPR creates an opportunity for organizations to limit their data inventory. Organizations need an inventory of their data processing operations, instead of all their data holdings and detailed inventory.
The GDPR sets very particular regulations on consent. With the new regulation coming in May 2018, companies need to be prepared for new GDPR consent mechanisms for their SAP test and QA systems. Anonymizing data in these systems make GDPR consent no longer mandatory. Natuvion's TDA tool offers a safe way to anonymize data so that it can be safely and rightfully used while expediting the process to full compliance and without the risk of facing GDPR fines.
With the new regulations taking place in May, the GDPR requires a Data Protection impact assessment (DPIA). A data protection impact assessment helps identify the risks when handling personal data and provides a structured process for your company. This assessment increases the transparency and provides a structure for unknown processes that involve dealing with personal data that reduces the risk of non-compliance with GDPR.
In the General Data Protection Regulation, the personal data definition is formulated very generally. Below, we list some examples. However, given the breadth of the regulation, it is not easy to list all the types of data that are considered personal.
The GDPR regulation applies to any kind of data concerning a determinate or determinable individual. Below we listed some examples we see at our customers but there are more;
- Personal employee data (name, address, date of birth, etc.)
- Information about customers, patients, clients (marketing databases, medical records, contact lists, any contact information)
- Data transferred to third parties (accounting books, credit registers, direct marketing)
- Non-public personal data of business partners and providers
- IP (Internet Protocol) addresses
- Cookie identifiers, or others such as Radio Frequency Identification (RFID) tags
- Camera records
- Iris scan
- User ID and passwords - access registration
- Smart meter data
- Biometric data
- Health data
- Membership of a labor organization
The best way to eliminate your risk is to anonymize the data in secondary systems. Anonymizing the data removes the need for data privacy consent and (with proof) removes the systems from GDPR compliance processing, while still providing the data for analysis or testing.