The GDPR Nightmare
What might a customer request?
Under Article 15 of the GDPR, a data subject is entitled to request access to their own personal data, on proof of their identity. A company must reply to such a request within one month, as required under Article 12. An organisation could be asked to do the following:
1. Confirm whether personal data has been or is being processed. The data subject is entitled to all of this information regardless of where it is held, whether in a database or on any other form of stored media.
2. Provide the names of the countries in which the personal data is stored or from which it is accessible, including details of where the cloud servers that have processed their personal data in the last 12 months are located.
3. Provide a copy of the personal data that has been or is being processed.
4. State the specific uses they have made, are making or will be making of the data.
5. Give a list of all third parties with whom they have shared, or may have shared, an individual’s personal data, and details of any safeguards in relation to this.
6. Give details of the duration the data is stored and how long each category of personal data is retained.
7. Provide information about any other source from which the organisation collects their personal data.
8. Give details of automated decisions, the logic behind them and their significance and consequences.
9. State whether the personal data has been disclosed by the organisation in the past, and give details of any previous breaches which resulted in the sharing of personal data.
10. Detail information policies and standards that are followed to safeguard an individual’s personal data.
11. Provide information about existing technologies and business procedures to monitor individuals. Give details of any training and awareness measures used to ensure employees and contractors are accessing and processing personal data in a way that conforms to the GDPR.
12. Provide details of circumstances where employees or contractors were dismissed for accessing personal data inappropriately in the past 12 months.
How can Exate’s solution help the organisation to respond to such an inquiry?
Exate’s unique solution allows data to travel with its own rules, which are maintained and accessed centrally. Before access is granted, the data can check sovereign data walls, attribute types, the requesting employee, and consent or right-to-be-forgotten status. Data can travel between different parts of the firm and outside the firm’s firewall, and the data itself controls who is allowed to see it. In turn, this enables you to comply with privacy by design: the organisation is able to protect, and track access to, its PII.
This solution provides the tools to secure and future-proof your organisation easily. At the same time, Exate will still:
• not have access to your applications
• not have access to or store any of your data
• not have access to or own your decryption keys
All access requests are logged, and customisable reporting is available for the organisation’s CISO/DPO or clients. The solution is easily implemented by downloading Secowser and applying the rules to your data, thereby protecting your PII.