GDPR – What you need to know and how Concentric can help

March 20, 2023
Karthik Krishnan
6 min read

With massive cloud migration and more data being stored and collected than we ever imagined, protecting that data is mission-critical for every organization. 

Organizations must not only protect this data for the security of their business and customers, but also to keep up with data protection laws and regulations. 

One of the most comprehensive regulations that can affect organizations worldwide is the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. 

GDPR protects EU citizens’ privacy and rights by setting standards for collecting, using, and processing their personal data. Organizations must understand that GDPR applies not only to companies located in the European Union (EU) but also to any organization that handles personal data of EU citizens. With stiff fines for non-compliance, GDPR has become a motivating force for businesses to prioritize data protection. 

The introduction of GDPR has had a significant impact on data protection laws globally. For example, it has inspired the introduction of similar data protection laws in other jurisdictions, such as the California Consumer Privacy Act (CCPA) in the United States. Plus, GDPR has strengthened individual rights concerning personal data, such as the right to access, rectify, erase, and restrict the processing of personal data.

What are the key principles of GDPR, and to whom do they apply? 

GDPR is based on several fundamental principles that companies must adhere to when handling personal data. These principles are designed to ensure that personal data is collected, processed, and stored securely and responsibly. 

The key principles of GDPR are:

Data protection by design and default: This principle requires companies to implement data protection measures from the outset, such as encryption and access controls. They must also ensure that personal data is only processed when necessary and that data protection measures are continuously reviewed and updated.

Lawful, fair, and transparent processing: Companies must have a lawful basis for processing personal data and must ensure that individuals are informed of how their data is being used in a clear and concise manner.

Purpose limitation: Personal data should only be collected for specific, explicit, and legitimate purposes and should not be used in ways that are incompatible with these purposes.

Data minimization: Companies must only collect the minimum amount of personal data necessary to achieve their intended purpose.

Accuracy: Companies must ensure that personal data is accurate and kept up-to-date.

Storage limitation: Personal data should only be stored for as long as necessary for the intended purpose.

Integrity and confidentiality: Companies must implement appropriate security measures to protect personal data from unauthorized access, disclosure, or destruction.

Accountability: Companies must be able to demonstrate compliance with GDPR principles and be accountable for their data protection practices.

Remember, GDPR applies to all companies that process personal data of individuals within the EU, regardless of where the company is located. This means organizations outside the EU are also subject to GDPR if they process personal data of EU citizens. 

Individual rights of data subjects 

GDPR also applies to data subjects whose personal data is being processed. All EU subjects are afforded many rights to protect their privacy under the GDPR. 

To be GDPR compliant, a business needs to ensure that data subjects can exercise the following rights:

Right to Know: ensures that users have access to information about what data is being collected on them, and for what purpose. Companies need to maintain records of user consent, including the specific permissions granted, to help manage enterprise risk and avoid penalties. Enterprises must also update their privacy notices to comply with GDPR.

Right to Opt Out: allows customers to withdraw their consent for marketing activities, and enterprises must categorize user consent data to remove them from specific activities rather than all activities. 

Right to Portability: allows customers to receive their information in a format that they can use to transfer to another service provider. Enterprises need to keep track of all personal data and have a system in place to export this data. 

Right to be Forgotten: enables customers to ask companies to delete their data. Fulfilling this request can be complex, as customer data may have been transmitted to multiple enterprise systems in both structured and unstructured formats.

In addition, an enterprise also needs to demonstrate that user information is protected with reasonable security measures and must inform consumers of data breaches, especially if their personal information is vulnerable. If an enterprise fails to comply with GDPR, it is liable to pay penalties ranging from €10 million (or 2% of the worldwide annual turnover of the prior financial year, whichever is higher) to €20 million (or 4% of the worldwide annual turnover of the prior financial year, whichever is higher).

How Concentric helps organizations maintain GDPR compliance

With Concentric AI, there are three key steps to ensure organizations are compliant with GDPR:

  • Discover and identify GDPR data
  • Monitor and classify GDPR data for risk 
  • Remediate data risk issues


Discovery and identification of GDPR data

Data discovery and identification can be a crucial step in helping a company achieve GDPR compliance.

Companies are having to manage more personal data than ever before — due to skyrocketing cloud migration, more employees working from home or in hybrid arrangements, and corporate Bring Your Own Device (BYOD) initiatives proliferating across the enterprise. For companies based in the EU or processing data from individuals in the EU, all this data means compliance challenges escalate.

The Concentric Semantic Intelligence solution uses sophisticated machine learning technologies to autonomously scan and categorize GDPR data — from financial data to PII/PHI/PCI to intellectual property to business confidential information — wherever it is stored.

[Image: Concentric risk distance visual]

Our Risk Distance analysis autonomously identifies that data, learns how it’s used, and determines whether it’s at risk. With Concentric, you will know where your GDPR data is across unstructured or structured data repositories, email/messaging applications, cloud or on-premises – all with semantic context.

[Image: Concentric Semantic Intelligence graphic]

Concentric’s Semantic Intelligence helps companies understand what personal data they hold, determine the legal basis for processing that personal data, assess the risk associated with processing it, and respond to data subject requests.

Monitoring and classifying GDPR data for risk 

[Image: monitoring GDPR data visual]

For any organization, the ability to continuously monitor data for risk is not only difficult but time-consuming for IT and security teams. As adherence to data protection laws like GDPR becomes more crucial, the resources required to write complex rules and deploy policies on-the-fly can be overwhelming. With Concentric, you can autonomously discover how GDPR data is being used, who it is being shared with, and who accessed it — to quickly and accurately pinpoint risk from inappropriate permissioning, risky sharing, and unauthorized access. 

Data classification is an important step in achieving GDPR compliance because it enables companies to identify, categorize, and organize their data according to its level of sensitivity and importance. This is particularly critical under the GDPR because the regulation imposes strict requirements on how companies handle personal data.

With Concentric, companies are empowered to: 

  • Identify which data is personal data associated with EU personnel and customers
  • Determine the level of sensitivity of personal data
  • Apply appropriate data protection measures
  • Implement data retention policies


Remediate data risk issues 

Concentric’s Risk Distance™ analysis leverages deep learning to compare each data element with baseline security practices used by similar data to identify risk without rules and policies. More importantly, our solution can remediate these access risks as they happen – whether it’s fixing access control issues or permissions, disabling sensitive file sharing with a third party, or blocking an attachment on a messaging service. 

The best part is that Concentric reduces risk, protects GDPR data without upfront policies, and doesn’t require large teams to operationalize. 

Concentric Semantic Intelligence helps enterprises discover and protect their most sensitive and confidential information without any rules, upfront work or security team overhead. 

Utilizing deep learning, Concentric Semantic Intelligence™ autonomously delivers a content-based, categorized view of your data and a risk rating for all data that has been exposed. This allows your data security, privacy, and compliance teams to easily find and correct inappropriate sharing, unauthorized access or wrong entitlements of sensitive data, efficiently preventing data loss.

Customers are successfully using our product in production for petabytes of data for:

  • Data Security Posture Management
  • Data Access Governance with Remediation
  • Data Classification
  • Privacy Data Protection, including satisfying GDPR requirements


Book a demo today to see firsthand — with your own data — how Concentric’s solution can quickly and easily be deployed to manage GDPR data risk in your organization.
