Companies are striving to strike a balance between privacy protection and seizing the commercial opportunities this data opens up for them.
SAN FRANCISCO (PRWEB) April 28, 2021
Few types of regulation have ever proved to be as far-reaching or game-changing as GDPR. Any organization that processes the personal data of people in the EU is subject to it, wherever in the world that organization is based, and anyone who breaks the rules is in serious, expensive trouble.
At the same time, collection and use of data continues to increase. The purposes for this data become ever-more complex. Companies are striving to strike a balance between privacy protection and seizing the commercial opportunities this data opens up for them.
Data Security and GDPR
The EU’s General Data Protection Regulation (GDPR) is a broad set of data privacy and security rules that dictates how organizations can collect, use and store personal data relating to individuals in the EU. Note that the test is where the data subject is, not their citizenship: a non-EU company serving people located in the EU is in scope.
No company can afford to ignore GDPR. Falling foul of the rules could lead to a fine of up to €20 million or 4% of annual global turnover (whichever is higher). This isn’t an empty threat, either: the regulators are serious about enforcement, handing out nearly $200 million in fines since GDPR came into effect.
From Google to British Airways to H&M, some of the biggest companies in the world have been forced to pay up after they were found to have played fast and loose with customer data, and fines increased by around 40% between 2020 and 2021.
Keeping business on the right side of GDPR
Anyone with personal data in their possession must protect it adequately. While far from an exhaustive list, some basic steps to start with include the following:
[Note that this is not hard-and-fast legal advice here!]
- Protecting the data with robust, comprehensive security measures. Encryption and pseudonymisation are the two that GDPR Article 32 names explicitly; in practice that means encrypting data at rest and in transit and restricting who and what can read it.
- Overseeing external data management, ensuring that data processing agreements (DPAs) exist with any third-party vendors and that they set out each party’s responsibilities.
- Having a data breach plan to mitigate the damage in the event of a hack or leak, including the notification to the supervisory authority within 72 hours of becoming aware of a breach that Article 33 requires.
- Complying with data transfer rules when moving personal data out of the EU, such as standard contractual clauses or another recognised transfer mechanism.
These rules can be tricky to navigate, especially when using data for more sophisticated purposes, like machine learning and predictive analytics, or when collaborating with internal or external partners on data-driven projects that require safely sharing access to sensitive datasets.
But perhaps the most difficult challenge when complying with GDPR is the accountability principle.
Every company or organization is expected to be accountable for fulfilling its own compliance obligations.
This means staying vigilant: continually inspecting and interrogating company processes internally, and keeping records that show the checks were done, to demonstrate compliance with the demands of GDPR. It’s up to businesses to keep their customers’ data safe, so anyone they entrust with that data needs to meet the same standard, too.
Where does certification come in?
While there’s no official GDPR certification today (the regulation provides for approved certification schemes in Article 42, but none was in place at the time of writing), industry certifications and standards exist for precisely this reason: to identify best practice, so that businesses can choose their partners wisely and demonstrate commitment to their own compliance efforts.
Take ISO 27701, a standard published in 2019, after GDPR took effect, that strives to align with the GDPR requirements as well as other major privacy laws. ISO 27701 is essentially a framework for creating, implementing and maintaining a Privacy Information Management System (PIMS). It is built as an extension of ISO 27001 and ISO 27002, so an organization needs an ISO 27001 information security management system as its foundation. To gain certification, the organization has to prove to an independent auditor that it adheres to a stringent set of data privacy and accountability rules and processes. All things considered, ISO 27701 is the closest you can get to being GDPR compliance-certified.
That said, it’s really important to appreciate that actual GDPR certification doesn’t exist, so beware of anyone who says otherwise! But as CNIL, the French data protection authority, recently clarified, while ISO 27701 is a global standard (rather than a GDPR certification instrument under Article 42 of the regulation), it nevertheless represents the state of the art in privacy protection. As such, organizations that adopt it will improve their data protection maturity and demonstrate a proactive approach to personal data protection.
Explorium and your data privacy
At Explorium, they take security and privacy regulations very seriously, so achieving SOC 2 Type 2 (and ISO 27001) certification was a no-brainer.
Holding SOC 2 Type 2 (and ISO 27001) certification requires an annual external audit by an independent auditor, and penetration tests on Explorium’s infrastructure and applications. A SOC 2 Type 2 report in particular attests that the controls operated effectively over the whole audit period, not just on the day of the audit. Explorium repeats these penetration tests every time they update their product, just to be on the safe side.
This year, Explorium took its security and information systems to the next level. They’ve beefed up their security and compliance team under the leadership of their CISO, Raz Oliar, dedicated to security, privacy, and compliance. They successfully underwent a full ISO 27701 compliance audit - and passed with flying colors!
As a part of their certification process they have incorporated security and privacy considerations in everything that they do. The team has implemented AES-256 encryption on data at rest. For data in transit, they use TLS 1.2 or higher. They only work with vendors that they trust to stay in line with data privacy needs, too. For example, their cloud provider is AWS, whose own compliance attestations cover the underlying infrastructure while Explorium remains responsible for what it runs on top of it. Their vendors fill out strict security and privacy questionnaires too. In some circumstances, they ask them to supply a DPA and other ISO 27701-derived documents, to make sure they’re following all Explorium data security requirements.
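To make the two controls above concrete (AES-256 at rest, TLS 1.2 or higher in transit), here is an added example in Go. It is not Explorium’s code and says nothing about how their product is built; it shows what a minimum-version TLS configuration and an AES-256-GCM at-rest wrapper look like, with the weak TLS setting beside the correct one. The key and record identifier are constructed for the demonstration; in a real system the key comes from a KMS or HSM and the associated data is a stable record identifier.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
)

// minTransitVersion is the floor described above: TLS 1.2 or higher.
const minTransitVersion = tls.VersionTLS12

// transitConfig enforces the floor explicitly rather than relying on the
// Go release's default, so the policy is visible in code review.
func transitConfig() *tls.Config {
	return &tls.Config{MinVersion: minTransitVersion}
}

// weakTransitConfig is the setting a reviewer should flag: it still admits
// TLS 1.0 and 1.1 handshakes.
func weakTransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS10}
}

// meetsTransitFloor reports whether a negotiated protocol version (as found
// in tls.ConnectionState.Version) satisfies the policy.
func meetsTransitFloor(version uint16) bool {
	return version >= minTransitVersion
}

// sealAtRest encrypts plaintext with AES-256-GCM. The random 12-byte nonce is
// prefixed to the output; aad (for example a record identifier) is
// authenticated but not encrypted, so a ciphertext cannot be silently moved
// from one record to another.
func sealAtRest(key, aad, plaintext []byte) ([]byte, error) {
	if len(key) != 32 { // 16 or 24 bytes would silently give AES-128/192
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte tag to the nonce slice.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAtRest reverses sealAtRest and fails closed on any tampering with the
// nonce, ciphertext, tag or associated data.
func openAtRest(key, aad, sealed []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key := make([]byte, 32) // constructed demo key; production keys come from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := sealAtRest(key, []byte("record:42"), []byte("name=Ada Lovelace"))
	if err != nil {
		panic(err)
	}
	_, err = openAtRest(key, []byte("record:43"), sealed)
	fmt.Println("ciphertext moved to another record opens:", err == nil)
	fmt.Println("TLS 1.1 meets the transit floor:", meetsTransitFloor(tls.VersionTLS11))
}
```

The point of the associated-data argument is that "encrypted at rest" is not enough on its own: without binding each ciphertext to its record, an attacker with write access to storage can swap encrypted values between records without ever touching the key.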
Final thoughts: one less thing to worry about
In short, the burdens of GDPR aren’t getting any lighter, even three years after it came into effect. Moving data around for big, ambitious machine learning purposes without putting a foot wrong is fraught with difficulties. Companies need to know that everyone they work with, everyone they entrust with their precious data, completely understands the risks and regulations, has taken steps to ensure compliance, and has the paperwork to prove it.