General Data Protection Regulation (GDPR)
The European Union has adopted the new General Data Protection Regulation (GDPR). This regulation, which replaces Directive 95/46/EC (the EU’s previous data protection regulation), is designed to increase data protection. The GDPR was adopted in April 2016 and is set to take effect in May 2018.
The GDPR provides greater uniformity in the handling of sensitive data throughout the EU, ensures that EU countries have more standardized laws, and better protects personal data processed for non-personal purposes. The foundational theme of the GDPR is the precept that a living person has a fundamental right to his or her own data, just as it was under Directive 95/46/EC. As with the previous regulations, personal data is any data that, directly or indirectly, identifies or can be used to identify a living individual by any reasonably likely means.
As part of its effort to create uniformity across the EU, the GDPR is automatically effective in EU member states without requiring adoption by member states’ own legislatures. It does carve out certain exceptions that allow member states to determine data handling in specific circumstances, such as law enforcement and established public interest.
What does GDPR mean to you?
Organizations that have locations in Europe must comply with GDPR. However, this regulation does not affect only European companies. Any organization that does business or operates in Europe, even if it is not physically located in Europe, is subject to GDPR. This includes companies located in the United States that conduct business in Europe or with European companies. For companies in the US, the GDPR replaces or augments the EU-US Privacy Shield. The industries most affected are financial services, drug manufacturing, and healthcare.
GDPR requires that your business data remains secure. Your company must ensure that personal data is protected, and that you have proper policies and procedures in place to ensure compliance. GDPR also gives individuals greater control over their personal data. For example, you must be able to produce an individual’s personal data upon request, and the data must be provided in a consumable format.
The GDPR makes it clear that your organization must protect personal data. Failure to comply with GDPR can have consequences, including fines and restitution. Fines can reach up to €20 million or 4% of the company’s global revenue, and organizations can also be subject to restitution for any harm caused by violating GDPR.
- One year to prepare: The GDPR will take effect in May 2018.
- Not just for Europe: GDPR applies to companies located in Europe and also to those that do business with European businesses.
- Data protection: Companies must have policies, processes, and technology in place to ensure that data stays secure and protected.
- Data consent and rights: Individuals have to give consent, and the consent has to be explicit and limited. Users also have the right to request their data, rescind requests, and revoke consent.
- Notification of data breach: The supervisory authority must be notified of a data breach within 72 hours of discovery, unless the breach is not likely to harm a person’s rights and freedoms. The individual who owns the data must also be promptly notified of a data breach, except where there is little risk of harm, where the data has been rendered unintelligible, or where notification would involve a disproportionate effort.
- Penalties: Fines can be levied up to €20 million or 4% of global revenue (whichever is greater). Individuals who are impacted by improper data handling may seek legal restitution.
- Data transfers: It is permissible to transfer data outside of Europe as long as companies establish safeguards and permissions that are in line with GDPR.
(More specifics about GDPR, its history, and why companies in the United States should care about it are here)
Are there specific requirements for email archiving?
There are no specific requirements for archiving email within the GDPR; however, other regulations mandate that email, along with other forms of electronic communication such as text messages and social media data, be archived and accessible. GDPR does specify that data must be kept safe, and that if data is shared it must be shared securely. An archiving solution like Retain can help track and audit who has accessed data. This information is needed to comply with specific requests under the regulation, for example the user’s right to withdraw consent (also known as the right to be forgotten).
How does Retain by Micro Focus Help?
Micro Focus® Retain Unified Archiving™ helps ensure GDPR compliance through secure capture of all electronic communication data, including archiving of email, mobile, and social media. Data is stored in a secure, encrypted archive: messages are archived using AES encryption and can be kept on EMC Centera or NetApp SnapLock storage, and optional encrypted partitions on Windows or Linux servers can also be used. Retain also features native support for iCAS technology. When deployed in the cloud, Retain uses redundant and secure data centers, keeping your data safe and secure.
Access to data is tightly controlled through customizable role-based permissions. Only users who have been granted rights can access the archive or use the features and functionality of the Retain system. All access to the archive is monitored with fingerprinting via the audit trail. Retain creates a searchable audit trail of all administrators and users who have permission to access the archive, giving you a record of all activity.
Retain features Write Once Read Many (WORM) storage. This ensures that data is written to the archive only once while remaining readable any number of times. Archived data cannot be changed, ensuring complete compliance with GDPR and other regulations.