GDPR Compliance with FileCloud

Quick Refresher on GDPR

The General Data Protection Regulation or commonly known as GDPR is a broad set of rules ensuring data protection of all individuals within the EU. GDPR rules apply not only to companies located in the EU but all companies dealing with data of EU residents. Violation of GDPR may cost companies penalties of 4% of their revenue. The regulations were enforced on May 25th, 2018.

The GDPR is derived from a number of data protection principles. These principles outline the rules that organizations must follow when they collect, process, and store an individual’s personal data.

  • Consent and Transparency – When data is collected, organizations must be clear about why it’s being collected and how it’s going to be used. If the user requests information regarding the processing of data, then organizations should provide this in a timely manner.
  • Purpose limitation – Organizations must have plausible reasons for collecting and processing personal data. The data can be used only for the said purpose and should not be processed for any other use unless the user has provided their explicit consent.

  • Data minimization – According to GDPR, data must be relevant and limited to what is necessary for which they are processed. This means that organizations should only store the minimum data required for their purpose.

  • Accuracy – Personal data must be accurate, fit for purpose, and up to date. The organizations should regularly review information held about individuals and delete or amend inaccurate information accordingly. Users have the right to rectify or erase inaccurate and unnecessary data within 30 days.

  • Storage limitation – Once the data serves its purpose for which it was collected, it should be deleted or destroyed unless there are other grounds for retaining it. The GDPR does not specify how long you should store the data.

  • Integrity and Confidentiality – Your organization must ensure that all the security measures are in place to secure the personal data you store. This could be from internal threats such as unauthorized use, accidental loss, or damage, and external threats such as phishing, malware, or theft.

  • Accountability – This principle states that organizations must take responsibility for the data they hold and demonstrate compliance with the other principles. This means that organizations must be able to provide evidence of the steps they have taken to demonstrate compliance.

Key Updates on GDPR

GDPR hasn’t been the same since it’s enforced in 2018. Here’s a quick update of what has happened since it came into effect.

1. A broader definition of Joint Controller – A joint controller is a group of controllers that jointly determine the purposes and means of processing. According to CJEU, when you process customer data, you along with your fellow joint controller(s) will decide and manage each step so you’re compliant with the GDPR. You both are equally responsible to ensure the entire process is  GDPR compliant. Both of you are accountable to the data protection authority.

2. Privacy Shield is Invalid – the EU-US Privacy Shield lets companies sign up to higher privacy standards, before transferring data to the US. The agreement governing the transfer of EU citizens’ data to the United States has been struck down by the European Court of Justice.

3. Cookie Consent –  In May 2020, the EU updated its GDPR rules which also included these cookie consent points

  • Cookie walls should not be used
  • Consent must be explicit, scrolling or swiping a website does not imply consent.

4. The Big Fines –  The French data Regulator has fined google 50 Million euros for lack of transparency and valid consent. The UK ICO fined Marriott International Inc. £18.4m for not ensuring 339 million guest records security. They have also fined British Airways £20m for a data breach of 400,000 customers’ personal data.

Implementing GDPR with FileCloud

User Consent

Reconsider how you are collecting personal data. Are you buying mailing lists? Then it is time to start fresh with a new mailing list that you have procured from informed customers and have consent for collecting their e-mail addresses. You can still acquire users or convert visitors from your website. It can be done by allowing visitors of your website to add themselves to your mailing list using a signup form. While getting consent, make sure you provide a link to your privacy policy which informs people exactly what you will do with the collected data.

In FileCloud, an administrator can enforce privacy settings, so that a user sees an I agree to Terms of Use.

To view the actual terms of service, users should click I agree to Terms of Use.

Right to Access

This is one of the important rights that the GDPR has set for the users. This basically means data subjects at any point, can ask you about the data that has been collected. Moreover, they need to be responded to within a month by the data controller.

FileCloud allows data protection officers to search for user data across all file content and activity logs.

 

Right to Be Forgotten

Under GDPR, users can request the deletion or anonymization of any data that the companies possess on them. FileCloud offers features to delete files. FileCloud also provides a tool for anonymization of any data that companies possess relating to a user, including activities log.

Data Portability

Exporting data from your system should be possible. Commonly accepted formats include  .csv, .pdf or .txt files. This will allow you to manage the portability.

FileCloud allows the export of files in all these standard formats and activity logs in easily readable files. Users can move their files easily from FileCloud.

 

DPOs

The DPO should have a comprehensive understanding of the General Data Protection Regulation (GDPR). Companies having more than 250 employees should assign a data protection officer (DPO) to ensure compliance.

FileCloud has special user types with a subset of admin tools. Organizations can create special user accounts for their DPOs to monitor compliance. You can assign a subset of admin features that you want to for your DPOs.

Data Mapping

The data that is collected, stored, and being processed needs to be categorized. GDPR requires you to ensure that files with personal information have not been shared inappropriately by searching for sensitive information and reviewing who has accessed it. To assess the data path and who has access to data, you need to create a mind map to help guide your processes of GDPR compliance.

With FileCloud, IT and system administrators can now search for common data types. You can easily search using built-in pattern identifiers like e-mail addresses, phone numbers, and credit cards. FileCloud also has templates you can use to search for complex patterns such as license plate numbers, driver’s licenses, and national identification numbers.

References 

https://www.smashingmagazine.com/2021/02/state-gdpr-2021-key-updates/

https://www.getfilecloud.com/supportdocs/display/cloud/GDPR+Compliance+in+FileCloud