Few types of regulation have ever proved to be as far-reaching or game-changing as GDPR. Pretty much any organization in the world with an online presence is subject to the regulations – and if you break them, you’re in serious, expensive trouble.
At the same time, collection and use of data continues to increase. The purposes for this data become ever-more complex. Companies are striving to strike a balance between privacy protection and seizing the commercial opportunities this data opens up for them.
To make things even more complicated, you need to know that every company you need to share data with understands the intricacies of this challenge, too. Without easy, reliable ways to judge their commitment to data privacy and security, their activities could get you into hot water later on.
Data Security and GDPR
The EU’s General Data Protection Regulation (GDPR) is a broad set of data privacy and security rules that dictates how organizations can collect, use and store any data pertaining to citizens of the EU. This means that, in effect, any company with an international audience needs to comply, wherever in the world they are based.
No company can afford to ignore GDPR. If you fall foul of the rules, you could face a fine of up to €20 million or 4% of annual global revenue (whichever is bigger). This isn’t an empty threat, either: the regulators are serious about enforcement, handing out nearly $200 million in fines since GDPR came into effect.
From Google to British Airways to H&M, some of the biggest companies in the world have been forced to pay up after they were found to have played fast and loose with customer data – and fines increased by around 40% between 2020 and 2021.
Keeping your business on the right side of GDPR
Once you have personal data in your possession, you need to protect it adequately. While far from an exhaustive list, some basic steps to start with include the following:
[Note that we’re not providing hard-and-fast legal advice here!]
- Protecting the data with robust, comprehensive data security measures, such as end-to-end encryption.
- Overseeing external data management, ensuring that you have data processing agreements with any third-party vendors that outline your respective responsibilities. If they mess up on their GDPR requirements, you (as the data controller) will be held at least partly responsible.
- Having a data breach plan to mitigate the damage if you suffer a hack or leak.
- Complying with data transfer laws when you want to move data across national borders. This can get complicated!
- Appointing a data protection officer to handle these issues – although this isn’t a requirement for every company. It depends on size, data use and risk.
These rules can be tricky to navigate, especially when you want to use data for more sophisticated purposes, like machine learning and predictive analytics. Or when you plan to collaborate with other internal or external partners on data-driven projects, that require you to safely share access to sensitive datasets.
Also, these steps really are just the tip of the iceberg. Compliance with GDPR is an entire approach and outlook on managing your customers’ sensitive data. As such it involves a comprehensive privacy and security strategy. You can’t just tick a few things off the list and wash your hands of the problem. You have to show that you’re taking this seriously, doing everything you can to protect against leaks and hacks while ensuring people’s data is never used in a way they didn’t agree to.
You can’t afford to rest on your laurels
But perhaps the most difficult challenge when complying with GDPR is the accountability principle.
Every company or organization is expected to be accountable for fulfilling its own compliance obligations. There’s no external body that can tell you: congratulations, you’re now GDPR-compliant! That’s all you need to do!
This means you need to stay vigilant, continually inspecting and interrogating your processes for yourself to ensure you’re keeping in line with the demands of GDPR. It also means that you need to keep an eye on every vendor and partner you work with. It’s up to you to keep your customers’ data safe, so anyone that you entrust with their data needs to be up to your compliance standards, too.
Put simply, GDPR is not a one-off exercise. You need to periodically review your internal and external handling of data, looking for chinks in the armor (and fixing them). What’s more, you need to do this after every new development, just in case something has shifted that means you’re no longer compliant.
When you factor in the challenge of ensuring every partner and vendor you work with outside the company is following the rules, too, this can be a serious headache.
Where does certification come in?
While there’s no official GDPR certification today, industry certifications and standards exist for precisely this reason: to help you identify best practices in the industry, so that you can choose your relationships wisely to demonstrate commitment to your compliance efforts. When you’re assessing a potential vendor, certifications provide a litmus test to separate data privacy best practices from marketing bluster.
Take ISO 27701, a new standard that was published towards the end of 2019, post-GDPR and strives to align with the GDPR requirements as well as other major privacy laws. ISO 27701 is essentially a framework for creating, implementing and maintaining a watertight Privacy Information Management System (PIMS). For an organization to gain certification, they have to prove to an independent auditor that they adhere to a stringent collection of data privacy and accountability rules and processes.
These include data security and risk assessment policies, effective monitoring and measurement, and irrefutable evidence that the people they appoint to manage these are up to the task. They must also submit to audits and management reviews, ensuring standards never slip. All things considered, ISO 27701 is the closest you can get to being GDPR compliance-certified.
That said, it’s really important to appreciate that actual GDPR certification doesn’t exist, so beware of anyone that tells you otherwise! But as Europe’s most prominent body on data protection – CNIL, the French Data Protection Authority – recently clarified, while ISO 27701 is a global standard (rather than a GDPR certification instrument under Article 42 of the regulation), it nevertheless represents the state of the art in terms of privacy protection. As such, organizations that adopt it will improve their data protection maturity and demonstrate a proactive approach to personal data protection.
Explorium and your data privacy
Here at Explorium, we take security and privacy regulations very seriously, so achieving fullSOC 2 Type 2( and ISO 27001) certification was a no-brainer. We wouldn’t expect our customers to trust us with their sensitive data without proving ourselves first.
In fact, being SOC 2 Type 2 (and ISO 27001 ) compliant, certification requires an annual, external audit by a respected cybersecurity company, and penetration tests on our infrastructure and applications. We also repeat these penetration tests every time we update the product, just to be on the safe side.
This year, Explorium took its security and information systems to the next level. We’ve beefed up our security and compliance team under the leadership of our CISO, Raz Oliar, dedicated to security, privacy, and compliance. We successfully underwent a full ISO 27701 compliance audit – and are proud to say we passed with flying colors! That means we’re now also fully ISO 27701 certified. It’s just one more way that our team has gone the extra mile to demonstrate a proactive approach to protecting data privacy and security on behalf of our customers.
As a part of our certification process we have incorporated security and privacy considerations in everything that we do. The team has implemented AES-256 encryption on data at rest. For data encrypted during transit, we use TLS 1.2 or higher. We only work with vendors that we trust to stay in line with data privacy needs, too. For example, our Cloud provider is the super-secure, industry-leading AWS. Our vendors fill out strict security and privacy questionnaires too. In some circumstances, we ask them to supply DPA and other ISO 27701-derived documents, to make sure they’re following all our requirements.
Final thoughts: one less thing to worry about
In short, the burdens of GDPR aren’t getting any lighter, even after three years. Moving data around for big, ambitious machine learning purposes without putting a foot wrong is fraught with difficulties. You need to know that everyone you work with – that you entrust with your precious data – completely understands the risks and regulations. That they have taken steps to ensure compliance. And that they have the paperwork to prove it.
Learn more about Explorium’s security approach here.