GDPR has been in the spotlight the past year, and organizations have been working hard to follow the requirements. Documentation has been an important part of the adaptation work, something we have previously written about here. But GDPR is about more than just documentation.
In order to comply with GDPR, companies not only need legal competence, but also technical expertise. GDPR highlights the importance of integrity, traceability, transparency and limited data retention when it comes to the processing of personal data. Technical solutions can facilitate compliance with the regulation.
Hosting and GDPR – do you know where your data is stored?
One of the most important technical questions to ask is – do I know where my data is being processed and stored? This is an especially relevant question since a lot of companies nowadays choose the cloud. In order to facilitate compliance with GDPR, it is important to keep track of where personal data is being processed, and especially if it is stored outside the EU / EEA. In Sweden, for example, the SKL (Swedish municipalities and county councils) has recommended that municipal data be stored in Sweden.
For companies with operations in Sweden, it may be beneficial to choose a hosting provider with data centers in Sweden. This ensures that data is stored in Sweden, and that the supplier not only understands and complies with GDPR, but also has knowledge of Swedish laws and industry-specific rules and regulations when it comes to the handling of sensitive data.
Log management to meet the requirements
Traceability is important under GDPR. For example, a personal data breach must be reported to the supervisory authority within 72 hours. Companies must then be able to provide sufficient evidence and have a good overview of who has done what. Log management can help companies comply with GDPR.
Log management has been widely used in the payment industry and healthcare industry, where it has been a requirement of the security standards PCI DSS and HIPAA.
A log is an automatic, time-stamped record of a specific event. Log management allows companies to monitor access and gives insight into how users behave and how an application works. In addition, logs can provide clues about why and how something went wrong, help uncover abnormal activity in your systems, and detect intrusions. Log management provides evidence, allows businesses to detect and monitor different behaviors, and makes it easier to evaluate situations.
In the event of a personal data breach, evidence is essential. Log management provides adequate traceability and helps companies get an overview of who has access to what – something that is very important in the GDPR era.
Tokenization and pseudonymization
All those who in some way process personal data must comply with the GDPR.
One of the requirements in GDPR concerns pseudonymization. Companies should implement technical solutions so that sensitive data cannot be directly attributed to a specific person. One way of achieving this is through tokenization. Tokenization means that sensitive data, such as personal data, is relocated and replaced with a token. The personal data itself is instead stored locally, in a separate vault that only the token can be resolved against.
Similar to log management, tokenization is already used in a number of industries, including the payment industry where it facilitates secure handling of card data.
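As an added illustration (not code from this article or any product it mentions), the following Python sketch shows the tokenization idea in practice: personal data goes into a separate vault, the application record keeps only a random token, and every reversal of a token is written to a time-stamped access log, tying the technique back to the traceability discussed above. The `TokenVault` class, the `pseudonymise_record` helper and the sample record are all constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical tokenization vault (constructed example, not a real library).
# Personal data is kept only here, separately from the application database;
# the application stores opaque tokens that reveal nothing about the person.

@dataclass
class TokenVault:
    """Maps random tokens to the personal data they replace."""
    _by_token: dict = field(default_factory=dict)
    _by_value: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # time-stamped access log

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so records stay linkable (pseudonymised),
        # while the token itself is random and not derived from the value.
        if value in self._by_value:
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str, actor: str, purpose: str) -> str:
        # Every re-identification is logged: when, who, which token, why.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, actor, token, purpose))
        return self._by_token[token]

def pseudonymise_record(vault: TokenVault, record: dict, fields: tuple) -> dict:
    """Return a copy of the record with the listed fields replaced by tokens."""
    out = dict(record)
    for name in fields:
        out[name] = vault.tokenize(record[name])
    return out

# Constructed sample record; the personal identity number is a made-up value.
SAMPLE = {"order_id": 1001, "name": "Anna Example", "personnummer": "19900101-0000"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = pseudonymise_record(vault, SAMPLE, ("name", "personnummer"))
    print(stored)  # the application record now holds no personal data
    print(vault.detokenize(stored["name"], actor="support-agent", purpose="complaint"))
    print(vault.audit)  # who looked up whom, and when
```

Without access to the vault, a leaked application record yields only tokens, and the audit list is what answers "who has done what" after an incident.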
GDPR means a stricter view on personal data processing, but the idea that sensitive information should be protected has been around for a long time. The solutions we have listed here should not only be seen as ways for companies to make their compliance with GDPR a bit easier, but also as ways for companies to improve overall security.