GDPR Compliance: An XMedius Solutions Checklist for Government Offices
On May 25th 2018, the General Data Protection Regulation (GDPR) comes into effect. In essence, the GDPR requires that all organizations that fall under its purview take every possible measure to ensure that the personal information they collect or process has a legal basis, has the consent of the individual about whom it is collected, and can be accessed, modified or erased at the request of that individual. And while it was developed in the EU, the GDPR's legal requirements apply to any government agency or office that collects, processes, exchanges or stores personal data on residents of the EU.
The penalties for non-compliance can be very high: organizations can be fined up to €20 million for breaching the GDPR. Just as important is the fact that public trust and confidence in your office or agency is on the line.
By some estimates, even at this late date, only about half of all agencies and organizations that fall under the GDPR umbrella are fully prepared.
Last fall, EU compliance expert Denis Virole of Ageris Group in France identified XMedius solutions as a solid addition to any organization's GDPR compliance strategy. As the deadline approaches, we want to help you fast-track your GDPR compliance.
Compared to other sectors, government offices around the world process a higher than average amount of personal data. If you're considering implementing an FoIP or secure file exchange solution to boost GDPR compliance, we've put together some of the regulation's key requirements, along with some essential items you should consider to ensure that your IP solution addresses these requirements.
GDPR Compliance Checklist
You’re obliged to secure the explicit consent of anyone whose personal information you collect, process or store. Processed data can only be used for limited specified purposes.
- Your file exchange solution should have a configuration option that requests participant consent before any personal data is transmitted and that sets parameters for data use.
Individuals are permitted to withdraw their consent, or have their data changed.
- Your file exchange solution must have features that simplify making corrections or deleting an individual’s records.
Individuals have the right to access any personal data that has been processed. Further, an individual can request information on how that personal data is being used, and by whom.
- Your file exchange solution must have the capacity to generate this information upon request.
You must be able to rigorously safeguard any personal data you collect, process or store.
- The file exchange systems or processes you use to collect data need to be protected by technologies such as double encryption, two-factor authentication and built-in anti-virus protection
- You must be able to limit employee access to individual data
- You must have processes in place to prevent the loss of data
- Privacy and security features must be built into the systems and procedures you use to collect data
Any organization that processes personal data must track and record how the personal data is processed.
- Must be able to limit access to the personal data you process
- Must be able to generate and maintain detailed records about how and when data is processed and stored, and ensure that any third-party file exchange or cloud services you use also adhere to GDPR regulations
- Must be able to create a Data Impact Assessment in case of a data breach or other data degradation
- Must be able to provide a comprehensive audit trail that details when and how personal data was processed
Any organization that suffers a potential data breach must notify the supervisory authorities, as well as the individuals who may be affected by the breach, within 72 hours of first becoming aware of it.
- Your file exchange solution must be able to keep detailed records of all individual file interactions, and have the capability to automatically generate a detailed audit trail as well as a Data Impact Assessment
As a government entity, you’re required to have a Data Protection Officer.
- You will need to seek someone well-versed in cyber security and familiar with state-of-the-art IP solutions that can be simply and rapidly deployed for secure file exchange
Secure File Exchange Solution Checklist
It's widely recognized that traditional methods of transmitting sensitive or mission-critical data, such as email, zip files, or FTP servers, are fundamentally insecure. State-of-the-art IP solutions can offer much greater security and a superior user experience.
- A configuration option that asks for an individual’s explicit consent before any data on that individual is collected
- Stringent security features such as double encryption, two-factor authentication and built-in antivirus protection
- The ability to produce a detailed audit trail of all processes to which an individual’s data has been subjected
- The ability to produce a Data Impact Assessment in case of potential data breach
- The capacity to exchange large files, including video and audio files
- Customization features that allow you to limit access to private data, delete private data within a specified time frame, and choose varying levels of security
- Ease of use from a range of platforms, including smartphones and tablets
For more information on GDPR, see our whitepaper.
To learn more about XMedius Solutions, and how they can take your regulation compliance strategy to the next level, speak with an expert today.