
This article was co-written by Kris Lahiri, Data Protection Officer and Dawid Balut, Egnyte Architect.

Unless unused data is all the data a business holds, scrubbing it is not enough to satisfy GDPR requirements. The regulation governs data handling procedures and applies to both used and unused data from the moment an organization collects or processes it.

However, scrubbing unused data is a good start. Art.5 GDPR mandates the following:

“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);”

So if the data is no longer used, it must be removed. However, data removal is not required in some cases, such as “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.” Data minimisation is only one variable in a very long equation; to comply with the GDPR, consider the entire regulation.

Here are some good compliance questions to start with:

  1. Do you have an actual, valid, and lawful basis for data processing?
  2. Do you have explicit consent from the user to process their data? Is your consent written in clear and plain language that users can understand?
  3. Do your systems respect the user rights mandated by GDPR, Chapter 3? For example: are users allowed to withdraw consent at any time? Do you ensure users have a way to reliably request data erasure? Are users allowed to transfer their personal data from one processing system to another?
  4. Are you processing data for the purposes stated in the user-approved consent agreement?
  5. Have you audited your legacy data against GDPR requirements and ensured it complies?
  6. Do you protect data against unauthorized or unlawful processing and accidental loss or destruction?
  7. Do you have any data safeguards like encryption, network monitoring, or security assessments designed to identify weak spots in your environment?
  8. Are data protection measures designed with privacy in mind and enabled by default to provide a high level of protection from the very start?
  9. Do you have mechanisms in place to support breach notifications?
  10. Have you appointed a Data Protection Officer (DPO)?

Attend the webinar to learn more about GDPR after the May 25th enforcement date.