ARCHII AUTOMATICALLY IDENTIFIES YOUR GDPR RISKS
GDPR DEADLINE IS 25 MAY 2018
ARE YOU READY?
You need to know where your company’s personal data is located.
But personal data is located everywhere – especially in documents.
Fines are up to €20 million or 4% of your global turnover.
If not? Archii is your solution…
ARCHII FINDS YOUR GDPR RISKS
Archii automatically identifies your GDPR risks across all documents, from e-mail attachments to file storage. Archii presents a full dashboard and gives you the ability to manage the risks on the spot.
HOW YOU GET STARTED
1. You download Archii to your computer.
2. You invite all employees to be users.
3. You choose locations to search and provide names of employees, customers etc.
4. Archii identifies the documents containing personal data.
5. The dashboard gives you a full overview of personal data risks and their locations.
6. You request users to manage personal data risks (delete or explain).
HIGHLIGHTS ABOUT GDPR
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) 2016/679 is an EU regulation on data protection and privacy for all individuals within the EU. Most importantly, it sets out requirements for:
- the handling of personal data,
- which data is considered personal data,
- how long you can store personal data,
- which companies are covered by the regulation,
- and the remedies available to the authorities.
Within the GDPR, “personal data” means: “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
In plain words, it means that all data that can identify a natural person is considered personal data and has to be handled in accordance with the GDPR.
SENSITIVE PERSONAL DATA
Certain types of personal data under the GDPR are considered “sensitive data”.
This is defined as personal data revealing:
- racial or ethnic origin,
- political opinions, religious or philosophical beliefs, or
- trade union membership,
and the processing of:
- genetic data, biometric data for the purpose of uniquely identifying a natural person,
- data concerning health, or
- data concerning a natural person’s sex life or sexual orientation.
Processing of such sensitive data is prohibited by default but may be permitted in certain circumstances in accordance with Article 9(2) of the GDPR.
IDENTIFICATION OF PERSONAL DATA
One of the key challenges of the GDPR is to identify the personal data across a company, especially data that is “unstructured”, meaning that it is not held in a database. Such data is mainly found in documents. For instance, a CV will most likely contain personal data and is typically received by e-mail and then circulated within the company.
Reports show that your top 5 risk locations are:
- File storage
- ECM systems
- Cloud apps
- Mobile devices
Locations #1 and #2 are unsupervised (and unstructured) and rely mainly on individual employees.
The GDPR replaces the previous directive, and some new or modified concepts are important to highlight:
- Increased Territorial Scope (extra-territorial applicability)
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
- Data Protection Officers
1. Increased Territorial Scope (extra-territorial applicability)
The GDPR applies to companies both inside and outside the EU if they handle data about EU citizens. If your company is not established in the EU, the GDPR applies where the data activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.
A company in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater).
Consent to handle personal data must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
4. Breach Notification
In the event of a data breach, you are required to inform the relevant data protection authority. This must be done within 72 hours of first becoming aware of the breach.
5. Right to Access
A data subject can now request access to all personal data concerning him or her that is being processed, including where it is held and for what purpose. As a company, you need to provide a copy of the personal data, free of charge, in an electronic format.
6. Right to be Forgotten
The right to be forgotten enables a data subject to require that a company erase his/her personal data, cease further dissemination of the data, and potentially have third parties stop processing the data.
7. Data Portability
This is a right for the data subject to require the transfer of his/her personal data to another “controller”.
8. Privacy by Design
If you are building systems, “privacy by design” calls for privacy to be taken into account throughout the whole engineering process. It is not a new concept but has now found its way into the GDPR itself.
9. Data Protection Officers
Certain (and most active) companies will be required to appoint a “Data Protection Officer” (a DPO).
- 1-20 users and 1 admin.
- Access to GDPR templates.
- Free preview of the result before purchase.
- Plus DKK 160 per extra user above 21 users.
- Access to GDPR templates.
- Demo or preview.
- >75 users.
- Free demos and test teams.
- Local server option (extra fee) and more admins.
Blue Data Management is trading under:
Blue Data Management ApS
Big Blue Data ApS
Big Blue Data Management ApS
Company registration: 25 60 86 90
Ravnsborggade 8B, 5th floor
2200 Copenhagen N, Denmark