Protect Your Information

Data Protection

Safeguard important information of all your stakeholders from corruption, compromise or loss.

The importance of data protection increases rapidly as the amount of data created and stored in almost every industry continues to grow at unprecedented rates.

This development has also led to the enactment of data privacy laws and regulations, which may vary from country to country. One of the most well-known regulations is the European Union’s General Data Protection Regulation (GDPR), which went into effect in 2018. Compliance with any one set of rules can be complicated and challenging for organizations, but it doesn’t have to be.

Learn more about the importance of data protection and information governance, GDPR and everything you need to know about data protection. We also cover how data protection can help your business gain a competitive advantage whilst also mitigating risk.

What exactly is data protection?

The key objectives of data protection are to safeguard data and ensure its availability. The term data protection is also used to describe both the operational backup of data and business continuity/disaster recovery. Data protection strategies for organizations evolve along two main lines: the availability of data and proper data management.

Data availability

Organizations increasingly rely on data to deliver products and provide services to their customers. To keep their data accessible, organizations need to keep the Information Technology (IT) infrastructure active even in the case of a disruption to the network. This state of guaranteed access to data is known as data availability.

A scenario in which data is not accessible is highly problematic because it could prevent the delivery of services, and in some cases it creates a chain reaction that compromises other data as well. Therefore, organizations must take measures to ensure that mission-critical data remains available at all times.

Data management

There are two key areas of data management used in data protection:

Data lifecycle management is the process of automating the movement of critical data records to storage locations.

Information lifecycle management is a comprehensive strategy for valuing, cataloging and protecting information assets from application and user errors, malware and virus attacks, machine failure or facility outages and disruptions.

More recently, effective data management gained a more prominent role as it enables organizations to unlock business value from otherwise dormant copies of data for reporting, knowledge management, analytics and other purposes.

The EU’s General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into effect in May 2018 and has been an essential step in strengthening European citizens’ fundamental rights in the current Digital Revolution. It also monitors businesses and prevents companies from misusing personal data for their own financial gain in ways that put the user at risk.

Who does the GDPR data protection law apply to?

The GDPR applies to:

  1. a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  2. a company established outside the EU that offers goods/services (paid or free) to, or monitors the behaviour of, individuals in the EU.

If your company is a small or medium-sized enterprise (‘SME’) that processes personal data as described above, you have to comply with the GDPR. However, if processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals, then some obligations of the GDPR will not apply to you (for example the appointment of a Data Protection Officer (‘DPO’)). Note that ‘core activities’ include activities where the processing of data forms an inextricable part of the controller’s or processor’s activities.

What is a data controller or a data processor?

The data controller determines the purposes for which and the means by which personal data is processed. So, if your organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organization do so to fulfill your tasks as data controller.

Your organization is a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed. Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the GDPR rules. The main aspects of the arrangement must be communicated to the individuals whose data is being processed.

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.

The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.

There are situations where an entity can be a data controller, or a data processor, or both.

What data can be processed and under which conditions?

The type and amount of personal data an organization may process depends on the reason for processing it (the legal basis relied on) and the intended use. The organization must respect several key rules, including:

  • Lawfulness, fairness and transparency: personal data must be processed in a lawful and transparent manner, ensuring fairness towards the individuals whose personal data is being processed.

  • Purpose limitation: there must be specific purposes for processing the data and the organization must indicate those purposes to individuals when collecting their personal data. An organization can’t simply collect personal data for undefined purposes.

  • Data minimisation: the organization must collect and process only the personal data that is necessary to fulfill those purposes.

  • Accuracy: the organization must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not.

  • Compatibility: the organization can’t further use the personal data for other purposes that aren’t compatible with the original purpose.

  • Storage limitation: the organization must ensure that personal data is stored for no longer than necessary for the purposes for which it was collected.

  • Integrity and confidentiality: the organization must implement appropriate technical and organisational safeguards that ensure the security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technology.

GDPR compliance

There is no quick fix for GDPR compliance, but what will really help is to create a records management capability and embed record-keeping into the day-to-day operations of an organization. This will go a long way toward creating a framework for compliance.

What is Records Management?

Records management is a prerequisite of data protection. Privacy statements and entries in the Register of Processing Operations are much more difficult to draw up when records management procedures and tools have not yet been developed. The existence of a GDPR-compliant environment, where records containing personal data are routinely identified, classified, protected and lifecycle-managed, depends on records management procedures and systems.

The definition of a record

According to the International Council of Archives (ICA), a record is any “recorded information produced or received in the initiation, conduct or completion of an institutional or individual activity and that comprises content, context and structure sufficient to provide evidence of the activity.”

This quote brings up an important distinction. While records are often considered synonymous with documents, they include one important characteristic that makes them unique: records, whether physical or digital, include evidence of a particular business activity, requiring them to be stored and retained over an extended period.

While the definition of a record is often identified strongly with a document, it includes any tangible object or digital information that has value to the organization.

Common records are:

  • Documents created in the course of business (correspondence, agreements, studies).
  • Items that require organizational action (FOIA requests, controlled correspondence).
  • Documented organizational activities and actions (calendars, meeting minutes, project reports).
  • Items mandated by statute or regulation (administrative records, legal/financial records, dockets).
  • Items supporting financial obligations or legal claims (contracts, grants, litigation case files).
  • Items needed to communicate organizational requirements (guidance documents, policies, procedures).
  • In addition, some industries require organizations to treat items posted on social media sites (Twitter, Facebook, Instagram, etc.) as records.

The definition of a record

Nowadays there are various records management laws and regulations that must be followed when managing records. Storing files on an organization’s shared drive is not enough to meet today’s industry compliance standards. Beyond the legal mandates, a records management strategy is vital to the lifecycle of your organization’s information.

The lifecycle of a record contains the following phases: