What is the EU General Data Protection Regulation?
As of May 25, 2018, the GDPR introduces far-reaching obligations for companies that collect, use, or otherwise process personal information.
- The GDPR is the EU’s reform of its privacy framework. It replaces and harmonizes the EU’s long-standing bundle of national data privacy laws.
- The GDPR introduces a single framework that is directly applicable in all EU Member States; however, a number of national customizations remain possible.
- The GDPR keeps the six core data protection principles of the 1995 Data Protection Directive (now with an explicit accountability obligation), but adds significant changes and new requirements designed to protect the privacy of individuals in the EU. For example, the GDPR introduces enhanced rights for data subjects, such as the right to data portability.
To whom does the GDPR apply?
- Companies established in the EU that process personal information;
- Companies based outside the EU that offer goods or services directly to individuals in the EU (regardless of whether payment is required), or monitor the behavior of individuals in the EU (for instance, through customer profiling).
These statistics come from the European Commission (release date: January 2019):
- Total amount fined for companies: 50,025,280.00 EUR
- 95,180 complaints to Data Protection Authorities (DPAs) from individuals who believe their rights under the GDPR have been violated
- 41,502 data breaches notified by companies
Siodb and its commitment to privacy under the GDPR
The right to be forgotten
The right to be forgotten (Article 17, the right to erasure) is one of the key obligations of the GDPR. The decisive test is that, once personal data has been erased, it can no longer be recovered without disproportionate effort. Siodb exposes the Privacy API, which lets an individual control the lifetime of their personal data directly within the database, so it gives you a concrete tool for honoring Article 17 requests. Furthermore, Siodb only needs one backup copy, which means a single synchronization of your backup propagates the effect of the Privacy API to the backup as well. You therefore no longer need to resync months or years of backup files to honor an erasure request, as you would with a traditional database system.
Privacy by design
“Privacy by design” is of significant importance under the GDPR (Article 25, data protection by design and by default). The term means “data protection through technology design”: data protection is best achieved when it is built into the technology at development time rather than bolted on afterwards. Siodb provides “privacy by design” for personal data because its storage structure was built for privacy from the first version, not added as a later option.
Encryption of your data
Article 32 of the General Data Protection Regulation requires you to protect personal data with appropriate technical and organizational measures, and it names encryption explicitly as one of those measures. Encryption can be tough to implement in traditional database systems because it is often a complex option that you have to configure and maintain over time. Siodb encrypts your customers’ data by design and by default. In the event of a GDPR audit, you must demonstrate that you implemented measures which apply the principles of data protection by design and by default. Isn’t it convenient to have the database do that for you automatically, by design and by default?
Siodb data integrity
We believe in people’s privacy, and we designed Siodb so that each column of each table is stored in one of three kinds of storage:
- The standard column storage: used for all data that does not need to be authenticated.
- The private column storage: used for your customers’ personal data. Your customers can set an expiration date on it through the Privacy API. Whenever the Privacy API is triggered by a customer, or data is deleted from such a column, an internal job deliberately overwrites the private data with random bits.
- The immutable blockchain: used for authenticated transaction records such as digital contracts, notarized documents, monetary amounts, and so on.
It is up to you to identify which data should be flagged as personal; Siodb then cleans your customers’ personal data whenever they request it or an authority or regulation requires it.
The personal data retention period
Article 25(2) of the GDPR states that companies shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed, and that this obligation explicitly covers the period for which the data is stored. What technique are you using to enforce the retention period for personal data?
When you use the Privacy API from Siodb, you or your customers can set an expiration date on personal data. Whenever the retention period is over, a job in Siodb overwrites with random bits the personal data that should no longer be in your information system.
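The retention mechanism described in the two sections above (a per-record expiration date, an erasure request that pulls that date forward, and a job that overwrites expired personal data with random bits) is shown below as an added, generic example. It is not Siodb’s Privacy API and not Siodb code: it models the technique on a plain SQLite table, with hypothetical function names (`open_store`, `insert_customer`, `request_erasure`, `scrub_expired`, `read_private`) and constructed sample records. The `PRAGMA secure_delete` call is a real SQLite setting that makes the engine zero-fill freed pages, which matters because an in-place overwrite alone does not clean up copies the storage layer has already made.

```python
"""Retention-period enforcement for personal data, as a generic example.

Assumptions (not from Siodb): personal data lives in dedicated "private"
columns stored as BLOBs, every record carries an `expires_at` deadline,
and a periodic job scrubs anything past its deadline by overwriting the
private columns with random bytes of equal length.
"""
import os
import sqlite3
from datetime import datetime, timedelta, timezone


def open_store(path=":memory:"):
    """Open (or create) the store and make SQLite zero freed pages."""
    conn = sqlite3.connect(path)
    # Without this, deleted/overwritten content can linger in free pages.
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute(
        """CREATE TABLE IF NOT EXISTS customer (
               id         INTEGER PRIMARY KEY,
               email      BLOB,               -- private column
               phone      BLOB,               -- private column
               expires_at TEXT NOT NULL,      -- ISO 8601, UTC
               erased     INTEGER NOT NULL DEFAULT 0)"""
    )
    # Deliberately no index on private columns: an index is another copy.
    conn.commit()
    return conn


def insert_customer(conn, email, phone, retention_days, now=None):
    """Store personal data together with its retention deadline."""
    now = now or datetime.now(timezone.utc)
    expires_at = (now + timedelta(days=retention_days)).isoformat()
    cur = conn.execute(
        "INSERT INTO customer (email, phone, expires_at) VALUES (?, ?, ?)",
        (email.encode(), phone.encode(), expires_at),
    )
    conn.commit()
    return cur.lastrowid


def request_erasure(conn, customer_id, now=None):
    """Article 17 request: move the deadline to now so the next job run scrubs it."""
    now = now or datetime.now(timezone.utc)
    conn.execute(
        "UPDATE customer SET expires_at = ? WHERE id = ? AND erased = 0",
        (now.isoformat(), customer_id),
    )
    conn.commit()


def scrub_expired(conn, now=None):
    """The retention job: overwrite expired private columns with random bytes.

    Returns the ids that were scrubbed in this run, so the caller can log
    the erasure for accountability without logging the data itself.
    """
    now = now or datetime.now(timezone.utc)
    rows = conn.execute(
        "SELECT id, length(email), length(phone) FROM customer "
        "WHERE erased = 0 AND expires_at <= ? ORDER BY id",
        (now.isoformat(),),
    ).fetchall()
    for cid, email_len, phone_len in rows:
        # Same length as the original so the record's shape gives nothing away.
        conn.execute(
            "UPDATE customer SET email = ?, phone = ?, erased = 1 WHERE id = ?",
            (os.urandom(email_len), os.urandom(phone_len), cid),
        )
    conn.commit()
    return [cid for cid, _, _ in rows]


def read_private(conn, customer_id):
    """Return (email, phone, erased) for inspection."""
    return conn.execute(
        "SELECT email, phone, erased FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()


if __name__ == "__main__":
    # Constructed sample data, not real customers.
    db = open_store()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    alice = insert_customer(db, "alice@example.com", "+15550100", 30, now=t0)
    bob = insert_customer(db, "bob@example.com", "+15550101", 365, now=t0)
    later = t0 + timedelta(days=31)
    print("expired after 31 days:", scrub_expired(db, now=later))   # alice only
    request_erasure(db, bob, now=later)
    print("erased on request:", scrub_expired(db, now=later))       # bob
    print("alice now:", read_private(db, alice))
```

The overwrite is the visible part of the technique; the harder part is every other place the engine may hold a copy: indexes on the private columns, rollback journals or write-ahead logs, MVCC row versions, snapshots, and older backups. That is why the page stresses how backups are handled. When you evaluate any database's erasure feature, ask for each of those locations how and when the old bytes become unrecoverable.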
Should you need more information, please contact us and we’ll get back to you quickly.