Originally published at: https://nextcloud.com/blog/nextcloud-helps-you-being-gdpr-compliant/
When the General Data Protection Regulation (GDPR) became a topic in 2016, most companies didn’t immediately realize that they were affected. But they quickly realized that GDPR is not yet another legislation about European companies: any company doing business with European citizens’ personal data was affected by the text, whether the business itself was European-based or not. And the definition of personal data is wider than you may think at first sight: any data linked to a person is considered as personal data. It can be their e-mail address, the name of their company, the details of their bank account that you have in your database. Or their purchases on your e-commerce solution. If your company owns any data of this kind, you’d better have a look at what GDPR is about and how you can be compliant.
Picking the right EFSS solution
Picking the right Enterprise File Sync, Share, and Collaboration solution to be GDPR-compliant is not easy. Using a free Public Cloud is certainly the worst idea you could have: do you have clear proof that your customers consented to having their driving license uploaded to Google servers in the USA, with all the privacy and security concerns that implies? All US-based companies currently worry about GDPR, since they cannot ensure the "adequate level of protection" (General Data Protection Regulation, article 45). The Privacy Shield has been presented as a solution, but it suffers from a lack of confidence in Europe and from constant legal challenges. Privacy experts have raised issues more than once, and it is questionable whether relying on the Privacy Shield is a long-term solution for enterprises doing business in Europe.
But companies face another issue: they often use legacy solutions like an internal Windows Network Drive with precise access rights management and trackable use of data. But their employees started to work around them years ago already, because collaboration with these solutions is a real pain. So, they adapted. They send sensitive company information through insecure email attachments or, worse, from their personal Dropbox or Google Drive account, completely against the rules codified in the GDPR. If that information leaks, or even by the simple fact that the persons whose data is being shared so irresponsibly haven’t given their approval, your organization has a huge legal problem. Fines can go up to 20 million or 4% of annual revenue, whichever is greater. Per incident. Think how many files are emailed as attachments per day by your employees…
So, what are the criteria you should examine when picking a GDPR-compliant EFSS solution?
Data cartography and access
Being GDPR-compliant starts with one requirement: knowing which data you have, where it is stored, and who has access to it.
If the data authority of your country controls your company, you must be able to provide them with a full list of your data processing and precise information about who has access to which data, where they are stored and how they are managed.
Nextcloud offers a full audit trail with audit logs including:
- user session (login, logout, user agent)
- file handling (download, upload, modify, (un)delete, tag, comment, restore old version)
- user management (creating/deleting/changing user, setting a password)
- sharing (creating, deleting, changing permissions, updating a password, setting an expiration date)
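The audit trail only helps with the "who has access to which data" question if someone actually turns it into a report. As an added example (not code from the post or from Nextcloud), the script below parses a handful of constructed JSON-lines audit records, sorts each event into the four categories listed above, and builds a per-path and per-user access report. The field names and message wording are an assumption modelled loosely on Nextcloud's admin_audit log, not copied from a real installation.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines (assumption: modelled on the admin_audit JSON-lines style).
SAMPLE_AUDIT_LOG = r"""
{"time":"2018-05-02T09:10:11+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"Login successful: \"alice\""}
{"time":"2018-05-02T09:12:30+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"File accessed: \"/customers/contracts/acme.pdf\""}
{"time":"2018-05-02T09:13:02+00:00","remoteAddr":"10.0.0.5","user":"alice","app":"admin_audit","message":"The following link share was created: \"/customers/contracts/acme.pdf\""}
{"time":"2018-05-02T10:00:00+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"admin_audit","message":"Login successful: \"bob\""}
{"time":"2018-05-02T10:01:15+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"admin_audit","message":"File deleted: \"/hr/payroll-2017.xlsx\""}
{"time":"2018-05-02T10:05:00+00:00","remoteAddr":"10.0.0.9","user":"bob","app":"files","message":"not an audit event"}
"""

QUOTED = re.compile(r'"([^"]+)"')   # first quoted token: a path for file/share events

def classify(message):
    """Map an audit message onto the four categories the post lists.
    Only the text before the first colon is inspected, so a path such as
    /shared/... cannot make a file event look like a sharing event."""
    head = message.split(":")[0].lower()
    if head.startswith(("login", "logout")):
        return "session"
    if "share" in head:
        return "sharing"
    if head.startswith("file "):
        return "file"
    if head.startswith(("user ", "password")):
        return "user_management"
    return "other"

def build_access_report(log_text):
    """Return which users touched which paths (and how), plus per-category counts."""
    by_path = defaultdict(set)                          # path -> users
    by_user = defaultdict(lambda: defaultdict(list))    # user -> path -> actions
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("app") != "admin_audit":
            continue                                    # only audit-app lines count as evidence
        category = classify(event["message"])
        counts[category] += 1
        quoted = QUOTED.search(event["message"])
        if category in ("file", "sharing") and quoted:
            path = quoted.group(1)
            by_path[path].add(event["user"])
            by_user[event["user"]][path].append(category + ": " + event["message"].split(":")[0])
    return {"by_path": dict(by_path), "by_user": {u: dict(p) for u, p in by_user.items()}, "counts": dict(counts)}
```

Running build_access_report(SAMPLE_AUDIT_LOG) gives the kind of "who accessed which file" listing a data protection authority can ask for; lines from other apps are deliberately ignored so that only audited events are reported.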
Security
Ensuring the security of personal data is one of the most important requirements of GDPR: companies must evaluate their risks and mitigate them. Main requirements include:
- encryption of data at rest, in transit and on the cloud. Your company alone must have the key. That already blocks most server-side encryption solutions and public clouds from usage: if you don't encrypt the data first before sending it off, using Amazon S3, Google, Microsoft or other cloud services is very risky, especially in their free versions.
- ability to retrieve personal data in case of accidental or non-accidental problems, from malicious attacks to ransomware issues. 2017 might be the year of ransomware but there is no reason to assume the problem is solved in 2018.
- the software used to manage data must be trustworthy, that is, verified, approved, certified or at least transparent enough (like open source).
Data retention (no more, no less)
GDPR is clear about the retention of personal data: it must be kept only as long as it is needed, but certain types of personal data must also be kept at least 6 months for legal reasons.
Nextcloud data retention policy allows a perfect control of sharing, with user-friendly options like sharing expiration and password. This way, you can share data with your customers and ensure they don’t have access to data anymore after a defined period of time.
On the other side, our retention app also allows you to tag certain types of data to ensure they will not be erased before they are no longer legally required.
Ensure privacy and respect of data with Nextcloud: discover our analysis of legal issues regarding personal data!