The Clock is Ticking on General Data Protection Regulation (GDPR) Compliance
In this webinar, we shared how the Unifi Data as a Service Platform with RegAlert! can help your organization be GDPR compliant in 12 weeks. There was a good Q&A throughout the webinar but we weren’t able to answer every question during the event. This blog post answers all the questions that arose during the webinar.
What is GDPR?
In May of 2018 EU citizens can expect control and protection of their personally identifiable information (PII). Any organization that stores EU consumers' PII must comply with GDPR: store the data securely, notify the consumer if there is a data breach, allow the data to move from one service to another, and enable the consumer to completely delete and erase their information if they so desire. Unifi can help you be ready for GDPR compliance.
Do I have to move all of my data into a lake before I can be GDPR compliant?
Not with Unifi. We deliver a data virtualization layer through our catalog and discovery features, so you connect to the data in place and then use change data capture (CDC) to identify any data that has changed each time a transform job is run.
Can you do row level security too?
Yes. This is particularly useful when your dataset contains both EU and rest-of-world data.
Are you masking the data at the source or creating a derived dataset with masked data?
We support both methods. You can keep the source data in the clear and grant access to it to users who need it, for example in customer service, and then have a masked dataset that becomes your default data for analytics. Alternatively, the data steward can simply select in Unifi which rows or columns to mask based on who is viewing the data.
Do you handle data deletion when someone asks to have their record removed?
We do not change the source data. However, we can track the request and then use the audit function in Unifi's governance pillar to show the requested deletion together with the date and time of the deletion, which we gather through the CDC feature.
What customer-facing changes do we need to make to be GDPR compliant?
There are quite a few, and we encourage you to raise this question with your compliance team, general counsel or privacy officer. Here are some things to consider:
- You'll have to provide facilities on your site, and perhaps through your mobile application, for users to request the deletion of their records.
- You'll need to update the terms and conditions of use and privacy statements on your site, and you should notify your consumers of these changes with links to the new documents.
- You need a way for customers to request data transfers. This is perhaps the most challenging aspect, but there is a precedent for it in mobile phone number portability.
For a regional local U.S. bank, would compliance with U.S. banking privacy and information security rules be sufficient?
Banks and credit unions might hold EU citizens' data from ATM use, or an EU citizen may decide to open an account with a U.S. bank. These instances—among other examples—would make the financial institution subject to GDPR compliance. U.S. privacy and security regulations alone would not be sufficient.
For more information about GDPR and how Unifi can help organizations with data compliance, visit unifisoftware.com/GDPR.