MIT launches GDPR tool for SMBs
MIT has created a purpose-built GDPR tool that allows small-to-medium enterprises to comply with GDPR legislation without requiring a dedicated IT resource.
By: MIT Dynamic Technologies Limited
MIT has launched a GDPR tool within their UCentric suite that allows customers to perform sweeps of their file systems and databases to highlight potentially sensitive personal information.
GDPR states that you should have technological measures in place to: classify data, prevent data loss, encrypt data, manage explicit consent, limit data transfer, and allow individuals to exercise their rights to "Access", "Rectify" and "Erase" data.
UCentric GDPR provides this, and much more.
UCentric identifies the files and database entries where data is held even if you are unaware of it!
It will sweep all relational database engines (Microsoft SQL, MySQL/InnoDB, ODBC etc.) and detail which databases are unencrypted and where lax security or unnecessary elevation of access rights is in place.
Without knowing what data you have, how can you control consent?
The tool highlights all personal data, so you can be sure of what data you are transferring.
Access, Rectify and Erase
Built-in reporting and redaction make this a much simpler process, and perform it across multiple files or databases simultaneously.
GDPR compliance should fit neatly into any Quality Assurance system without much effort. You simply need to address the key principles of Data Classification, Data Loss, Encryption, Explicit Consent, Data Transfer, Data Access, Data Correction and Data Erasure.
The UCentric GDPR solution from MIT also provides a Quality Assurance template that you can embed within an existing ISO9001/27001 framework, or use as a standalone compliance document.
GDPR requires both the protection of personal data and evidence of the protection measures a business has in place for any location (physical or digital) where personal data is collected, processed, stored, or transmitted. Under GDPR, organisations must be able to identify when personal data becomes exposed or compromised. The regulation applies to organisations regardless of whether they're located in the EU or not.
Under Article 3 (Territorial Scope), GDPR applies to:
• Any organisation in the EU, even if the processing occurs outside the EU.
• An organisation processing EU citizen data in the context of selling goods or services or monitoring data subject behaviour in the EU. This applies even if the organisation is located outside of the EU.
• Data controllers (defined as the entities that determine the purposes, conditions, and means of the processing of personal data) that are located outside of the EU, but where the EU law applies due to international law.
Additionally, GDPR keeps the rules around data transfers that were put in place for previous laws. Data transfers can typically occur only with nations that have adequate security protections. However, GDPR does also allow for codes of conduct and certifications that, when approved, allow for exceptions – this means that other legislation may have to be considered when creating your policy (such as MiFID II etc.).
For more information, visit http://www.mit-