General Data Protection Regulation (GDPR)
Intralinks® helps you understand the operational impact of the General Data Protection Regulation (GDPR) (EU) 2016/679, and provides tools to minimize risk of personal data breaches.
Compliance with the GDPR across Europe became mandatory on 25th May 2018, bringing with it a wide range of new challenges for businesses. In brief, the fundamentals of the regulation are:
- It applies to every business globally which holds Personal Data of citizens of the European Economic Area (EEA).
- EEA citizens are at the heart of the regulation, and all the requirements center around protecting them.
- It provides a set of principles to which organizations must adhere, and yet local regulators will be keen to see not just adherence to the rules but also engagement with the spirit of the regulation.
- Fines for non-compliance have been set at up to four percent of an organization’s total annual global turnover, or EUR 20 million, whichever is greater.
- Local Supervisory Authorities must be informed of Personal Data breaches without undue delay, where feasible, but not later than 72 hours after having become aware of the breach. Data subjects must be informed of Personal Data breaches without undue delay.
Robust security controls across the enterprise will become instrumental to organizations mitigating potential compliance risks under the GDPR. For example, encryption is specifically highlighted as a technology that can mitigate the risk of data loss.
Organizations will need to be able to demonstrate that they have performed due diligence when selecting technology vendors to carry out processing activities on their behalf. In other words, processing of Personal Data should only be delegated to vendors with a verifiable commitment to privacy and security.
The GDPR specifically recognizes certain mechanisms for the transfer of Personal Data outside of the EEA, such as the Binding Corporate Rules (BCR) and the Standard Contractual Clauses (SCC), as an alternative to the regulation’s “adequate level of protection” requirement.
The purpose of the GDPR is to protect EEA citizens through new infosecurity requirements. Organizations that deal with Personal Data of EEA citizens must accommodate the newly enhanced data subject rights by formulating policies and procedures that ensure the ongoing security and portability of Personal Data. The GDPR also prescribes that all systems and processes across the enterprise must employ a Privacy by Design approach. In addition, organizations need to be transparent in their use of both their own and third-party systems for Personal Data processing activities.
How Intralinks can support you
At Intralinks, we believe that most companies can meet the spirit of the GDPR within their internal boundaries. However, the nature of business is changing and content in motion presents a fundamental business risk. We are well-placed to support you in mitigating that business risk.
Intralinks has a long history of commitment to securing and enabling high-value content within regulated industries and has been continuously demonstrating the strength of its data privacy framework by successfully completing more than 50 Client audits on an annual basis. In addition, Intralinks has a significant portfolio of capabilities to help customers minimize their risks under challenging regulations, including the GDPR.
Intralinks Security and Governance can provide the following:
- Customer-managed encryption keys (CMK) ensure total control over access to your content.
- Information rights management (IRM) provides granular, lifetime control over individual pieces of content.
- Physical geolocation capabilities provide in-region processing and archive creation functionality, so information stored in one region is never stored in another unless specific authorization and adequate safeguards are in place.
- Legal avenues for international transfer of Personal Data such as the SCC enable you to send Personal Data to countries outside the EEA that have not been deemed “adequate” in their protection of Personal Data by the European Commission. Intralinks is certified under the EU-US Privacy Shield and is currently awaiting approval for its BCR application.
Intralinks is already widely used to support the following use cases:
Vendor-risk management and third-party oversight:
The management of vendors and lines of business to comply with regulatory requirements and safeguard customers and stakeholders continues to present challenges. Intralinks can help by:
- Securing the flow of confidential information and Personal Data
- Monitoring and enforcing compliance with contractual terms
Compliance management systems:
Manage enterprise-wide compliance information with granular operational controls and information security for working with both internal and external stakeholders. Use Intralinks to:
- Provide evidence of who, what and when of document preparation, review and distribution
- Maintain a single gold copy of compliance manuals, policies and procedures that is accessible to internal and external parties
Risk and compliance data governance:
The global financial crisis highlighted the need for readily available, enterprise-wide risk and compliance data, which regulators expect to be complete, accurate and timely. Intralinks provides:
- A single global platform that overcomes geographic, business unit and IT boundaries
- Enterprise-grade information security for sharing the most sensitive supervisory information with regulators and other parties
Aggregate, refine and formally submit regulatory information from disparate organizational structures and information types. Intralinks enables you to:
- Secure information prior to making it publicly available
- Streamline operations to meet submission deadlines
- Improve accountability throughout the filing preparation and submission process
Intralinks gives us a secure platform to be imaginative and creative with ways to share data and collaborate with our clients and other 3rd parties. More to the point, it’s easy and intuitive to use.
Adequate Level of Protection or Data Adequacy – a status granted by the European Commission to non-EEA countries that provide a level of Personal Data protection that is “essentially equivalent” to that provided in European law
Binding Corporate Rules – a set of binding rules put in place to allow multinational companies and organisations to transfer Personal Data that they control from the EEA to their affiliates outside the EEA (but within the organisation)
Data Controller – the entity that determines the purposes, conditions and means of the processing of Personal Data
Data Subject – a natural person whose Personal Data is processed by a Data Controller or Data Processor
Data Processor – the entity that processes data on behalf of the Data Controller
Data Protection Authority – national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the EU
General Data Protection Regulation (Regulation (EU) 2016/679) – an EU law designed to strengthen and unify the data protection rules applicable to Personal Data of citizens of the EEA
Standard Contractual Clauses – contractual mechanisms approved by the European Commission to ensure adequate safeguards for Personal Data transferred from the EEA to countries which the European Commission has not found to offer adequate protection for Personal Data
Supervisory Authority – an independent public authority which is established by an EU Member State pursuant to Article 51 of the GDPR
Personal Data – any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person
Privacy by Design – a principle that calls for the inclusion of data protection from the outset of system design, rather than as a later addition
The materials available on this website are for informational purposes only and are not intended for the purpose of providing legal advice. You should not act upon any information provided herein without first seeking the assistance of a qualified legal counsel. Intralinks disclaims, to the fullest extent permitted by law, all liability with respect to actions taken or not taken based on any or all of the contents of this website.