General Data Protection Regulations (GDPR)

The new General Data Protection Regulation (GDPR) becomes effective from the end of May 2018. GDPR affects all organisations across the globe who have customers or commercial activities in the European Union (EU). The main focus of GDPR concern the storage and management of Personally Identifiable Information (PII), with specific definitions that are broader and more stringent than any previously regulations. Compliance with GDPR is likely to be difficult, with significant penalties for non-compliance.


Many businesses, educational institutions and government agencies are required to provide careful management of PII data wherever it is found in the organisation, and simple audits will not ensure compliance. Reciprocal’s Ikon Compliance Analytics Portal (RICAP) provides Data Protection Officers (DPO), Chief Information Security Officers (CISO), Corporate Legal counsel and others the ability to detect, analyse, and report compliance of data systems that contain regulated data.

RICAP Overview

RICAP is built with (DPO) Data Protection Officers, (CISO) Chief Information Security Officers, Corporate Legal counsels and organisation teams whose job it is to ensure compliance with required rules and regulations. RICAP has a rich set of functional capabilities in giving a comprehensive ability to an Organisation to stay on top of GDPR compliance process and requirements, covering:

Data Discovery

Focus on Known Data;

Assessment to Detect Unknown Data;

Backup/DR and Mobile data systems.

Scheduled Ingest

Structured Ingest Tools;

Unstructured Search/Scan tools;

Media Files (using metadata);


GDPR Compliance Status

Request Compliance;


Regulatory Reporting.

Business Focused User Experience

RICAP is designed with the latest frameworks for desktop and mobile responsiveness and ease of use. The forms, reports, wizards and dashboard are designed with simplicity in mind while providing robust analytical insights into the base data, helping you to track your journey to becoming fully GDPR-compliant.

Comprehensive Portal for Compliance Analytics

Traditional compliance management applications and systems generally focus on documents, articles, without robust continuous measurement and tracking features offered by RICAP. The metadata collected on PII data items that are related to Data Subjects helps provide a base for dashboards and reports with current status of compliance to the smallest frequency of measurement the Organisation requires to stay current on. RICAP comes out of the box with many useful dashboards and reports, custom and additional dashboards and reports can be published with minimal effort.


RICAP is designed for ability to scale based on the Organisational size and complexity. Implementation methodology is designed to get the system installed and running with minimal effort possible to start providing insights into data and compliance management.

The General Data Protection Regulation (GDPR)

(Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission’s primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.


The GDPR creates some new rights for individuals and strengthens some of the rights that currently exist under the DPA.

The GDPR provides the following rights for individuals:

The right to be informed;

The right of access;

The right to rectification;

The right to object.

The right to erasure;

The right to restrict processing;

The right to data portability;

The right to erasure;

Rights in relation to automated decision making and profiling What information is an individual entitled to under the GDPR? Under the GDPR, individuals will have the right to obtain:

Confirmation that their data is being processed;

Access to their personal data; and Other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.


The following sanctions can be imposed:

A warning in writing in cases of first and non-intentional non-compliance.


Regular periodic data protection audits.

A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.


A fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. IT Impact


21 October 2013: European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.

15 December 2015: Negotiations between European Parliament, Council and Commission (Trilogue) have resulted in a joint proposal.

17 December 2015: European Parliament’s LIBE committee voted positively on the outcome of the negotiations between the three parties.

8 April 2016: Adoption by the Council of the European Union.

14 April 2016: Adoption by the European Parliament.


The regulation entered into force 20 days after its publication in the EU Official Journal on May 4th, 2016. Its provisions will be directly applicable in all member states two years after this date.

It shall apply from 25 May 2018.

The biggest challenge might be the implementation of the GDPR in practice:

The implementation of the EU GDPR will require comprehensive changes of business practices for companies that had not implemented a comparable level of privacy before the regulation entered into force (especially non-European companies handling EU personal data).


There is already a lack of privacy experts and knowledge as of today and new requirements might worsen the situation. Therefore, education in data protection and privacy will be a critical factor for the success of the GDPR.


The European Commission and DPAs must provide sufficient resources and power to enforce the implementation and a unique level of data protection has to be agreed upon by all European DPAs since a different interpretation of the regulation might still lead to different levels of privacy.


Europe’s international trade policy is not yet in line with the GDPR.

The new regulation conflicts with other non-European laws and regulations and practices (e.g. surveillance by governments). Companies in such countries should no longer be considered acceptable for processing EU personal data. See EU-US Privacy Shield.

Review all IT I/S – undertake compliance assessment.

Trigger for integrated Compute DB and storage;

All archive data needs to be indexed;

Secure Object store, or Centera, with data tracking;

Significant data tracking requirements;

Close control of data storage location DC’s in EU.

Reciprocal Secure Data Analysis (RSDA)

Reciprocal Group Services for GDPR

Reciprocal Secure Data Analytics (RSDA) provides an innovative and comprehensive service that will help your organisation to be compliant. It does this through three key phases;


The DISCOVER phase is where you search for your organisation’s sensitive information. You need to index files stored in any format from sources like cloud, file shares and mail servers. You need to locate passwords, customer information, credit cards, salary details and company confidential records. The process starts by ingesting data from all your unstructured data sources, be that Dropbox, CIFS file shares, Exchange server, Office 365 or SharePoint. Within half an hour of the ingest starting, it is possible to start querying some data.


The UNDERSTAND phase is where you drill down into the detail of all the indexed documents, assessing the what, where, who and why of your organisation’s information. Identify content, intent, sentiment and spot sensitive information across millions of documents. Profile your sensitive, legislative, regulatory and potentially out-of-date information. Tag specific documents for subsequent action.


Finally, you need to ACT on this information. Monitor or push actions to data owners and business systems such as Classify, Modify, Move & Delete. Govern your information estate and enable automated policy enforcement through the use of on-going workflows, making sure that when new data is created which contains PII data that it is stored where it should be, and won’t leave your organisation exposed.


The search capability not only helps you assess your compliance with GDPR, but also gives you an easy way to meet the requirement to show all data that you hold about an individual when requested. And if that individual wishes their data to be removed (their ‘right to anonymity’) then RSDA can detail every specific location in your unstructured data stores where that data is.


Not only does RSDA provide the technology to crawl, index and search your data, but also gives you options for what to do when information is found that is in the wrong place.


For instance, our advanced NAS migrations can be used to move data on a file-by-file level from an older data stored to a new, encrypted and protected storage system. Equally, once data has been moved, it is also necessary to ensure that it doesn’t fall into the wrong hands. Our secure data erasure services are extended for RSDA, allowing not just entire servers, disks or LUNs to be erased, but can securely erase specific data on Windows File Servers right down to the individual file level.


RSDA provides the most complete set of tools, enabling you to become GDPR compliant, and stay compliant.

Some of the more important changes to legislation because of the GDPR are:

The fines for not complying with the laws can reach a maximum of 4% of the businesses global annual turnover or up to €20,000,000, whichever is greater. However, for the first accidental infraction only a warning would be given. There is also a lower limit fine of 2% or €10,000,000;

Data protection must be designed into the business services themselves, ensuring that data protection is carried out from start to finish of the involvement with the customer;

All personal data must be able to be erased at will if a client requests that they no longer wish you to be in possession of their details. Once a request is made there will be a time period of one month to erase the data;

Multinational companies that operate across the EU will need to employ a data protection officer independently that can manage both the IT systems, and be familiar with the legality of the GDPR;

Clear consent must be given for any personal data that is to be collected and processed. This will need to be consent from the child’s parents if they are under 16 years of age. This consent can be withdrawn at any time.


As technology changes, so must the legislation; so while the GDPR may make some processes more difficult for a large number of businesses, it is a necessary step that must be taken to protect the ever growing amount of personal information from people who could use that data for harmful purposes. It will become even more important to make sure that you know where your data comes from as well as exactly where and how it is being stored and processed.