GDPR Compliance




What is GDPR?

The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens, and to reshape the way organizations across the region approach data privacy.

When will it be effective?

May 2018

Who needs to comply?

GDPR applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s location. The regulation applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing takes place in the EU or not. GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required), or monitoring behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.

What if you don’t comply?

Under GDPR, organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having its records in order (Article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

How can Sotero help you become GDPR compliant?

To become GDPR compliant, you will have to ensure that you have audited and identified all the data elements, and that you have a governed and auditable process in place to protect the data. Sotero will help you navigate these processes and ensure you are GDPR compliant. Specifically:

Access: The first step toward GDPR compliance is to gain access to all your data sources. You must investigate and audit what personal data is being stored and used across your data landscape. Seamless access to all data sources is a prerequisite for building an inventory of personal data, so you can evaluate your privacy risk exposure and enforce enterprise-wide privacy rules. To address GDPR compliance, you can’t rely on common knowledge or perception of where you think personal data might be. The regulation requires organizations to prove that they know where personal data is – and where it isn’t. Sotero’s implementation process includes an extensive discovery phase to ensure all data elements and access points are covered for a smooth implementation. Once the data is migrated and encrypted with Sotero’s proprietary method, the relevant data will reside behind Sotero’s gateway processes.

Identify & Protect: Once you have access to all the data sources, the next step is to inspect them to identify what personal data can be found in each. Through Sotero’s implementation process, you identify the personal data that is buried in semi-structured fields. You will be able to parse those fields to extract, categorize and catalog personal data elements such as names, email addresses and social security numbers. For GDPR compliance, you can use these techniques to protect data: encryption, pseudonymization and anonymization. Considering the volumes of data at hand, this cataloging and encryption process can’t be manual. And you not only need to parse and classify personal data – you also have to accommodate varying levels of data quality. Pattern recognition, data quality rules and standardization are vital elements of this process. Sotero makes sure personal data can only be accessed by those with the proper rights, based on the nature of the personal data, the rights associated with user groups, and the usage context. Having the right tools for the job from Sotero will make a big difference in your ability to meet the May 2018 deadline for GDPR compliance. With Sotero’s solution, there is no need to decrypt the data to perform any processing operation. Our product allows you to perform these operations on the encrypted data directly. With Sotero’s access control features, you will be able to protect the data and control accessibility based on role, geographic location, etc.

Govern: Once you have identified and classified the data elements, Sotero’s “Protect” security framework provides the governance needed to maintain the data going forward. For GDPR compliance, privacy rules must be documented and shared across all lines of business. Sotero’s reporting framework provides documented evidence that the data elements are identified, classified and maintained under the appropriate controls. Once a specific data element is determined not to be stored, the associated keys can be eliminated from the centralized metadata repository, which ensures that the data element across the various underlying data sources is “not relevant and meaningful”.

Audit: Finally, through Sotero’s “Detect” audit capabilities, you can ensure GDPR compliance for data protection. You will be able to produce reports that clearly show regulators that the identified and classified data elements are maintained as per the regulations.


For more information on how you can use Sotero to make your organization GDPR compliant, please contact us at