GDPR - General Data Protection Regulation

What is GDPR?

The General Data Protection Regulation (GDPR) (Regulation [EU] 2016/679) was adopted by the European Union in April 2016 and replaced the EU Data Protection Directive 95/46/EC. The regulation is intended to strengthen and unify data protection for individuals within the European Union (EU), regardless of whether the organisation processing their data is based in the EU or not. It requires an individual's explicit consent before a company may use their private information for business purposes. It also obliges companies to review their existing policies to ensure that their systems comply with the GDPR requirements and can handle client requests such as data deletion, requests for details of the data held, modifications, etc. GDPR is effective starting May 25, 2018. Official information about GDPR can be found here.

While the GDPR is an EU regulation, it expands the territorial scope of EU data privacy law. The regulation affects:

  • Organizations based in the EU
  • Organizations outside of the EU offering goods or services to, or monitoring EU residents

How can Quality Clouds help with GDPR Compliance?

Even though full GDPR compliance procedures can run into hundreds of pages, the one key point is that an organisation cannot be GDPR compliant unless it can show that it is making a best-effort attempt to identify every piece of Personally Identifiable Information it stores about its customers and employees.

While Quality Clouds is not a full-fledged GDPR compliance solution, it can effectively help organisations close an often-overlooked gap in their inventory of how Personally Identifiable Information (PII) is used in their IT systems: the use of PII in their code and in their data-storage metadata (table and field names).

Quality Clouds scans match the standard PII and extra-sensitive PII keyword lists against the source code present in your SaaS instance, as well as against the custom table names and column names of the underlying data storage. Each match is raised as an issue in the scan results.

The keyword lists are provided by default in English, Spanish, German and French. Any other language can be added on an ad-hoc basis via Custom Rules.

Impact and remediation of GDPR issues

Unlike other issues, which are raised when a violation of a standard best practice is detected, GDPR issues are raised whenever a matching PII keyword is found in code or in field or table names. They do not necessarily have to be "remediated" in the sense of removing the element, if it is a legitimate use of PII. Instead, remediation should be understood as adding such elements to the organisation's global inventory of the PII it stores and processes.

The GDPR issues are included in the Data Privacy dashboard with the following impact:

| ID | Description | Severity | Area of impact | Affected element | Covered by Quality Clouds | Covered by free scan utility |
|---|---|---|---|---|---|---|
| 3000 | Possible PII usage in configuration element | Warning | Security | All CE types | Only for clients with GDPR add-on enabled | |
| 3001 | Possible extra-sensitive PII usage in configuration element | High | Security | All CE types | Only for clients with GDPR add-on enabled | |
| 4000 | Possible use of private data | Warning | Security | All CE types | | |
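To make the matching described above concrete, the following is an added example, not Quality Clouds code, of how a keyword scan of this kind can be implemented. It normalises identifiers (u_date_of_birth, birthDate) into the space-separated words the PII list uses, matches whole keywords against both source lines and table/column metadata, and raises a finding per match. The keywords are a constructed subset of the PII list on this page; the mapping of "Sensitive data" to issue 3000 (Warning) and "Extra-sensitive data" to issue 3001 (High), the non-English terms, and the sample script and tables are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed subset of the page's PII keyword list, split by PII type.
SENSITIVE = {
    "social security number", "taxpayer", "passport", "address", "zip code",
    "phone number", "mobile", "email", "date of birth", "birth date",
    "driver license", "job title", "insurance number", "mother maiden name",
}
EXTRA_SENSITIVE = {
    "ethnicity", "gender", "visa", "disability", "sexual orientation", "salary",
    "medical record", "health", "criminal record", "credit card", "account number",
}
# Assumed Spanish/German/French variants: the page says these languages are
# covered but lists no terms, so these are illustrative only.
SENSITIVE |= {"fecha de nacimiento", "geburtsdatum", "date de naissance"}
EXTRA_SENSITIVE |= {"salario", "gehalt", "salaire"}

# Assumed tier-to-issue mapping (issue IDs and severities taken from the page).
TIERS = (
    (EXTRA_SENSITIVE, 3001, "High"),
    (SENSITIVE, 3000, "Warning"),
)

@dataclass(frozen=True)
class Finding:
    issue_id: int
    severity: str
    element: str   # "code" or "metadata"
    location: str  # file:line for code, table or table.column for metadata
    keyword: str

def normalize(text: str) -> str:
    """Turn identifiers such as u_date_of_birth or birthDate into the
    space-separated lowercase words used by the keyword list."""
    text = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", text)      # camelCase -> camel Case
    text = re.sub(r"[^A-Za-z0-9\u00C0-\u017F]+", " ", text)  # _ - . ' ( etc. -> space
    return " ".join(text.lower().split())

def match_keywords(text: str) -> list[tuple[int, str, str]]:
    """Return (issue_id, severity, keyword) for every keyword present as whole
    words. Extra-sensitive keywords are checked first so the stronger issue is
    listed first; longest keywords first so 'date of birth' is tried before 'date'."""
    words = normalize(text)
    hits = []
    for keywords, issue_id, severity in TIERS:
        for kw in sorted(keywords, key=lambda k: (-len(k), k)):
            pattern = rf"(?<![a-z0-9\u00C0-\u017F]){re.escape(kw)}(?![a-z0-9\u00C0-\u017F])"
            if re.search(pattern, words):
                hits.append((issue_id, severity, kw))
    return hits

def scan_code(filename: str, source: str) -> list[Finding]:
    """Scan each source line; report file:line so the finding can be inventoried."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for issue_id, severity, kw in match_keywords(line):
            findings.append(Finding(issue_id, severity, "code", f"{filename}:{lineno}", kw))
    return findings

def scan_metadata(tables: dict[str, list[str]]) -> list[Finding]:
    """Scan custom table names and their column names."""
    findings = []
    for table, columns in tables.items():
        names = [(table, table)] + [(f"{table}.{c}", c) for c in columns]
        for location, name in names:
            for issue_id, severity, kw in match_keywords(name):
                findings.append(Finding(issue_id, severity, "metadata", location, kw))
    return findings

def summarize(findings: list[Finding]) -> dict[int, int]:
    """Count findings per issue ID, as a dashboard would."""
    return dict(Counter(f.issue_id for f in findings))

# Constructed sample input: a ServiceNow-style script and two custom tables.
SAMPLE_SCRIPT = """\
var gr = new GlideRecord('u_employee');
gr.addQuery('u_social_security_number', ssn);
var contact = gr.getValue('u_email');
var pay = gr.getValue('u_salary');
var id = gr.getValue('u_request_id');
"""
SAMPLE_TABLES = {
    "u_employee": ["u_email", "u_date_of_birth", "u_salary", "birthDate", "u_request_id"],
    "u_candidate": ["u_home_address", "u_ethnicity"],
}

def run_demo() -> list[Finding]:
    return scan_code("employee_lookup.js", SAMPLE_SCRIPT) + scan_metadata(SAMPLE_TABLES)

if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.issue_id} {f.severity:7} {f.element:8} {f.location:40} {f.keyword}")
    print(summarize(run_demo()))
```

On the sample input the scan reports nine findings: six issue-3000 matches (social security number, email, date of birth, birth date, address) and three issue-3001 matches (salary twice, ethnicity), while u_request_id produces nothing. As the Impact and remediation section says, a match such as u_employee.u_date_of_birth is not a defect to delete; it is an element to record in the PII inventory. The word-boundary matching after normalisation is what keeps a generic keyword like "address" from firing on every occurrence of the letters inside an unrelated identifier, but some false positives (an IP address field, for instance) are still to be expected and are the reason a human reviews each finding.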

List of Personally Identifiable Information (PII)

The languages covered are English, French, Spanish and German. This table can be exported as a .csv file.


| # | PII | Field names to look for | PII Type |
|---|---|---|---|
| 1 | Taxpayer Identification Number (Social Security Number) | SSS; social number; taxpayer; security number | Sensitive data |
| 2 | Citizenship Number | National ID numbers; Social security number; ID Number; passport; passport number; IDNumber | Sensitive data |
| 3 | Addresses | home; address; ZIP code; Post code | Sensitive data |
| 4 | Home Phone | Phone number; land line | Sensitive data |
| 5 | Mobile Phone | mobile number; mobile | Sensitive data |
| 6 | email | email; email address | Sensitive data |
| 7 | Date of birth | Date of birth; birth date | Sensitive data |
| 8 | Place of Birth | birthplace; birth place | Sensitive data |
| 9 | Business telephone number | | Sensitive data |
| 10 | Race | | Extra-sensitive data |
| 11 | Religion | | Extra-sensitive data |
| 12 | Ethnicity | Ethnicity | Extra-sensitive data |
| 13 | Gender | gender; males female | Extra-sensitive data |
| 14 | Visa permits number | Visa; visa permit | Extra-sensitive data |
| 15 | Driver's license number | Driver license; driver licence | Sensitive data |
| 16 | Vehicle registration plate number | | Sensitive data |
| 17 | Disability information | disability | Extra-sensitive data |
| 18 | Sexual orientation | sexual orientation; sex; sexual | Extra-sensitive data |
| 19 | Education and employment history | education history; employment history | Sensitive data |
| 20 | Salary | salary | Extra-sensitive data |
| 21 | Job position / title | job title; job position | Sensitive data |
| 22 | Photos | personal picture; photo | Sensitive data |
| 23 | Political and religious leanings and affiliation | religion; politics; politic; political party | Sensitive data |
| 24 | Insurance details | insurance number | Sensitive data |
| 25 | Medical information | medical record; medical status; health status; health | Extra-sensitive data |
| 26 | Criminal record | criminal record; criminal data | Extra-sensitive data |
| 27 | Credit score / record | credit score; credit information; credit card; account number; bank number | Extra-sensitive data |
| 28 | Mother maiden name | mother maiden name; mother name | Sensitive data |

Related content

Data privacy dashboard for ServiceNow