There’s been a lot of talk about the General Data Protection Regulation (GDPR), but I thought it would help to provide you with some facts.
Here are roughly 250 pages of GDPR condensed into 10 bullets:
- Don’t have a personal data breach! (GDPR speaks of “personal data”, which is broader than the US notion of PII.)
- Notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; notify the affected individuals too when the risk is high.
- Erase a data subject’s personal data on request without undue delay, and at most within one month (extendable for complex requests), unless a legal ground for keeping it applies.
- On request, provide the data subject within one month with a copy of their personal data, the purposes it was processed for, who it was shared with and where it came from.
- Tie the collection and processing of personal data to specific, documented purposes and do not reuse it for incompatible ones.
- Where a service relies on a child’s consent, verify age and obtain parental consent for children under 16 (member states may lower the threshold to as low as 13).
- Know where all personal data resides: keep records of processing activities covering systems, purposes, recipients and retention.
- Build privacy and security into systems by design and by default, with technical and organizational measures you can demonstrate to an auditor.
- Accountability and liability now reach all partners in the ecosystem; processors have direct obligations, and controllers must bind them by contract.
- Penalties can reach €20,000,000 or 4% of global annual turnover, whichever is higher.
It’s no longer about just ‘not having a data breach’, it’s also about what the business is expected to do after a breach occurs.
So before I start, let’s clear one thing off the table, because it is the question we get most often: is Control-M GDPR compliant?
In short, there is no officially certified “GDPR compliant” software product. A product cannot be compliant on its own; only an organization can achieve compliance, through its processes and the way it configures and uses its tools.
The right question is “Does Control-M allow your organization to fulfill the GDPR requirements?”
- The enterprise is the data controller, and when it implements a software package, the enterprise remains responsible for complying with GDPR.
- The obligations of the data processor, whoever processes personal data on the controller’s behalf or under its instructions, are now broader than before. A workload automation tool such as Control-M is the machinery through which much of that processing runs, so the controller must be able to show what it did with the data.
- The question when choosing software is whether it supports the GDPR requirements, from the privacy-by-design principles to the concrete requirements of handling consent per purpose.
Now let’s talk about the interesting stuff: how Control-M can help an enterprise establish the right processes to meet GDPR rules.
1. Automate the Right to be Forgotten, Right of Access, Data Portability and breach notification processes across all parts of the infrastructure
• Reduce the cost, elapsed time and human error of each request by running the same workflow every time
• Integrate with the Service Request ticketing system so every request is tracked end to end
2. Control-M Alerts and Notifications
• Escalate suspected breaches within an enforced SLA so the 72-hour notification clock is met
• Notify when a job that handles customer data fails, is late or deviates from its expected run
3. Control-M Archiving provides process evidence to auditors in an easy-to-understand view
• Records what was executed and when, and who took which actions (order, cancel, modify, etc.) on each job
• Contributes towards Privacy by Design
4. Automate the audit / compliance reporting process
• Reduce cost of audit process
• Use the Self Service and Mobile interfaces to shorten the time it takes to answer an audit request
5. Use Control-M Managed File Transfer for secured and controlled file transfers
• Restrict and manage file transfer destinations centrally
• Track every file transfer
• Audit and troubleshoot file transfers between the organization and third parties
6. Provide data lineage by tracking and evidencing all activities into a data lineage platform (e.g. Hadoop or Splunk, or whichever you have)
• Meets the compliance requirement to know where customer data is and is not used, and reduces the cost of complying, especially for customers already using Control-M
7. Integration with Service Request and Change Management tools (for tracking, approval, handling problems, etc.)
Much of GDPR comes down to having repeatable, evidenced workflows. Article 32 asks controllers and processors to ensure:
“the ongoing confidentiality, integrity, availability and resilience of processing systems and services”
For more info, please visit the BMC GDPR web page.