The requirements of the General Data Protection Regulation (GDPR) are long and complex, and we'd be lying if we said we could wave a magic wand that ensured your organisation had met every one of them. We are, however, helping customers to meet specific criteria by drawing on our knowledge of data, security and compliant technology platforms.
As we see it, there are four key areas we can help with: Breach Notification, Right to be Forgotten, Data Portability and Privacy by Design. For each area we have provided a summary paragraph, taken from eugdpr.org, and paired it with how we can help your organisation prepare for the date the Regulation applies, 25 May 2018.
Breach Notification
Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
At first glance, this one seems particularly scary, especially when you consider that the median time for an organisation to detect a security breach was still 99 days in the 2017 report*, albeit down from 229 days in 2015. However, if we re-read the requirement carefully, it states that notification must be made within 72 hours of first having become aware of the breach, not within 72 hours of having been breached.
That aside, for an organisation to identify a breach, classify it as one that must be notified and make that notification to the relevant parties in just three days is still a pretty big ask. It is worth being precise about who those parties are: the 72-hour deadline applies to notifying the supervisory authority (in the UK, the ICO), and where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. Meeting either deadline depends on knowing quickly that something has happened. This is where our history of deploying platform monitoring, management and intrusion detection tools, both on-premises and in the cloud, can help organisations start to gain control of breach notification.
You may be interested in two thought pieces on GDPR written by my colleagues Jason Normanton and Callum Butler.
Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
To help with this area we need to take a small step back. Before we can erase personal data, we must first understand what is personal, where it is stored, how it is accessed and how to be sure we have captured all of the associated personal data, including copies held in backups, logs and downstream systems. To do this we work with organisations to build on our data assessment services, as discussed by Adrian Kingsford here.
The next level down from the initial data assessment allows us and our customers to drill further into the data, establish whether it is personal data and classify it accordingly. Working together with our customers, we can start to make sense of the vast amount and varying types of data an organisation is storing, and what the risks are in relation to the GDPR.
Data Portability
The GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a "commonly used and machine-readable format", and the right to transmit that data to another controller.
Once we've identified and classified the data in question, we can then start to make it portable. As well as making it portable, we can ensure the data is secured, so that when it is transmitted the risk of a breach in transit is reduced.
We are able to assist in wrapping the necessary tools and processes around the data, securing it so that your organisation remains compliant. Of course, if a breach is detected we will have tools and plans in place to deal with such an event, as discussed in the Breach Notification section above.
Privacy by Design
Privacy by design as a concept has existed for years, but it is only now becoming a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built in from the outset of system design, rather than added afterwards. More specifically: "The controller shall...implement appropriate technical and organisational measures...in an effective way...in order to meet the requirements of this Regulation and protect the rights of data subjects". The eugdpr.org summary cites Article 23; in the final text of the Regulation this obligation is set out in Article 25 (data protection by design and by default). It calls for controllers to hold and process only the data strictly necessary for the completion of their duties (data minimisation), and to limit access to personal data to those who need it to carry out the processing.
This is where our deep knowledge and experience of designing, building and managing secure platforms comes into its own, drawing on examples where we have worked with national and local government authorities as well as organisations from a number of verticals, including finance and retail, not to mention within our own secured datacentre.
We can work with, and become a natural extension of, your platform teams, ensuring that current and future platforms are built to provide privacy by design. These designs go wider than infrastructure, though: they must incorporate people, processes and the other relevant areas of the organisation, so that all bases are covered and you remain compliant.
Definitions: A full list of GDPR definitions can be located here.
* Mandiant, M-Trends 2017 (median dwell time).
If you'd like to talk about how we can help your business be in a strong position for the GDPR, please get in touch.
Will Wilkinson, Infrastructure Architect, OCSL