On May 25, 2018 the European Union will begin enforcement of what is known as the EU General Data Protection Regulation (GDPR).
For many organizations the GDPR compliance date is approaching like a freight train: it applies to any company that does any business with one of the 28 EU member countries. The fines for non-compliance are punitive and can put your organization and overall system in legal jeopardy. Many clients we’ve spoken to are not aware of how these rules will affect their business. The goal of this post is to explain GDPR and its compliance requirements and, most importantly, how you can avoid being fined.
What is GDPR?
GDPR is a set of regulations designed by the European Union to manage and control access to personal data. The regulations themselves are extensive and can be referenced at the EUGDPR website: https://www.eugdpr.org/
The core of the regulation deals with how organizations control and manage the personal data of EU citizens.
The rules do not require you to be located in the EU or to have a presence there: if you employ, do business with or have online interactions with any EU citizen, you will need to adhere to them.
Let’s assume that you are an online e-commerce site selling goods on the internet. If you receive an order from any of the 28 EU countries even once during a calendar year, then you are required by law to be GDPR compliant for the entire year or face fines.
As another example, you may be a services firm that provides data or services for clients in the EU. If you store any data for any EU citizen then you are bound by the GDPR rules and will have to be compliant before the summer of 2018. Given the borderless nature of the internet, any service or product provider could be affected by this rule.
Where is your data?
An important part of this rule is that you need to know where your company’s data is stored and processed. If, for instance, you are using one of the popular cloud storage solutions, do you know where your data is stored? Is it replicated to other countries for redundancy? If so, you need to audit and validate this before the deadline.
Destroy and Erase Data
Increasingly, many cloud and SaaS application providers do not have a process to permanently delete data from their systems and backup storage when a relationship with a client has ended. One of the main tenets of GDPR is that you are required to delete data once your relationship with the client has ended or you no longer need access to that data. This means the data has to be removed from your system, storage accounts and even archives and backups. You also need a process in place so that deleted data does not re-enter your production system (for example, through a backup restore).
Most modern applications, because of their designs and foreign key constraints, do not fully delete data from storage even when it has been deleted from the user interface. Most of these systems perform a “soft delete”: the record disappears from the application but continues to reside in the database. This is no longer acceptable under GDPR, and as a company you need to put in place a plan to purge this information on a regular basis.
Additionally, users can extract data from the system in the form of reports or CSV files and store them either locally or on cloud services. You will need a process to audit, locate and destroy this data once users are deleted from the system.
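The soft-delete trap described above, and the scheduled purge that closes it, as an added example on SQLite (this is not code from the original post or from Daxima; the table and column names, the `deleted_at` marker and the 30-day retention window are assumptions chosen for illustration). The order rows reference the customer row through a foreign key, which is exactly what makes a naive hard delete fail; the purge relies on `ON DELETE CASCADE` so the dependent rows go too:

```python
"""Soft delete versus a scheduled hard purge, demonstrated on SQLite.

Added example, not code from the original post. Table and column names
(`customers`, `orders`, `deleted_at`) and the 30-day retention window are
assumptions chosen for illustration.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE customers (
    id         INTEGER PRIMARY KEY,
    email      TEXT NOT NULL,
    deleted_at TEXT               -- NULL = live row; set = soft-deleted
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id) ON DELETE CASCADE,
    total_cents INTEGER NOT NULL
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # Enforce foreign keys so the cascade in the purge step actually fires.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def soft_delete_customer(conn, customer_id, now):
    """What a typical UI 'delete' does: the row vanishes from listings
    (they filter on deleted_at IS NULL) but stays in storage."""
    conn.execute(
        "UPDATE customers SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
        (now.isoformat(), customer_id),
    )
    conn.commit()


def live_customers(conn):
    """The application's view of the data."""
    rows = conn.execute(
        "SELECT email FROM customers WHERE deleted_at IS NULL ORDER BY id")
    return [r[0] for r in rows]


def rows_in_storage(conn):
    """What is really still in the database: (customer rows, order rows)."""
    c = conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    o = conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]
    return (c, o)


def purge_soft_deleted(conn, now, retention_days=30):
    """Scheduled purge job: hard-delete customers soft-deleted more than
    retention_days ago. Dependent orders go with them via ON DELETE CASCADE;
    without that FK action the DELETE would fail on the constraint, which is
    the design trap that leaves soft-deleted data in place indefinitely.
    Returns (customers_purged, orders_purged)."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    ids = [r[0] for r in conn.execute(
        "SELECT id FROM customers WHERE deleted_at IS NOT NULL AND deleted_at <= ?",
        (cutoff,))]
    if not ids:
        return (0, 0)
    marks = ",".join("?" * len(ids))
    orders = conn.execute(
        f"SELECT COUNT(*) FROM orders WHERE customer_id IN ({marks})", ids
    ).fetchone()[0]
    cur = conn.execute(f"DELETE FROM customers WHERE id IN ({marks})", ids)
    conn.commit()
    return (cur.rowcount, orders)


def demo():
    """Constructed sample data: two EU customers, three orders."""
    conn = open_db()
    conn.executemany("INSERT INTO customers (id, email) VALUES (?, ?)",
                     [(1, "alice@example.eu"), (2, "bob@example.eu")])
    conn.executemany("INSERT INTO orders (customer_id, total_cents) VALUES (?, ?)",
                     [(1, 1999), (1, 4500), (2, 999)])
    t0 = datetime(2018, 3, 1, tzinfo=timezone.utc)

    soft_delete_customer(conn, 1, t0)
    after_soft = (live_customers(conn), rows_in_storage(conn))  # UI shows 1 customer, disk holds 2
    too_early = purge_soft_deleted(conn, t0 + timedelta(days=10))  # inside retention: nothing purged
    purged = purge_soft_deleted(conn, t0 + timedelta(days=45))     # past retention: customer and orders gone
    after_purge = rows_in_storage(conn)
    return after_soft, too_early, purged, after_purge


if __name__ == "__main__":
    print(demo())
```

The `rows_in_storage` check is the one worth borrowing: compare what the application shows against what the tables actually contain, and treat any gap as data still subject to the erasure obligation. The same comparison has to be repeated against backups and archives, which this in-memory example cannot show.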
As an organization here are a few things you need to review:
1. Who has access to the personal data
Auditing and tracking all users who have access to personal data is the first step in the process. Most organizations have a number of internal and cloud systems. While there is likely a central directory such as Active Directory or LDAP, they are also likely subscribed to a variety of cloud services that contain client data but are not part of the central directory.
Auditing and documenting all access to the data is a critical, yet time-consuming, step in the process. This means not only documenting all data sources that contain user data, but also documenting the level of access each user has to that data.
2. Are they authorized to have such access
As part of your audit, you will need to document access to personal user information. If you use a directory such as Active Directory or LDAP, your organization is likely managing authorization via roles or groups. Additionally, it is important to document user access to any external services that might contain personal user data.
3. Breach notification
Most firms will have to appoint a controller to oversee all personal data issues. In case of a breach, firms have 72 hours to report the issue to a supervisory authority. The notification must at a minimum contain: 1. a description of the nature of the breach; 2. contact information of the officers in charge; 3. a detailed description of the likely consequences of the data breach; 4. a description of how the controller proposes to address and fix the data breach, including any mitigation steps.
4. Tracking and database auditing
A number of modern applications, including many HIPAA-compliant applications, have detailed auditing built into the system. Auditing is about tracking the use of records in the database: in an audited database each record “action” is logged, down to which records were accessed, modified or deleted.
With auditing in place you can track every view, update and deletion of information in the system. During an audit a number of questions have to be answered: Who has access to the system? What was accessed and changed? How did certain users gain access to the system?
Without detailed logging it is not possible to answer those questions, so you will likely have to upgrade your system to include detailed logging before you can answer them.
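Record-level auditing of the kind described in this section, as an added example on SQLite (not code from the original post or from Daxima; the table names `customers`, `audit_log` and `audit_context`, the actor names and the sample row are all constructed for illustration). Updates and deletes are captured by database triggers, which attribute the change to the application user bound to the connection rather than to the shared database login; reads cannot be seen by triggers, so the data-access layer records them itself:

```python
"""Record-level audit trail on SQLite: every view, update and delete of a
personal-data row is written to an append-only log with the acting user and
the before/after values, so "who accessed what, and how?" can be answered.

Added example, not code from the original post. Table names (`customers`,
`audit_log`, `audit_context`), the actor names and the sample row are all
constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id      INTEGER PRIMARY KEY,
    email   TEXT NOT NULL,
    country TEXT NOT NULL
);
-- Single-row table holding the application user bound to this connection.
-- Triggers read it so changes are attributed to a person, not to the DB login.
CREATE TABLE audit_context (actor TEXT NOT NULL);
CREATE TABLE audit_log (
    seq    INTEGER PRIMARY KEY,
    actor  TEXT NOT NULL,
    action TEXT NOT NULL,   -- VIEW | UPDATE | DELETE
    row_id INTEGER NOT NULL,
    before TEXT,            -- 'email|country' before the change (NULL for VIEW)
    after  TEXT             -- 'email|country' after the change (NULL for DELETE/VIEW)
);
CREATE TRIGGER customers_audit_update AFTER UPDATE ON customers
BEGIN
    INSERT INTO audit_log (actor, action, row_id, before, after)
    VALUES ((SELECT actor FROM audit_context), 'UPDATE', OLD.id,
            OLD.email || '|' || OLD.country, NEW.email || '|' || NEW.country);
END;
CREATE TRIGGER customers_audit_delete AFTER DELETE ON customers
BEGIN
    INSERT INTO audit_log (actor, action, row_id, before)
    VALUES ((SELECT actor FROM audit_context), 'DELETE', OLD.id,
            OLD.email || '|' || OLD.country);
END;
"""


def open_audited_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_actor(conn, actor):
    """Bind the application user to this connection before any write."""
    conn.execute("DELETE FROM audit_context")
    conn.execute("INSERT INTO audit_context (actor) VALUES (?)", (actor,))
    conn.commit()


def view_customer(conn, actor, row_id):
    """Reads are invisible to triggers, so the data-access layer logs them itself."""
    row = conn.execute(
        "SELECT email, country FROM customers WHERE id = ?", (row_id,)).fetchone()
    conn.execute("INSERT INTO audit_log (actor, action, row_id) VALUES (?, 'VIEW', ?)",
                 (actor, row_id))
    conn.commit()
    return row


def update_email(conn, actor, row_id, new_email):
    set_actor(conn, actor)   # the UPDATE trigger reads this
    conn.execute("UPDATE customers SET email = ? WHERE id = ?", (new_email, row_id))
    conn.commit()


def delete_customer(conn, actor, row_id):
    set_actor(conn, actor)   # the DELETE trigger reads this
    conn.execute("DELETE FROM customers WHERE id = ?", (row_id,))
    conn.commit()


def who_touched(conn, row_id):
    """Audit question: who accessed or changed this record, and what changed?"""
    return conn.execute(
        "SELECT actor, action, before, after FROM audit_log WHERE row_id = ? ORDER BY seq",
        (row_id,)).fetchall()


def demo():
    conn = open_audited_db()
    # Constructed sample row for one EU data subject.
    conn.execute("INSERT INTO customers VALUES (7, 'alice@example.eu', 'DE')")
    conn.commit()
    view_customer(conn, "support.bob", 7)
    update_email(conn, "support.bob", 7, "alice.new@example.eu")
    delete_customer(conn, "dpo.carol", 7)
    return who_touched(conn, 7)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In a production deployment the `audit_log` table should be writable only through INSERT for the application's database role, and ideally shipped to a separate store, so that the log cannot be altered by the same accounts it is meant to account for.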
5. Relationships with 3rd-party vendors
If you have established relationships with 3rd-party vendors, all of those vendors have to follow the same rules and be bound by the same guidelines. This will likely require frequent audits by your organization of your 3rd-party vendors and how they treat your client data.
At Daxima we’ve been consulting with companies on how to become GDPR compliant. If you need help with system audits or with the auditing process, feel free to reach out to us.