
Are You Ready for GDPR?


Data breaches are on the increase worldwide. It’s a trend that puts both businesses and their customers at risk. In 2016, European Union (EU) lawmakers elected to address the issue head on with the passage of General Data Protection Regulation (GDPR).

GDPR was crafted to standardize the implementation of personal data protection across the 28 member states of the EU. When the regulation goes into effect May 25, it promises to disrupt the way companies around the globe handle customer data.

And given that the economy today is as much about data as it is about goods and services, any technology that improves the way organizations handle data holds the potential to transform the companies.

“GDPR is intended to protect EU data subjects, but if organizations apply the data protections not just to their EU footprint but across their organizations, those protections can bring tremendous value from an overall data privacy and protection perspective,” says Matt Fritz, president and practice director—data privacy and protection, Exec Consulting Inc.

“GDPR provides individuals with more control and additional protections over their data, which can ultimately deepen relationships with consumers. Additionally, GDPR is forcing organizations to gain a deeper understanding of their data processing activities and where they really have risk both from a security and privacy perspective. It will significantly raise the bar with regard to correctly managing personal information.”

Defining GDPR’s Scope

At its heart, GDPR is designed for the protection of the personal data of EU residents (data subjects).

However, responsibility for implementation stretches far beyond the borders of the region. Any organization that collects data on EU residents must comply with the law. This applies no matter the physical location of the organization, whether the data is stored onsite or in the cloud, whether it involves money or a free exchange of goods and services, or is simply part of a monitoring activity. If the data involves a living person in or from the EU, it must be handled in a compliant fashion.

“It applies whether you’re a citizen or temporary resident alien,” says Richard Hogg, global GDPR evangelist, IBM. “If you’re passing through a European airport for 30 minutes, potentially, GDPR applies to your personal data.”

Conversely, individuals outside of Europe may be covered by GDPR if they are consuming goods and services from a European provider or being monitored by a European organization.

GDPR Requirements

GDPR categorizes organizations handling data as controllers and processors. Controllers are the organizations with the top-line data needs. They determine what data is collected and how it will be processed and used. Processors are organizations that handle data processing activities for the controllers.

Previous data protection directives and rules applied largely to controllers, exempting processors. Under GDPR, both classes of organization need to apply and demonstrate compliance.

This nuance broadens the reach of GDPR. EU enterprises may need to police their supply chains to ensure they’re compliant. An organization located outside of the EU may be compelled to be GDPR-ready by virtue of being a vendor to an EU company.

The Rights of the Data Subject

The regulation sets out four key rights for data subjects:

  • The right to access. Data subjects can request a summary of any personal data held by an organization, presented in an easily accessible format.
  • The right to rectify. If data subjects find an error in their data, they have the right to have it corrected.
  • The right to erase. An organization must be able to delete a data subject’s records upon request, if applicable (several exemptions exist).
  • The right to portability. The data subject is allowed to request a copy of their data in a structured, reusable format that they can transfer to another organization.

In addition to these rights, the regulation establishes a set of six conditions under which it’s legal to process personal data from data subjects. The most important of these is that the controller must have active consent from the data subject.

This can be as simple as checking a box when visiting a website, but it’s required for each separate use of the personal data. Some of the other conditions that qualify as legal use include data processing to satisfy the terms of a contract or to satisfy regulatory requirements.

Responsibilities of Controllers

Much of GDPR focuses on tasks of privacy and data protection. It requires organizations to report data breaches to the authorities within 72 hours of the event and to inform data subjects as soon as possible thereafter. That’s a stark contrast to the notification timing in the aftermath of other recent headline-making breaches.


The regulation directs organizations to apply the principles of data protection by design and data protection by default. That means establishing processes around best practices, building in data protection from the beginning rather than treating it as an afterthought. Integrated protection will always be more effective.

GDPR establishes requirements for data security and risk mitigation. The latter includes data minimization, which focuses on limiting the amount of data collected to that which is absolutely necessary to conduct operations.

Another technique is pseudonymization, which involves stripping personal identifiers from the data. The pseudonymization can be reversed if the data is combined with additional information stored separately. Any interloper who doesn’t have the corresponding keys cannot reverse the process and read the data.

Pseudonymized data isn’t recognized as truly anonymous but it does relax the regulation somewhat (e.g., allowing such data to be repurposed without requiring a new consent from the data subject).

Finally, encryption provides an additional means of protecting data from unauthorized users. In the event an organization using encryption has a data breach, the organization is authorized by GDPR to ignore the otherwise compulsory notification rule.
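The data minimization and pseudonymization described in the preceding paragraphs, as an added Python example that is not from the article, IBM or Exec Consulting: a record is first cut down to the fields a given processing purpose needs, then its direct identifiers are replaced with keyed HMAC-SHA256 tokens while the key and the token-to-value lookup table are kept in a separate store. The sample records, the field names and the HMAC token scheme are assumptions made for illustration. The erasure method goes one step beyond the article: deleting the separately stored lookup entry leaves every pseudonymized copy, archived ones included, unlinkable to the person.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for this example; the people and values are invented.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Anna Example", "email": "anna@example.invalid", "phone": "+49-000-000000",
     "country": "DE", "plan": "premium"},
    {"name": "Bo Sample", "email": "bo@example.invalid", "phone": "+33-000-000000",
     "country": "FR", "plan": "basic"},
]

# Direct identifiers that must never reach the analytics copy in clear text (assumed).
IDENTIFIERS = ("name", "email", "phone")
# Fields a hypothetical churn report actually needs: data minimization (assumed).
NEEDED_FOR_REPORT = ("email", "country", "plan")


def minimize(record: Dict[str, str], needed: Iterable[str]) -> Dict[str, str]:
    """Data minimization: keep only the fields the stated processing purpose requires."""
    keep = set(needed)
    return {field: value for field, value in record.items() if field in keep}


class Pseudonymizer:
    """Reversible pseudonymization with the secret held apart from the data set.

    Each identifier is replaced by a keyed HMAC-SHA256 token. The key and the
    token -> original lookup table are the 'additional information stored
    separately'; a copy of the pseudonymized records without them cannot be
    reversed, and the same input always yields the same token so records can
    still be joined.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> original value, in the separate store

    def token(self, value: str) -> str:
        """Deterministic, key-dependent pseudonym for one identifier value."""
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def pseudonymize(self, record: Dict[str, str], identifiers: Iterable[str]) -> Dict[str, str]:
        """Return a copy of record with each present identifier replaced by its token."""
        out = dict(record)
        for field in identifiers:
            if field in out:
                tok = self.token(out[field])
                self._lookup[tok] = out[field]
                out[field] = tok
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible with access to the separate lookup store."""
        return self._lookup.get(token)

    def erase_subject(self, value: str) -> bool:
        """Drop the lookup entry for one identifier value.

        Every copy of the pseudonymized data, archived ones included, still holds
        the token but can no longer be linked back to the person. Returns False
        if no entry existed.
        """
        return self._lookup.pop(self.token(value), None) is not None


def prepare_report_extract(records: Iterable[Dict[str, str]],
                           pseud: Pseudonymizer) -> List[Dict[str, str]]:
    """Minimize first, then pseudonymize: the extract never holds unneeded identifiers."""
    return [pseud.pseudonymize(minimize(r, NEEDED_FOR_REPORT), IDENTIFIERS) for r in records]


if __name__ == "__main__":
    store = Pseudonymizer()
    extract = prepare_report_extract(SAMPLE_RECORDS, store)
    for row in extract:
        print(row)
    print("reversed:", store.reidentify(extract[0]["email"]))
    store.erase_subject(SAMPLE_RECORDS[0]["email"])
    print("after erasure:", store.reidentify(extract[0]["email"]))
```

Minimizing before pseudonymizing matters: the name and phone fields never enter the report extract at all, so there is nothing to protect or later erase there. The token is deterministic on purpose, so two extracts built with the same key can still be joined on the pseudonymized email without either holding the clear value.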

Article 30, a key provision, covers creating and maintaining records of processing activities. This should include essential details such as what kind of data is being stored, where it is being stored, who will access and process data, etc. This information should be supplied to the data subject on request.

Compliance Challenges

One of the major challenges of the new legislation is that it doesn’t exempt existing data. With that wrinkle, implementing the four rights of data subjects becomes more difficult.

It’s one thing to build a database and application designed around the regulation; it’s another to apply the standards to legacy data that may not be stored in a way that is compatible with required operations.

If an entry is just a row in a database, deleting it is straightforward. The problem is locating other copies that may be in the archives or backups.

“It’s a whole other challenge to somehow go back and find that data, and then if you do find it, how do you restore it?” Hogg observes. “How do we remove just you from that offline archive backup database that’s on who-knows-what kind of backup media? Where across all of the backups that we’ve done over the last seven years is your information and how can we just delete it without breaking the referential integrity of the online or offline application?”

Just as moving from one location to another compels a homeowner to eliminate unnecessary belongings and better organize the rest, the process of complying with GDPR creates a framework for improving data processes and governance.

“So many organizations have been misusing backup as a form of archives, whereas it really should be used for disaster recovery,” says Hogg. “And too many of us have been keeping backups or archives for way too long. There’s a potential that we need to review current applications as well as practices of online, near line, and offline backup of archives.”

“I talk to clients who may or may not delete data at all,” says Fritz. “This is going to force them to at least know where they have personal information and realize that they may not be able to keep data forever, which can help reduce both security and privacy risk.”

Risks of Noncompliance

Part of the reason GDPR is getting such attention is that the law includes significant penalties for noncompliance.

For upper-tier infringements such as violating the rights of data subjects, failing to get consent, or transferring personal data to a third party, an organization could be fined the greater of 20 million euros or 4 percent of the previous year’s revenues. Alternatively, the regulators have the option of suspending dataflow or instituting a ban on processing.

Notwithstanding the risks, more than a few small businesses outside of the EU appear to be more inclined to observe than act.

“I’ve heard multiple clients say they’re going to let the Facebooks and Googles battle it out and then they’re going to make their moves once they see a little bit of data coming back,” says Fritz. “It would definitely not be my recommended course of action. European authoritative sources have already indicated that they’re going to most likely have some kind of enforcement action early on when this thing rolls out. Taking the ‘wait and see’ approach obviously leaves organizations exposed.”

Hogg likens those types of organizations to ostriches sticking their heads in the sand and waiting for GDPR to go away (hint: it won’t). Far better to take on the challenge, do the work and begin harvesting benefit.

“At IBM, we view GDPR as an opportunity to transform the business,” he says. “If you’re able to deepen the trust relationship with your clients by showing transparently that you’re handling their personal data in the right way, they’re likely to trust you with more personal data that you can then use to better tailor goods and services to them.”

Kristin Lewotsky is a freelance technology writer based in Amherst, N.H.
