General Data Protection Regulation – Implications and tooling for GDPR readiness, Part 1 of 2

Background

With technology now reaching into every part of everyday life, the European Union General Data Protection Regulation (GDPR) is the EU's response to that intrusion. GDPR regulates and limits the use that may be made of personal data. Its aim is to ensure that Data Protection is built into systems and processes by design and by default, across every facet of data management, by giving the Data Subject (every natural person in the European Union is a Data Subject) control over the personal data collected about them.

It comes into full effect on May 25th, 2018. GDPR includes:

  • Data collection
    • Only the minimum of data necessary for a specific purpose is collected (data minimisation).
  • Data storage
    • When data is no longer required for the express purpose for which it was collected then it must be erased. Security and privacy must be inbuilt.
  • Data use
    • Data can only be used for the specific and express purpose for which it was collected under the heading of “Informed Consent”. Consent by a Data Subject to use their personal data can be withdrawn at any time.
  • Data content and accuracy
    • A Data Subject can request full access to ALL their personal data at any time and require correction of any inaccurate information or exercise their “Right to be Forgotten” (RTBF).
  • Data Sharing
    • Not allowed unless express “opt-in” permission is given by the Data Subject for an express purpose. Requires GDPR compliance from every party with access to the data, from end to end. A Data Subject nonetheless has a right of access to all information held on them, and personal data supplied in response to a “right to access” request is theirs to do with as they will: it cannot be supplied “in confidence” or under any other restriction on use.
  • Evolution and change
    • GDPR introduces a requirement for “continuous risk assessment” – a responsibility of the Data Controller and required to be both “appropriate” and “state of the art”.
  • Monitoring and Compliance
    • Responsibilities include formal processes and set notification criteria in the event of a breach; a breach that is likely to put individuals at risk must be reported to the supervisory authority within 72 hours of becoming aware of it. Penalties for an infringement, or for a discovered unnotified breach, can be significant even in terms of a large international corporation’s turnover: up to 20 million Euros or 4% of annual worldwide turnover, whichever is higher.

GDPR affects every organisation that holds data on a person and where that person is in the European Union. It applies regardless of location – if you are collecting, processing or storing data on EU residents then you are included.

What it means for Businesses in terms of MultiValue (MV) application platforms

Firstly let’s look at where data exists and is held (these are not necessarily the same thing). While there are sure to be other examples, the list covers almost all scenarios either directly or indirectly:

  • In disk storage – after all, that is where the data is held – in accounts and files.
  • In transit – data needs to get into and out of systems, and typically there are one or more network connections over which data is exchanged, whether to a terminal, a web server or web service, or a similar network-connected device.
  • In backup storage – wherever held.

How U2 can help address GDPR requirements – Tooling

  • Data in Transit – All U2 client software supports full encryption of data exchanged between a client and a server using secure protocols based upon the continually evolving, industry-standard OpenSSL libraries. The U2 implementation also encompasses FIPS 140-2 compliant algorithms, so it meets the commonly required encryption standards. Note that transport encryption only delivers this protection if the client verifies the server’s certificate and obsolete protocol versions and weak cipher suites are disabled in the configuration; enabling encryption is not the same as enabling it securely.
  • Data at Rest – The U2 databases also provide encryption of data held in data files, whether within a record body, in an ID, in an index or in backup copies. This too is based upon the industry-standard OpenSSL libraries, providing a secure platform for ongoing data security. Encryption at rest protects against stolen media and exposed backups; it does not protect against a compromised account that is authorised to read the data, so the protection is only as strong as the management of the encryption keys and of access to them.

The built-in features also allow separation of data by user role and entitlement at the physical level, where different files, or individual fields within individual files, can be separately and securely encrypted. Rights to access any element of data can be granted globally, to a group of users or to an individual user, with the assurance that users who have not been positively granted access are incapable of reading, or indeed understanding, the encrypted data.

  • U2 direct costs – none – these features are included in all the U2 clients, servers and tools at no additional cost.

Look for Part II of my blog next week and in the meantime, if you haven’t seen it and want details about specific articles of GDPR and how MultiValue can provide the capabilities you need to fulfil many of these requirements, read the Rocket General Data Protection Regulation (GDPR) and Rocket MultiValue Databases brochure.

John Jenkins


Introducing John “JJ” Jenkins… John works in our Uxbridge, UK office as a Technical Support Engineer. Uxbridge is in London, just north of Heathrow Airport. One of the most experienced members of our global team, he has a focus on consumability, and aims to have bugs fixed once, and never see the same root cause arise again. Straight after completing his education, John started working in the IT world. He worked on mainframes as a computer operator and then moved into COBOL and PLAN programming. He helped implement one of the first mainframe-based OLTP systems. In the late 1970s when working for Rolls-Royce he promoted the introduction of Apple micro-computers – which were considered a ‘toy’ at that time. Later he appeared as a guest on regional television, which did a programme on micro-computer hobbyists. In the 1980s, John started working for the retail giant Debenhams, again on mainframes. But it was here that he was introduced to the MultiValue database Reality. He worked on cutting-edge OLTP systems for the credit card side of the business, and developed cheap micro-computers as communications front-end processors for Reality systems to interface with EPOS via modem. He joined a management buyout and formed DISC International (later to be FBH Associates) which developed interactive Videotex systems and communications based on X.25 – bleeding-edge at the time. The company developed and installed public and private videotex-based OLTP systems for most multi-value databases based on a “Plug’n’Play” virtual machine developed in “Pick” Assembler, PMA and C. The systems stood behind British Telecom and SAPONet/BELTEL (South Africa) amongst others. They also built William Hill’s first online betting system using Prime, and (possibly the first) public online teleshopping sales systems for ASDA and Littlewoods. As technology and needs moved on, the software was enhanced to include U2-based telephony interfaces for interactive voice applications (“PhoneData”).
John later left FBH Associates to join UniData, where he worked as a consultant on COBOL Direct Connect and RedBack (now WebDE), and had the pleasure of upgrading the system at William Hill to run on RedBack. After UniData and VMARK merged to form Ardent - acquired by Informix - John moved to manage Informix “Web Solutions” Professional Services team working on projects including Lastminute.com and BBC FutureWorld. When IBM acquired Informix’s database business, John managed U2 Support and led this team for several years. On Rocket’s acquisition of the business he happily returned to the technical role he now holds. John is married to Anne, a qualified teacher, who works as a teaching assistant at their local senior school. They are very proud parents to two daughters – Siân and Ceri. Siân has two Masters Degrees and a Doctorate in Mathematics from Bath University. Ceri has a Bachelor of Science in Geography from Swansea University. Outside of work, John enjoys writing fiction, reading about Science, painting murals (personal and by commission), has published Intellectual Property in opto-electronics and location-based services, and has been part of MENSA. He says, “I don’t have a house, I have a shelter for a computer network”. John also enjoys travelling and has been to Ireland, the US, Europe, Russia and Africa but has not yet managed to add the AsiaPac to his portfolio.
