General Data Protection Regulation – Implications and tooling for GDPR readiness, Part 1 of 2
With technology reaching ever further into everyday life, the European Union's General Data Protection Regulation (GDPR) is the EU's response to that intrusion. GDPR is an attempt to regulate and limit the use that may be made of any personal data. Its aim is to ensure that data protection is built into systems and processes by design and by default, extending to every facet of data management by making the Data Subject (every person in the European Union is a Data Subject) the owner of all data collected about them.
It comes into full effect on May 25th, 2018. GDPR includes:
- Data collection
  - Only the absolute minimum of data necessary for a specific purpose may be collected.
- Data storage
  - When data is no longer required for the express purpose for which it was collected, it must be erased. Security and privacy must be built in.
- Data use
  - Data can only be used for the specific and express purpose for which it was collected, under the heading of “Informed Consent”. Consent by a Data Subject to the use of their personal data can be withdrawn at any time.
- Data content and accuracy
  - A Data Subject can request full access to ALL their personal data at any time and require correction of any inaccurate information, or exercise their “Right to be Forgotten” (RTBF).
- Data sharing
  - Not allowed unless express “opt-in” permission is given by the Data Subject for an express purpose. Requires formal GDPR compliance from all parties with access to the data, from end to end. A Data Subject is, however, the sole owner of all information held on them, and if they exercise their “right to access” then all the personal data supplied to them is theirs to do with as they will; it cannot be supplied “in confidence” or under any other restriction on use.
- Evolution and change
  - GDPR introduces a requirement for “continuous risk assessment”, a responsibility of the Data Controller that is required to be both “appropriate” and “state of the art”.
- Monitoring and compliance
  - Responsibilities include formal processes and set notification criteria in the event of a breach. Penalties for a breach, or for a discovered unnotified breach, can be significant even in terms of a large international corporation’s turnover: up to 4M Euros or 4% of annual worldwide turnover.
GDPR affects every organisation that holds data on a person where that person is in the European Union. It applies regardless of the organisation's location: if you are collecting, processing or storing data on EU residents, then you are included.
What it means for Businesses in terms of MultiValue (MV) application platforms
Firstly, let’s look at where data exists and where it is held (these are not necessarily the same thing). While there are sure to be other examples, the following list covers almost all scenarios, either directly or indirectly:
- In disk storage – after all, that is where the data is held – in accounts and files.
- In transit – data needs to get into and out of systems and typically there are one – or more – network connections over which data is exchanged whether to a terminal, a web server or web service, or similarly network-connected device.
- In backup storage – wherever held.
How U2 can help address GDPR requirements – Tooling
- Data in transit – All U2 client software supports full encryption of data exchanged between a client and a server, using secure protocols based upon the continually evolving industry-standard OpenSSL libraries. The U2 implementation also encompasses FIPS 140-2 compliant algorithms, so it ticks all the boxes for encryption standards.
- Data at rest – The U2 databases also provide encryption of data held in data files, whether in a record body, in a record ID, in an index or in backup copies. This too is based upon the industry-standard OpenSSL libraries, providing a secure platform for ongoing data security.
The built-in features also allow separation of data by user role and entitlement at the physical level: different files, or individual fields within individual files, can be separately and securely encrypted. Rights to access any element of data can be granted globally, to a group of users or to an individual user, with the assurance that unauthorised users are incapable of accessing, or indeed understanding, encrypted data unless they have been positively granted access.
- U2 direct costs – none – these features are included in all the U2 clients, servers and tools at no additional cost.
Look for Part II of my blog next week. In the meantime, if you haven’t seen it and want details about specific articles of GDPR and how MultiValue can provide the capabilities you need to fulfil many of these requirements, read the Rocket General Data Protection Regulation (GDPR) and Rocket MultiValue Databases brochure.