What is GDPR, and Am I Affected?
The GDPR (General Data Protection Regulation, EU 2016/679) is coming, and there’s nothing we can do to change that. Just about every organization that deals with EU customers will likely need to take the steps necessary to implement it.
GDPR was developed by the European Parliament, and its regulations aim to formalize data protection rights and regulations, and “to give control back to citizens and residents over their personal data and to simplify the regulatory environment […]”.
The Regulations were formally drafted in April 2016, and are required to be implemented by May 25, 2018. The GDPR rules affect everyone who:
- Has a presence in an EU-Member Country
- Processes personal data of European residents
- Employs more than 250 persons
- Or employs fewer than 250 persons, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive data [source].
[The last one encompasses pretty much everyone else.]
So now that we know who is affected, and when, let’s talk about what effects it’s going to have on the way we work, the organizations we support, and how we can ensure we’ll be GDPR compliant when the time comes.
How will GDPR affect me?
GDPR is going to require the creation of new processes and controls, and will even mandate the creation of a new position to enforce them. There are 99 articles that spell out GDPR’s requirements, limitations, and the rights granted to citizens. To make the path to GDPR compliance easier to understand, the following high-level list outlines the five ‘core’ rules of GDPR that will require immediate attention from your organization (though you could read all 99, if you like!), and the articles that establish them. Other articles then detail the specific compliance requirements:
- Articles 37-39: Nomination of a Data Protection Officer: You’ll need a ‘DPO’ to assist the controller or processor in their role (a position that must be separate from your Compliance Officer; the DPO’s role is similar, but more IT focused). Companies may be able to nominate a current employee to the DPO position as long as there is no conflict of interest.
- Article 5: Management of Customer Privacy (with related provisions in Articles 10 & 17):
  - Creation of a Data Protection Plan (DPP): Many organizations may already have something in place that can serve as a starting point for a DPP that is compliant with GDPR.
  - Establishment of the “Right to erasure” [detailed in Article 17]: Also known as the “right to be forgotten,” this section deals with data subjects’ rights to have their data purged.
  - Data Portability Requirements [established by Article 20]: Establishes ‘rights’ regarding the transfer of personal data between systems.
- Articles 33 & 34: Outline Rules Around Reporting of Breaches:
  - The Data Controller is legally obligated to report a data breach to the Supervisory Authority immediately; “immediately”, as defined by GDPR, means within 72 hours.
  - Sanctions for noncompliance [detailed in Article 83]: The GDPR penalties and fines prescribed for violations can be huge: the larger of €20 million or up to 4% of global annual turnover.
- Article 25: Protection by Design / Default: Requires that business processes are designed with data protection in mind, with stringent default privacy settings.
- Article 32: Formalizes Record Keeping Requirements: Sets requirements for the retention of processing records.
- Be prepared to prove you have risk mitigation in place: In many cases this can be as important as the actual mitigation.
- Leverage existing controls: Build on the controls you already have in place to meet GDPR requirements.
- Implementation of Pseudonymization: Personal data will need to be transformed so that it is no longer directly identifiable.
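The pseudonymization item above names the requirement but not a technique. The following is an added example (not code from the original post or from Device42) of keyed pseudonymization with HMAC-SHA256: identifying fields are replaced by stable tokens, so records about the same person can still be joined, but the tokens cannot be reversed or recomputed by anyone without the secret key. It also shows why this matters for the “right to erasure” item: with the key, a DPO can locate every record belonging to a data subject and purge it. The key handling, field names, and sample records are assumptions constructed for the example; under GDPR Article 4(5) and Recital 26, pseudonymized data is still personal data, which is why the key must be kept apart from the dataset.

```python
"""Keyed pseudonymization of personal-data fields.

Added example, not from the page or from Device42. Assumes a 256-bit secret
key held outside the data store (e.g. in a secrets manager). HMAC-SHA256 makes
tokens stable (same input, same token, so joins survive) but unrecoverable
without the key.
"""
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not real people.
RECORDS = [
    {"customer_id": 101, "email": "alice@example.com", "country": "DE", "plan": "pro"},
    {"customer_id": 102, "email": "bob@example.com", "country": "FR", "plan": "free"},
    {"customer_id": 103, "email": "Alice@Example.com ", "country": "DE", "plan": "free"},
]

# Fields that directly identify a person and therefore get pseudonymized.
IDENTIFYING_FIELDS = ("customer_id", "email")


def pseudonymize_value(key: bytes, field: str, value) -> str:
    """Return a stable, keyed token for one field value.

    The field name is mixed into the MAC so that the same value appearing in two
    different columns yields two unrelated tokens. Input is normalized
    (stripped, lower-cased) so trivially different spellings of an e-mail
    address map to one token and can still be joined.
    """
    normalized = str(value).strip().lower()
    msg = field.encode("utf-8") + b"\x00" + normalized.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize_record(key: bytes, record: dict) -> dict:
    """Copy a record, replacing each identifying field with its token."""
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        if field in out:
            out[field] = pseudonymize_value(key, field, out[field])
    return out


def pseudonymize_dataset(key: bytes, records: list) -> list:
    """Pseudonymize every record; non-identifying fields pass through unchanged."""
    return [pseudonymize_record(key, r) for r in records]


def find_records_for_subject(key: bytes, pseudonymized: list, email: str) -> list:
    """Locate a data subject's records in the pseudonymized set.

    Only a key holder can do this; it is what an erasure (Article 17) or
    portability (Article 20) request needs before the rows can be exported or
    deleted.
    """
    token = pseudonymize_value(key, "email", email)
    return [r for r in pseudonymized if r.get("email") == token]


def rotate_key() -> bytes:
    """Generate a fresh 256-bit key. Destroying the old key after rotation makes
    previously pseudonymized data unlinkable to its subjects, which is the
    intended end state for retired datasets."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = rotate_key()
    ds = pseudonymize_dataset(key, RECORDS)
    for row in ds:
        print(row)
    print("alice's records:", find_records_for_subject(key, ds, "alice@example.com"))
```

A plain unkeyed hash (SHA-256 of the e-mail alone) would not satisfy the intent here: anyone holding a list of candidate e-mail addresses could recompute the hashes and re-identify the rows, whereas the HMAC variant requires the key.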
To start down the path to compliance, you’ll need to nominate a Data Protection Officer to be accountable for GDPR. If you are compliant with the existing Data Protection Act, some of the above might look familiar, but GDPR compliance also means some big changes to the “standards” that we’ve all gotten used to – many of which have been only loosely enforced, and only then for certain industries (HIPAA and the like for the medical industry, PCI for the payment industry, SOX, etc.). While the DPA and other standards were adequate in the past, far more companies are now able and have proved willing to stockpile more and more sensitive user data, while breaches have become far larger and more commonplace.
How can I make sure I’m ready for GDPR?
Now that we’ve looked at the requirements and regulations GDPR is going to bring down, we can think about how to get compliant. Aside from hiring your DPO as outlined in Articles 37-39, your road to achieving GDPR compliance can be broken down into 3 main phases:
- You’ll want to begin by documenting the current state of your infrastructure. To comply with GDPR Article 5, you’ll need to ensure you’re properly managing customer data. This means you must first be able to identify the databases and other repositories in which customer (GDPR) data is stored, and how it moves about your environment. Using Device42, you can discover and document your entire infrastructure, including all databases and all applications that access those databases.
- Next, you’ll examine your discovery findings, and scrutinize your infrastructure and processes for issues that aren’t compliant with GDPR’s Article 5 (and related) provisions regarding the management of customer privacy and the processing of customer data. Using Device42 you can:
  - Find all your databases via Device42. You can then examine those databases to make sure they are compliant with any “data at rest” regulations.
  - Document data-at-rest compliance using Device42 custom fields.
  - See which applications access which databases. You can then examine those applications to make sure they are compliant (e.g. encryption and anonymization).
  - Document compliance of data in motion using Device42 custom fields.
  - See which applications are moving data out of the country via Device42 and determine compliance.
  - Document compliance for applications that move data out of the country.
  - Create compliance reports using Device42.
- Last, you will want to update existing non-compliant processes and implement a protection-by-design philosophy per GDPR Article 25 in all new processes. Formalize your documentation and record-keeping processes as per Article 32 by designating Device42 as an official source of record. You will find that most of the data can be stored in Device42, so that you have your infrastructure documentation and compliance information in one single source of truth.
Understand Where You Are Today
Planning and tracking the changes your business and its supporting IT infrastructure will require to achieve GDPR compliance can prove challenging, as many companies don’t know the ins and outs of their infrastructure as it sits and don’t know where to begin. To comply with GDPR, you need to be able to answer questions like “Do you know how your business uses data?”, and “What types of personal data do you collect and use, and where is it stored?” Device42 helps you answer these questions, and more.
Creating a plan to become and stay GDPR compliant first requires that you know exactly what you have in your data center today, how the hardware, software, and services your data center supports interact with each other, and what the interdependencies between all of them are.
Once you understand your infrastructure, its applications, and its interdependencies, you can identify and map customer data “hot spots” and understand data flows throughout your organization. Identifying where the customer data you possess lives and how it moves are key steps in establishing GDPR compliance.
Analyze your Existing Processes
Now that you have the data available to answer important compliance questions, pre-GDPR business processes will need to be re-examined and possibly rewritten, both within and outside the walls of the IT organization. Outdated standards will need to be replaced and missing ones created, with privacy-centric versions taking the forefront to protect both our personal and business identities in this online world.
The good news is that if you are compliant under the DPA (Data Protection Act), many of those standards will remain valid, and will function as solid building blocks for GDPR.
Implement Protection by Design & Formalize Your Documentation Processes
Going forward, protection by design will need to be built into all your processes as part of GDPR Article 25 compliance. This is one of the larger challenges around GDPR compliance, as all processes will require documented proof that they were designed with a security-first mindset. Device42’s automatic, detailed, and accurate documentation of your IT Infrastructure and its interdependencies can be leveraged in conjunction with custom fields that you can use to store other relevant compliance details to provide the accountability and audit trail you need to demonstrate that reasonable protections were designed into your processes for Article 25 compliance.
GDPR Article 32 requires the formalization of record keeping processes. Designating Device42 as a formal source of infrastructure record will help you comply with this requirement. You’ll also be able to leverage Device42 to monitor other compliance related changes to your infrastructure, and to report on compliance going forward.
Your Data Protection Officer will need the ability to run on-demand and automated reports that answer GDPR audit-related questions, demonstrate GDPR compliance, and identify possible sources of non-compliance to be addressed. As an example, your DPO could configure Device42 to trigger an alert any time credentials to a sensitive data store are accessed. Device42 is also GDPR Article 20 compliant, allowing your DPO to perform CSV exports of any documentation in your CMDB when requested.
Device42 Helps You Comply With GDPR
Along with formalizing Device42 as a source of GDPR record to meet the requirements of Article 32, Device42 will also help you comply with GDPR Articles 33 & 34. Articles 33 & 34 establish the requirements around data breaches, which must be reported within 72 hours. This short timetable can prove challenging for many organizations. Proving you had put mitigations in place per article 42, and identifying how those risk mitigations failed, and reporting the breach all must happen within that 72-hour window. This will require significant planning and practice.
Device42’s secure password management makes the implementation and use of strong, GDPR-ready password management a user-friendly process, offering fast, easy search, granular permission controls, and even the ability to securely copy passwords without displaying them on screen. This ensures that only authorized users can access passwords and the data they protect, which is a core principle of GDPR.
Device42’s complete infrastructure tracking, granular security controls, history, audit trail, and external logging provide many of the tools your DPO needs to analyze a possible breach, collect the related details, and help produce the required breach report within the allotted 72 hours. We all hope we won’t ever have to be the ones reporting a breach, but there’s peace of mind in knowing that you have the proper tools to do so if it were to happen.
With Device42 by your side, you have all the tools you need to plan and implement GDPR’s new requirements before the 2018 deadline, ensuring both your organization’s and your personal online and offline identities stay safe and secure. Best of all, you’ll have the documentation to back it all up.
Thanks for reading! Are you already using Device42 to help implement GDPR? Have you used Device42 to solve any GDPR-compliance related issues in your organization? We’d love to hear any stories you might have to share, questions you might have, and your comments, too! Feel free to leave them here, or to drop us an e-mail.
And of course, if you aren’t a Device42 user already, download a free 30-day, full-featured trial and see just how easy Device42 makes it to gain a thorough understanding of your infrastructure and all its interdependencies, and get on the path to GDPR compliance today!