GDPR: Tips for Getting Serious About Compliance in May
With the GDPR less than two months away, what is your team doing to ensure your data's compliance and security? Read on for a few helpful tips.
Get ready. The European Union’s General Data Protection Regulation (GDPR) will be taking effect on May 25 of this year. The GDPR will greatly tighten existing EU rules on data protection and privacy and add new requirements beginning this year. This will significantly impact not only European companies but any company that does business in Europe.
Many firms are worried about compliance with the GDPR and believe their organization is not prepared to handle these global data privacy regulations.
To be in compliance with the GDPR, it is critical to understand the nature of personally identifiable information (PII). The EU classifies PII as two or more data elements that could be used to uniquely identify an individual, such as a person’s name and government ID number.
Under the GDPR, any data item that is personal to a data subject is considered PII. Thus, a person’s name or email address may be considered PII, as well as anything that can be tied back to the sensitive data element. Whether this is seen as an expansion or clarification of EU law about PII, it is clear that the rules are changing.
The GDPR makes it clear that the data subject is the owner of his or her personal data. GDPR requires organizations to have the policies and processes in place to protect the following rights of data owners:
Right to Erasure – the right of the data owner “to be forgotten” and have his or her personal data removed from the system.
Right to Restrict Processing – the right of the data owner to request that his or her data be marked “restricted” and not accessed or processed without express permission.
Right to Data Portability – the right of the data owner to export personal data in a machine-readable format so it can be transmitted between service providers.
Right to Rectification – the right of the data owner to have errors in personal data corrected, and the right to be notified in a timely manner of a breach of PII.
Right to be Informed – the right of the data owner to have access to personal data in a readable and understandable form.
Safeguarding these rights will be a challenge for businesses, especially for their application developers, DevOps, and security staff. Application developers, in particular, must account for a slew of new requirements in both the design and update of their applications, including (but not limited to) consent management, data minimization, and pseudonymization in which data is replaced by a pseudonym.
As more and more application development teams use agile methodologies, the ability to deliver and maintain applications that are “secure by design” and adhere to the “privacy by design” philosophy espoused by GDPR will be difficult but necessary.
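The pseudonymization requirement mentioned above is easiest to see in code. The following is an added example, not code from the original article or its author: it keys the pseudonym with an HMAC so that tokens stay consistent across datasets but cannot be re-derived without the secret, and keeps the token-to-identity lookup in a separate vault so that erasure and rectification can be honoured without touching the working copy of the data. The record layout, field names and class names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample records; the field names are assumptions for this example.
RECORDS = [
    {"user_id": "u-1001", "name": "Alice Example", "email": "alice@example.org", "plan": "pro"},
    {"user_id": "u-1002", "name": "Bob Example", "email": "bob@example.org", "plan": "free"},
]

# Fields treated as direct identifiers and stripped from the working copy.
PII_FIELDS = ("name", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of an identifier.

    HMAC rather than a plain hash: under one key the same identifier always maps
    to the same token (joins and de-duplication keep working), but without the
    key the token cannot be reversed by hashing guessed identifiers.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class PseudonymisationVault:
    """Holds the key and the token -> identity lookup.

    The vault is the 'additional information' that must be kept separately
    from the pseudonymised data; only it can re-identify a data subject.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, Dict[str, str]] = {}

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy with PII removed and the subject id replaced by a token."""
        token = pseudonym(record["user_id"], self.key)
        self._lookup[token] = {f: record[f] for f in PII_FIELDS if f in record}
        out = {k: v for k, v in record.items() if k not in PII_FIELDS}
        out["user_id"] = token
        return out

    def reidentify(self, token: str) -> Optional[Dict[str, str]]:
        """Resolve a token back to the stored identity, or None once erased."""
        return self._lookup.get(token)

    def rectify(self, user_id: str, **corrections: str) -> bool:
        """Right to rectification: correct stored PII without touching working data."""
        entry = self._lookup.get(pseudonym(user_id, self.key))
        if entry is None:
            return False
        entry.update({k: v for k, v in corrections.items() if k in PII_FIELDS})
        return True

    def erase(self, user_id: str) -> bool:
        """Right to erasure: dropping the lookup entry leaves the working copy
        pseudonymised and unlinkable, and the PII itself is gone."""
        return self._lookup.pop(pseudonym(user_id, self.key), None) is not None


if __name__ == "__main__":
    vault = PseudonymisationVault()
    working = [vault.pseudonymise(r) for r in RECORDS]
    print(working)                                   # no names or emails
    print(vault.reidentify(working[0]["user_id"]))   # only the vault can map back
    vault.erase("u-1001")
    print(vault.reidentify(working[0]["user_id"]))   # None after erasure
```

The point of keying the hash is that an unkeyed SHA-256 of an email address is trivially reversible by hashing candidate addresses, so it would not count as pseudonymised; the point of the separate vault is that the working dataset never has to be rewritten to satisfy an erasure or rectification request.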
The challenge lies in the nature of data itself. Data permeates every crevice of an organization, its systems, and its infrastructure.
When a company creates and processes information, that data is in motion. Then, the data passes through the system to its new home on storage media, becoming data at rest.
Tools to enforce and measure compliance are often applied to data at rest. While data at rest is considered to be less vulnerable than data in motion, attackers often find data at rest more valuable than data in motion. [1]
Encryption plays a major role in securing data at rest. To protect data at rest, enterprises can encrypt sensitive files prior to storing them, encrypt the storage drive itself, or apply policies to protect the storage boundary.
For protecting data in motion, enterprises often encrypt sensitive data prior to transport, use encrypted connections (HTTPS, SSL/TLS, FTPS, etc.), or both.
Encrypting data at rest and securing channels for data in motion are important first steps for security, but they do not guarantee that sensitive data is protected. If PII is shared with a software-as-a-service (SaaS) partner or external service provider and a breach occurs, both the originating and receiving companies may be liable for the breach under the GDPR. So even if a company secures its own data, it can be liable if the receiving company is insecure. Thus, it is critical to secure every layer of the infrastructure that interacts with sensitive information.
To determine and enact appropriate security measures that comply with the GDPR, we must understand the anatomy of data — its creation, transformation, and flow across the data processing lifecycle. We should ask the following questions: Where did the data originate? Where is the data used? How is the data protected at each stage?
Armed with this information, organizations are able to identify data security violations and vulnerabilities and bring themselves into compliance.
Organizations must prioritize five specific actions to prepare for the impending requirements under the GDPR:
Discovery and classification of sensitive user data as well as business domain-specific data that leverages sensitive data.
Data flow analysis across microservices, business partners, and service providers.
Authentication and authorization controls.
Codifying policies and procedures to track data flow across services and between business partners and services.
Continuous measurement of compliance and violations.
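The three lifecycle questions above and the five actions just listed fit together as one small pipeline: classify the fields of a record, record every hop a field takes between services, and audit each hop that carries PII against a codified policy. The following is an added example, not code from the original article or its author. The pattern catalogue, the service names and the `Hop` inventory are constructed for illustration, and the policy checks (transport encryption, storage encryption, a processing agreement with any external receiver) are the author's own points from the text rather than an exhaustive GDPR checklist.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Step 1, discovery and classification: value patterns that mark a field as PII.
# These three patterns are constructed for the example; a real catalogue is broader.
CLASSIFIERS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "phone": re.compile(r"^\+?\d[\d\s\-]{7,}\d$"),
    "gov_id": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
}


def classify_record(record: Dict[str, object]) -> Dict[str, str]:
    """Map each field whose value looks like PII to its category."""
    found: Dict[str, str] = {}
    for name, value in record.items():
        if not isinstance(value, str):
            continue
        for category, pattern in CLASSIFIERS.items():
            if pattern.match(value):
                found[name] = category
                break
    return found


# Step 2, data flow: one Hop per service-to-service transfer (constructed inventory).
@dataclass(frozen=True)
class Hop:
    source: str
    destination: str
    fields: Tuple[str, ...]
    transport_encrypted: bool          # TLS or equivalent on the wire
    storage_encrypted: bool            # destination encrypts at rest
    external: bool = False             # destination is a partner / SaaS processor
    processor_agreement: bool = False  # a data processing agreement is in place


def trace_field(hops: Sequence[Hop], field: str) -> List[Tuple[str, str]]:
    """Answer 'where did this field originate and where is it used?' as the
    ordered list of hops that carry it."""
    return [(h.source, h.destination) for h in hops if field in h.fields]


# Steps 3 to 5, codified policy applied continuously over the inventory.
def audit_flows(hops: Sequence[Hop], sensitive: Sequence[str]) -> List[str]:
    """Return one violation string per policy breach on a hop carrying PII."""
    violations: List[str] = []
    for h in hops:
        carried = sorted(f for f in h.fields if f in sensitive)
        if not carried:
            continue
        where = f"{h.source} -> {h.destination} {carried}"
        if not h.transport_encrypted:
            violations.append(f"{where}: PII in motion without transport encryption")
        if not h.storage_encrypted:
            violations.append(f"{where}: PII at rest without storage encryption")
        if h.external and not h.processor_agreement:
            violations.append(f"{where}: PII shared with an external processor without an agreement")
    return violations


# Constructed sample data: one user record and the hops it takes through the estate.
SAMPLE_RECORD = {"id": "u-1", "email": "alice@example.org", "phone": "+1 555 010 0001", "plan": "pro"}

SAMPLE_HOPS = (
    Hop("web-app", "user-db", ("id", "email", "phone", "plan"), True, True),
    Hop("user-db", "analytics", ("id", "plan"), True, True),
    Hop("user-db", "mail-saas", ("id", "email"), True, False, external=True),
    Hop("user-db", "legacy-export", ("id", "phone"), False, True),
)


def run_audit() -> List[str]:
    """Classify the sample record, then audit every hop that carries its PII."""
    sensitive = list(classify_record(SAMPLE_RECORD))
    return audit_flows(SAMPLE_HOPS, sensitive)


if __name__ == "__main__":
    print("PII fields:", classify_record(SAMPLE_RECORD))
    print("email lineage:", trace_field(SAMPLE_HOPS, "email"))
    for v in run_audit():
        print("VIOLATION:", v)
```

Running the audit on the constructed inventory flags the unencrypted legacy export and the SaaS hop twice (no encryption at rest, no processing agreement), while the analytics hop is silent because it carries only non-PII fields. Re-running `run_audit` on every inventory change is the "continuous measurement" step; the output is a list rather than a pass/fail so it can be fed to a ticketing or alerting system.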
Every successful business is based on the premise of collection and exchange of data. Putting into place the right strategies and systems can keep your business compliant with these new global data security regulations and secure for years to come.
[1] Data Protection: Data in Transit vs Data at Rest, by Nate Lor
Published at DZone with permission of Chetan Conikee. See the original article here.