This blog post is certainly a bit different from my usual repertoire, however I strongly encourage any ‘Architect’ level person to have a good grasp of the implications to their customers.
Overview
In it’s essence General Data Protection Regulation (GDPR) strengthens the rights of individuals in the European Union (EU) to control their personal data. This places emphasis on businesses ensure they have adequate privacy and data protection measures whilst protecting personal data by design and default.
Individuals will have significantly enhanced rights, such as to access and receive a copy of their personal data, as well as to have it erased.
It should be noted that companies who violate the GDPR could face fines up to the greater of €20 million or 4% of annual global turnover (revenue), whichever is greater. GDPR actually become law in the EU on 27 April 2016 but given the significant changes faced, a two year transition was granted, which means that enforcement begins on 25 May 2018.
For more GDPR information visit the Information Commissioners Office.
Key Concepts
GDRP is structured around six principles which are:
- Requiring transparency on the handling and use of personal data.
- Limiting personal data processing to specified, legitimate purposes.
- Limiting personal data collection and storage to intended purposes.
- Enabling individuals to correct or request deletion of their personal data.
- Limiting the storage of personally identifiable data for only as long as necessary for its intended purpose.
- Ensuring personal data is protected using appropriate security practices.
Key Changes
Microsoft have broken down the key changes to GDPR under four key verticals which are:
- Personal Privacy – Individuals have the right to :
- Access their personal data
- Correct errors in their personal data
- Erase their personal data
- Object to processing of their personal data
- Export personal data
- Controls & Notifications – Companies will need to:
- Protect personal data using appropriate security
- Notify authorities of personal data breaches within 72 hours
- Obtain appropriate consents for processing data
- Keep records detailing data processing
- Transparent Policies – Companies are required to:
- Provide clear notice of data collection
- Outline processing purposes and use cases
- Define data retention and deletion policies
- IT & Training – Companies will need to:
- Train privacy personnel and employees
- Audit and update data policies
- Create and manage compliant vendor contracts
Challenges
Let’s have a look at a scenario around the starters and leavers process. Bob leaves the employment of VMFocus after 10 years service and is moving onto pastures new. Bob requests that VMFocus erases his personal data, what could this effect?
- Active Directory credentials as most are personally identifiable including device logins
- Line of business applications which hold user specific credentials
- Database records
- Email records
- ERP systems
- File systems
- HR records
All of the above items are fairly straight forward to erase data, however thought needs to be given to the order of data removal as a significant number of applications are Active Directory integrated to provide either Same Sign-On or Single Sign-On.
Outside of this, real consideration needs to be given to the 10 years worth of backups that hold Bob’s details, how does VMFocus go about restoring information of tapes and then deleting this? What are the implications in man hours to undertake such as task?
Three months after Bob requesting his personal data is removed, VMFocus is scrutinised and a specific client file and email that Bob was working on needs to be accessed. How does VMFocus go about providing these details?
From a technical perspective, these are some of the questions we need to start thinking about answering. The next few months are going to be very interesting and I expect we are going to see a few companies on the news with GDPR breaches.
VMFocus 