GDPR Part III: Technology Is Your Friend

It’s now May 2018. The Regulation’s grace period ends on the 25th. Is your company ready for GDPR? In this series of articles, I started out by trying to clarify the ambiguity of The Regulation. Last month’s article discussed the staggering fines for non-compliance. This month the discussion turns to the impact on the business and how technology can help in achieving compliance. Let’s start with a process that should be part of every company, access control, and end with other types of technology that should be considered to meet the needs of The Regulation.

Role Based Security

As the CIO, I need to make sure that only a limited number of individuals have access to each set of data. Role-based security is a large part of the IT function. As administrators of the internal systems, it is our responsibility to make sure that only the people who need to know are given access to the information they process, and nothing more. The same principle applies throughout the organization: human resources has access to employee data, finance can view the company’s financial information, marketing and sales have a view into client information, and product development has a view into product specifications. It also applies when someone changes jobs and switches departments. In your company, is there a policy that removes an individual’s access to the systems they used to work with that process PII, rather than simply adding the new department’s access on top of the old? In gaining compliance, you’ll need to ask who needs to know and understand the information, who can see and access the data, and then go one step further and ask why they should have access to it at all. The answers to these questions tell you where a person sits in your organization, what their role is in processing information, and how much access they should have to someone else’s personal information. Record those answers per role rather than per person, and review them on a schedule; an access review that nobody actually performs is not a control.

Let’s take this example a step further.

Access control decides who may open a data set at all. Data minimization, one of the principles in Article 5(1)(c) of The Regulation, goes further: individuals may work from the same data set, but each sees a view that contains only the fields their task requires. This is another form of access control, applied inside the application rather than at the door, and technology will aid in segmenting and segregating the information according to each individual’s need to view and process it. A field that no role needs to see is a field you should question collecting at all.
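As an added example of role-based, minimized views (this code is mine, not the article’s; the roles, purposes, field names and the sample record are assumptions made for illustration), here is a deny-by-default policy in Python in which a transfer replaces the previous role instead of stacking access, an access review lists who holds what and why, and a check reports fields that no role is allowed to use:

```python
"""Role-based, deny-by-default views of one customer record.

Added example, not code from the article: the roles, purposes, field names
and the sample record are assumptions made for illustration.
"""

# Constructed sample record for one data subject (not real data).
RECORD = {
    "customer_id": 1042,
    "full_name": "A. Example",
    "email": "a.example@example.org",
    "shipping_address": "1 Example Street, Example City",
    "order_history": ["ORD-1", "ORD-2"],
    "payment_card_last4": "4242",
    "date_of_birth": "1980-01-01",
    "support_notes": "prefers contact by email",
}

# Policy: for each role, the fields it may process and the purpose that
# justifies the grant (the "why" the article asks for). Unlisted fields are
# denied; there is no wildcard.
ROLE_POLICY = {
    "sales": {
        "purpose": "account management",
        "fields": {"customer_id", "full_name", "email", "order_history"},
    },
    "support": {
        "purpose": "resolving support tickets",
        "fields": {"customer_id", "full_name", "email",
                   "shipping_address", "support_notes"},
    },
    "finance": {
        "purpose": "billing and refunds",
        "fields": {"customer_id", "order_history", "payment_card_last4"},
    },
}


class AccessDirectory:
    """Who holds which role, and the minimized view each role gets."""

    def __init__(self, policy):
        self.policy = policy
        self.assignments = {}  # user -> single current role

    def assign(self, user, role):
        """Assign a role. A transfer replaces the old role rather than adding
        to it, so access to the previous department's data ends. Returns the
        role that was revoked, or None."""
        if role not in self.policy:
            raise ValueError(f"unknown role: {role}")
        previous = self.assignments.get(user)
        self.assignments[user] = role
        return previous

    def view(self, user, record):
        """The record as this user may see it. No role means no fields."""
        role = self.assignments.get(user)
        if role is None:
            return {}
        allowed = self.policy[role]["fields"]
        return {k: v for k, v in record.items() if k in allowed}

    def access_review(self):
        """Rows for a periodic access review: user, role, purpose."""
        return sorted(
            (user, role, self.policy[role]["purpose"])
            for user, role in self.assignments.items()
        )

    def fields_nobody_needs(self, record):
        """Fields no role is allowed to process: candidates for not
        collecting them at all, or for deletion (data minimization)."""
        needed = set().union(*(p["fields"] for p in self.policy.values()))
        return sorted(set(record) - needed)
```

In this model the date of birth is collected but no role may see it, which is the signal to stop collecting it; and when a support agent moves to finance, the support notes and shipping address disappear from their view in the same call that grants the billing fields.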

The use of automation

When processing a right to be forgotten request (the right to erasure in Article 17; in practice such requests often arrive through the same channel as a Subject Access Request, or SAR), the IT team may have to help by going into an application or storage device to delete the data subject’s personal information. Now suppose an EU official then sends in another request asking for information on the same data subject. The official’s request can take precedence over the data subject’s, especially if it is based on a court order or comes from the police or another legal authority (for a criminal investigation or the prevention of threats to public security). The data that was previously deleted now needs to be restored. Easy, right? From a file perspective it is a backup and recovery process, but for an application it is harder: the database, its logs, and any derived copies such as search indexes and reports all have to be restored consistently. To add to the complexity, once the official’s need has been satisfied the original request comes back into play, and you’ll need to work out where the data resides all over again and delete it once more. If the request was a bulk delete, automation is key. And unless the data subject consents again to the processing of their information, your systems will need to be smart enough to know that a subject whose data was erased should not be processed again. That is exactly what goes wrong when a backup taken before the erasure is restored after it: the deleted records quietly return. The practical safeguard is to keep a record of completed erasures apart from the data itself and to reconcile every restore and every new intake against it, rather than trusting that the original deletion was the last word.
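The restore-and-erase-again scenario above, as an added example in Python (my code, not the article’s): completed erasures are kept as keyed tombstones apart from the data, every restore and every new intake is reconciled against them, a hold from an authority suspends the erasure and brings the records back from backup, and lifting the hold re-applies the original request. The tombstone key, the record layout and the sample records are assumptions.

```python
"""Erasure that survives restores and legal holds.

Added example, not code from the article. TOMBSTONE_KEY, the record layout
and the sample records are assumptions made for illustration.
"""
import hashlib
import hmac

# Secret for keying the tombstone list, assumed to be held outside the data
# store (e.g. in a secrets manager) so the list does not identify anyone on
# its own.
TOMBSTONE_KEY = b"example-tombstone-key-replace-me"


def subject_key(email):
    """Keyed hash of the normalized identifier: stable across spellings,
    but not reversible without the key."""
    normalized = email.strip().lower().encode()
    return hmac.new(TOMBSTONE_KEY, normalized, hashlib.sha256).hexdigest()


class PersonalDataStore:
    def __init__(self, records):
        self.records = {r["id"]: dict(r) for r in records}
        self.tombstones = {}  # subject_key -> reason erasure was requested
        self.holds = set()    # subject_keys whose erasure is suspended

    def _ids_for(self, key):
        return [i for i, r in self.records.items()
                if subject_key(r["email"]) == key]

    def _purge(self, key):
        for i in self._ids_for(key):
            del self.records[i]

    def has_subject(self, email):
        return bool(self._ids_for(subject_key(email)))

    def erase(self, email, reason="right to be forgotten request"):
        """Record the erasure as a tombstone, then delete unless a hold is
        in force. Returns True if the data was deleted now."""
        key = subject_key(email)
        self.tombstones[key] = reason
        if key in self.holds:
            return False
        self._purge(key)
        return True

    def restore_from_backup(self, backup_records):
        """Merge a backup, re-applying completed erasures: a tombstoned
        subject stays erased unless a hold currently requires the data."""
        restored = 0
        for r in backup_records:
            key = subject_key(r["email"])
            if key in self.tombstones and key not in self.holds:
                continue
            if r["id"] not in self.records:
                self.records[r["id"]] = dict(r)
                restored += 1
        return restored

    def place_hold(self, email, backup_records):
        """A lawful request for the subject's data: suspend erasure and bring
        only that subject's records back from backup. Returns the count."""
        key = subject_key(email)
        self.holds.add(key)
        subject_only = [r for r in backup_records
                        if subject_key(r["email"]) == key]
        return self.restore_from_backup(subject_only)

    def lift_hold(self, email):
        """When the hold ends, the original erasure request applies again."""
        key = subject_key(email)
        self.holds.discard(key)
        if key in self.tombstones:
            self._purge(key)
            return True
        return False

    def ingest(self, record):
        """New data for an erased subject is refused until they consent
        again; otherwise the intake path silently undoes the erasure."""
        if subject_key(record["email"]) in self.tombstones:
            return False
        self.records[record["id"]] = dict(record)
        return True

    def reconsent(self, email):
        """Subject consents again: lift the tombstone so processing may resume."""
        return self.tombstones.pop(subject_key(email), None) is not None
```

The tombstone list is the piece most teams forget: without it a full restore, a replayed event stream or a nightly import from a partner system will bring the subject back, and nobody will notice until the next complaint.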

Security and data breaches

Personal data breaches are defined in Article 4(12) as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Note how broad that is: ransomware that encrypts a file share (loss), a misdirected e-mail (disclosure) and a lost unencrypted laptop (access) are all breaches, not only the headline intrusion. If your company is not employing solid security practices such as real-time anti-virus, anti-malware and anti-spyware protection, firewalls and systems kept current with security patches, physical security (cameras, locked doors, card entry and alarm systems), and the decommissioning and wiping of storage devices, then you could be liable in the event of a breach that causes damage to a data subject. Article 32 calls these appropriate technical and organisational measures, and Article 33 gives you 72 hours from becoming aware of a breach to notify the supervisory authority, so detection and logging belong on this list alongside prevention.

Pseudonymization

Pseudonymizing a data set is a privacy-enhancing technique in which the directly identifying information (names, e-mail addresses, account numbers) is replaced by a pseudonym, and the information needed to reverse that replacement is held separately and securely from the processed data, so that the people working on the data cannot identify the data subject from it. It is not the same as anonymization: pseudonymized data can still be linked back to the original person by anyone who holds the separately kept key or lookup table, whereas data is only anonymous when that link is no longer possible for anyone. One practical caveat: a plain, unkeyed hash of an e-mail address or ID number is a poor pseudonym, because the space of possible inputs is small enough to guess; use a keyed hash or a random token, with the key or the mapping stored apart from the data.

Recital 28 recognizes that the use of pseudonymization can reduce the risks to data subjects and help controllers meet their obligations, but it is not on its own sufficient to take the data out of the scope of The Regulation. The controller still needs a lawful basis under Article 6 (consent being one of them) to process and retain the PII.

Recital 26 states that personal data which has undergone pseudonymization, and which could be attributed to a natural person by the use of additional information, should still be treated as information about an identifiable person, that is, as PII. Only data that is truly anonymous, where the subject is not or no longer identifiable, falls outside The Regulation.

Other technical approaches that reduce what can be learned from a data set include tokenization, where a sensitive value such as a card number is replaced by a random surrogate token and the mapping from token back to value is kept in a separate, tightly controlled vault; data masking, where information is partially hidden, scrambled or blurred for display (the last four digits of a card, the first letter of a name); and encryption, where data is rendered unreadable until a key is used to decrypt it. None of these makes data anonymous, since the vault, the original or the key can reverse them, but Article 32 names pseudonymization and encryption explicitly as security measures, and under Article 34 a breach of data that was properly encrypted may not have to be notified to the affected data subjects. Databases holding personal data should use encryption, with the keys managed outside the database, as one way to achieve compliance with The Regulation.
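The pseudonymization, tokenization and masking techniques above, as an added example in Python (my code, not the article’s; the key, the vault layout and the sample records are assumptions). It keeps the linking information out of the processing copy, shows that re-identification needs that information (which is why the copy is still personal data), and shows why an unkeyed hash is not a pseudonym. Encryption is left to a vetted library and is not reimplemented here.

```python
"""Pseudonymization, tokenization and masking with the linking information
held apart from the processing dataset.

Added example, not code from the article. PSEUDONYM_KEY, the record layout
and the sample records are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets

# Key for pseudonyms: the "additional information" of Recital 26. Assumed to
# live in a separate, access-controlled system, never beside the dataset.
PSEUDONYM_KEY = b"example-pseudonym-key-replace-me"

# Constructed sample records (not real people or real card numbers).
SAMPLE = [
    {"email": "alice@example.org", "card": "4111111111111111",
     "country": "DE", "spend": 120},
    {"email": "bob@example.org", "card": "5500000000000004",
     "country": "FR", "spend": 80},
]


def pseudonymize(identifier, key):
    """Keyed pseudonym: the same identifier always maps to the same value,
    so records can still be linked, but without the key it is neither
    reversible nor guessable."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def weak_pseudonym(identifier):
    """What NOT to do: an unkeyed hash. E-mail addresses come from a
    guessable space, so this is reversible by dictionary."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def dictionary_reidentify(pseudonyms, candidates, fn):
    """Attacker's view: hash each candidate identifier and look for hits."""
    return {fn(c): c for c in candidates if fn(c) in pseudonyms}


class TokenVault:
    """Tokenization: a random surrogate stands in for the real value; the
    token-to-value map is the only way back and never leaves the vault."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(8)
            self._by_token[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def detokenize(self, token):
        return self._by_token[token]


def mask_email(email):
    """Masking for display: enough to recognize, not enough to contact."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_card(pan):
    return "*" * (len(pan) - 4) + pan[-4:]


def to_processing_dataset(records, key, vault):
    """The copy analysts work on: no e-mail, no card number, only what the
    purpose needs plus a pseudonym for linking."""
    return [
        {
            "subject": pseudonymize(r["email"], key),
            "card_token": vault.tokenize(r["card"]),
            "country": r["country"],
            "spend": r["spend"],
        }
        for r in records
    ]


def reidentify(processed, key, originals):
    """Possible only for whoever holds both the key and the original
    identifiers, which is why the processed copy is still personal data."""
    for o in originals:
        if pseudonymize(o["email"], key) == processed["subject"]:
            return o
    return None
```

The separation is the whole point: the team that runs reports gets the processing copy and nothing else, the key and the vault sit with a small group under their own access control, and a breach of the processing copy alone exposes neither e-mail addresses nor card numbers.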

The technologies in this article are a few of the ways to help your company achieve compliance, and technology needs to be paired with process and procedure. GDPR is a complex law, and when in doubt, please seek the advice of legal counsel.

©2018 All Rights Reserved

Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at sue.bergamo@episerver.com.

*The content within this article is the sole opinion of the author.

