It’s now May 2018. The Regulation’s grace period is over on the 25th – is your company ready for GDPR? In this series of articles, I started out by trying to clarify the ambiguity of The Regulation. Last month’s article discussed the staggering fines for non-compliance. For this month, the discussion will be on the impact to the business and how technology can help in achieving compliance. Let’s start with an important process that should be a part of every company – Access Control and end with other types of technology that should be considered to meet the needs of The Regulation.
Role Based Security
As the CIO, I need to make sure that only a limited number of individuals have access to each set of data. Role-based security is a large part of the IT function. As administrators of the internal systems, it is our responsibility to make sure that only the people that ‘need to know’ are given access to the information they are allowed to process. The same scenario is carried forward throughout any organization: human resources has access to employee data, finance can view the company’s financial information, marketing and sales have a view into client information, and product development has a view into all product specifications. The same principle applies when someone changes jobs and switches departments. In your company, is there a policy in place to make sure that an individual no longer has access to the previous set of systems that process PII? In gaining compliance, you’ll need to ask who needs to know and understand the information, then who can see and access the data, and then go one step further and ask why they should have access to this data. The answers to these questions will tell you where a person resides in your organization, what their role is in processing information, and how much access they should have to someone else’s personal information.
Let’s take this example even further.
In the above example, access control was discussed. Now let’s head down the path of data minimization, which means that individuals may have access to the same data set, but with differing views that limit the information each of them can process. This is another form of access control within an application, and technology will aid in segmenting and segregating the information based on each individual’s need to view and process it.
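To make the two ideas above concrete, here is a small added illustration (it is not code from the article or from Episerver): each user holds exactly one role, each role maps to the minimum set of record fields it needs, a department move overwrites the old role so access to the previous department’s fields ends in the same step, and every view is logged. The role names, field sets and the sample employee record are all constructed for the example.

```python
"""Role-based access with field-level data minimization.

Added illustration, not code from the article: one user holds one role, each
role maps to the minimum set of fields it needs, and a department move replaces
the old role so that access to the previous department's data ends at once.
Role names, field sets and the sample record are all constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample record; every value is made up.
RECORDS: Dict[str, Dict[str, str]] = {
    "E1001": {
        "employee_id": "E1001",
        "name": "A. Example",
        "home_address": "1 Sample Street, Stockholm",
        "date_of_birth": "1980-01-01",
        "salary": "55000",
        "bank_iban": "SE00 1111 2222 3333 4444 5555",
        "work_email": "a.example@example.invalid",
    }
}

# Hypothetical roles: each sees only the fields it needs (need to know).
ROLE_VIEWS: Dict[str, FrozenSet[str]] = {
    "hr": frozenset({"employee_id", "name", "home_address", "date_of_birth"}),
    "finance": frozenset({"employee_id", "name", "salary", "bank_iban"}),
    "marketing": frozenset({"employee_id", "work_email"}),
}


class AccessDenied(Exception):
    """Raised when a user without a role asks to view a record."""


@dataclass
class Directory:
    roles: Dict[str, str] = field(default_factory=dict)  # user -> single role
    audit: List[Tuple[str, str, str, Tuple[str, ...]]] = field(default_factory=list)

    def assign(self, user: str, role: str) -> None:
        """Give a user a role. A new assignment overwrites the old one, which is
        how a department move revokes access to the previous department's fields."""
        if role not in ROLE_VIEWS:
            raise ValueError(f"unknown role {role!r}")
        self.roles[user] = role

    def revoke(self, user: str) -> None:
        """Leaver process: drop the user's role entirely."""
        self.roles.pop(user, None)

    def view(self, user: str, record_id: str) -> Dict[str, str]:
        """Return the record minimized to the fields the user's role may see,
        and log who saw which fields of which record."""
        role = self.roles.get(user)
        if role is None:
            raise AccessDenied(f"{user} holds no role")
        allowed = ROLE_VIEWS[role]
        minimized = {k: v for k, v in RECORDS[record_id].items() if k in allowed}
        self.audit.append((user, role, record_id, tuple(sorted(minimized))))
        return minimized


def demo() -> Dict[str, object]:
    """Walk one user through joining HR, moving to finance, and leaving."""
    d = Directory()
    d.assign("alice", "hr")
    hr_view = d.view("alice", "E1001")
    d.assign("alice", "finance")        # alice moves from HR to finance
    finance_view = d.view("alice", "E1001")
    d.revoke("alice")                   # alice leaves the company
    try:
        d.view("alice", "E1001")
        denied_after_revoke = False
    except AccessDenied:
        denied_after_revoke = True
    return {
        "hr": hr_view,
        "finance": finance_view,
        "denied_after_revoke": denied_after_revoke,
        "audit": d.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The important design choice is that `view` never returns the full row: the minimized dictionary is built from the role’s allow-list, so a new field added to the record is invisible to every role until someone deliberately grants it. The audit list answers the ‘who, what and why’ questions from the text after the fact.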
The use of automation
When processing a Right to be Forgotten SAR (Subject Access Request), the IT team may have to help in processing the SAR by accessing an application or storage device to delete the data subject’s personal information. In this example, let’s say that an EU Official then sends in another request, asking for information on the same data subject. The EU Official’s request trumps the data subject’s request, especially if the reason is based on a court, police or legal entity (for a criminal investigation and the prevention of threats to public security). The data that was previously deleted now needs to be restored. Easy, right? Well, from a file perspective, it’s a backup and recovery process. But for an application, it’s harder to restore the database and logging files. Now, to add to the complexity of this example, once the EU official has satisfied their need for the data subject’s personal information, the original SAR comes back into play, and you’ll need to determine where the data resides all over again and go ahead and delete it once more. If the request was a bulk delete, again automation would be key. For information that was deleted as a part of a Right to be Forgotten SAR, unless the data subject provides consent (again) to process their information, your systems will need to be smart enough to know that the data subject’s information should no longer be processed. This scenario could happen if a restore occurred after the data subject’s information was deleted.
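The scenario above is easier to automate if erasure is recorded in a register that outlives the data itself. The following added example (not code from the article) models that flow in memory: a subject is erased, a backup taken earlier is restored, the restore re-applies the register so the erased subject does not silently reappear, a legal hold lets that one subject come back for the official request, and releasing the hold deletes the data once more. The register holds a keyed hash of the subject identifier rather than the identifier itself, so the ‘do not process’ list does not re-create the PII it exists to suppress; the key, identifiers and rows are constructed placeholders.

```python
"""Erasure register that survives a restore from backup.

Added example, not the article's own code. The register stores an HMAC of each
erased subject's identifier (hypothetical key below), so it can be kept for a
long time without itself holding personal data in the clear.
"""
import copy
import hashlib
import hmac
from typing import Dict, List, Optional, Set, Tuple

REGISTER_KEY = b"hypothetical-register-key"  # placeholder; keep out of source in real use


def subject_tag(subject_id: str) -> str:
    """Keyed hash so the erasure register lists no identifier in the clear."""
    return hmac.new(REGISTER_KEY, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


class Store:
    def __init__(self, rows: Dict[str, Dict[str, str]]):
        self.rows = copy.deepcopy(rows)
        self.erased: Set[str] = set()   # tags of subjects who exercised erasure
        self.held: Set[str] = set()     # tags currently under a legal hold
        self.log: List[Tuple[str, str]] = []

    def snapshot(self) -> Dict[str, Dict[str, str]]:
        """Stand-in for a backup taken at this moment."""
        return copy.deepcopy(self.rows)

    def erase(self, subject_id: str) -> bool:
        """Right to be Forgotten: delete the row and remember that we did."""
        tag = subject_tag(subject_id)
        removed = self.rows.pop(subject_id, None) is not None
        self.erased.add(tag)
        self.log.append(("erase", tag))
        return removed

    def place_hold(self, subject_id: str) -> None:
        """Official request: allow this one subject's data to be restored."""
        tag = subject_tag(subject_id)
        self.held.add(tag)
        self.log.append(("hold", tag))

    def restore(self, snapshot: Dict[str, Dict[str, str]]) -> int:
        """Load a backup, then re-apply the register. Only held subjects come back.
        Returns how many erased rows had to be deleted again."""
        self.rows = copy.deepcopy(snapshot)
        redeleted = 0
        for sid in list(self.rows):
            tag = subject_tag(sid)
            if tag in self.erased and tag not in self.held:
                del self.rows[sid]
                redeleted += 1
        self.log.append(("restore", str(redeleted)))
        return redeleted

    def release_hold(self, subject_id: str) -> None:
        """The official's need is satisfied: the original SAR applies again."""
        tag = subject_tag(subject_id)
        self.held.discard(tag)
        if tag in self.erased:
            self.rows.pop(subject_id, None)
        self.log.append(("release", tag))

    def process(self, subject_id: str) -> Optional[Dict[str, str]]:
        """Ordinary processing refuses erased subjects unless a hold is in place."""
        tag = subject_tag(subject_id)
        if tag in self.erased and tag not in self.held:
            raise PermissionError("subject exercised erasure; fresh consent required")
        return self.rows.get(subject_id)

    def reconsent(self, subject_id: str, row: Dict[str, str]) -> None:
        """Subject consents again: clear the register entry and accept new data."""
        self.erased.discard(subject_tag(subject_id))
        self.rows[subject_id] = dict(row)


def demo() -> Dict[str, object]:
    store = Store({"DS-1": {"name": "A. Example"}, "DS-2": {"name": "B. Example"}})
    backup = store.snapshot()                       # backup taken before the SAR
    store.erase("DS-1")                             # Right to be Forgotten
    redeleted_plain = store.restore(backup)         # restore without a hold: 1 re-deleted
    present_plain = "DS-1" in store.rows            # False
    store.place_hold("DS-1")                        # EU official's request arrives
    redeleted_hold = store.restore(backup)          # 0: held subject comes back
    visible_during_hold = store.process("DS-1") is not None
    store.release_hold("DS-1")                      # official done; SAR applies again
    present_after_release = "DS-1" in store.rows    # False
    try:
        store.process("DS-1")
        blocked = False
    except PermissionError:
        blocked = True
    return {"redeleted_plain": redeleted_plain, "present_plain": present_plain,
            "redeleted_hold": redeleted_hold, "visible_during_hold": visible_during_hold,
            "present_after_release": present_after_release, "blocked": blocked,
            "other_untouched": "DS-2" in store.rows}


if __name__ == "__main__":
    print(demo())
```

In a real system the register would be the thing every restore job and every ingestion pipeline consults, which is what lets a bulk delete be repeated mechanically rather than rediscovered by hand each time.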
Security and data breaches
Personal data breaches are defined in Article 55 as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. If your company is not employing solid security practices like real-time anti-virus, anti-malware and anti-spyware protection, firewalls with the latest software patches, physical security (cameras, locked doors, card entry and alarm systems) and the decommissioning and wiping of storage devices, then you could be liable in the event of a breach that causes damage to a data subject.
Pseudonymizing a data set is a privacy-enhancing technique where directly identifying information is held separately and securely from the processed data, so that a data subject cannot be identified from the processed data on its own. This is another way of anonymizing data and is achieved when the data cannot be associated with the original person.
Recital 28 recognizes that the use of pseudonymization technology can reduce risks to the data subjects, but it is not on its own a sufficient technique to exempt data from the scope of The Regulation. The controller still needs consent to process and retain PII.
Recital 26 states that personal data which has been pseudonymized, but for which additional information still exists that could attribute it to a natural person, is still considered PII.
Other technical approaches to anonymizing data include tokenization, where data is broken down into smaller pieces and each piece is replaced with a token representing a word or phrase; data masking, where information is scrambled, hashed or blurred; and encryption, where data is rendered unreadable until a key is used to unlock (decrypt) the information. Databases should use encryption as one way to achieve compliance with The Regulation.
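As an added example for the pseudonymization and masking passages above (my own illustration, not code from the article), the block below splits a constructed customer table into a processing set with no direct identifiers and a separate vault that maps each pseudonym back to the identifiers. The pseudonym is a keyed hash (HMAC) rather than a plain hash, so it cannot be recomputed from a guessed e-mail address without the key; the key and the vault are what make the processing set ‘attributable to a natural person’ again, which is why Recital 26 still treats the combination as PII. The masking helpers show the blurred view a support desk might get. Key, field names and rows are all constructed.

```python
"""Pseudonymization with a separately held re-identification vault, plus masking.

Added example, not from the article. The processing set keeps no direct
identifiers; the vault (pseudonym -> identifiers) and the HMAC key are meant to
be stored apart from it, because processing set + vault together are still
personal data. Key, field names and sample rows are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample rows; every value is made up.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"name": "A. Example", "email": "a.example@example.invalid",
     "bank_iban": "SE00 1111 2222 3333 4444 5555", "country": "SE", "orders": "3"},
    {"name": "B. Example", "email": "b.example@example.invalid",
     "bank_iban": "DE00 1111 2222 3333 4444 55", "country": "DE", "orders": "1"},
]

# Fields that identify a person directly; they are moved out of the processing set.
DIRECT_IDENTIFIERS = ("name", "email", "bank_iban")


def make_key() -> bytes:
    """Fresh random key for the pseudonym HMAC; store it with the vault, not the data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Keyed hash of an identifier. Unlike a plain SHA-256 of an e-mail address,
    it cannot be recomputed from a guessed value by anyone who lacks the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "ps_" + digest[:24]


def pseudonymize(rows: List[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Return (processing_set, vault). The processing set carries only a pseudonym
    and the non-identifying fields; the vault maps pseudonym -> direct identifiers."""
    processing: List[Dict[str, str]] = []
    vault: Dict[str, Dict[str, str]] = {}
    for row in rows:
        ps = pseudonym(key, row["email"])   # one stable pseudonym per subject
        vault[ps] = {f: row[f] for f in DIRECT_IDENTIFIERS if f in row}
        kept = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        processing.append({"subject": ps, **kept})
    return processing, vault


def reidentify(vault: Dict[str, Dict[str, str]], ps: str) -> Optional[Dict[str, str]]:
    """Only a party holding the vault can turn a pseudonym back into a person."""
    return vault.get(ps)


def mask_iban(iban: str) -> str:
    """Keep the country code and last four characters, blur the rest."""
    compact = iban.replace(" ", "")
    return compact[:2] + "*" * (len(compact) - 6) + compact[-4:]


def mask_email(email: str) -> str:
    """Keep the first character of the local part and the domain."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "***"
    return local[:1] + "***@" + domain


def masked_view(vault: Dict[str, Dict[str, str]], ps: str) -> Dict[str, str]:
    """What a support agent might see: re-identified through the vault, but masked."""
    orig = vault[ps]
    return {"email": mask_email(orig["email"]), "bank_iban": mask_iban(orig["bank_iban"])}


if __name__ == "__main__":
    k = make_key()
    proc, vault = pseudonymize(SAMPLE_ROWS, k)
    print(proc)                                   # no names, e-mails or IBANs
    print(masked_view(vault, proc[0]["subject"]))
```

Two points worth noting from the code: the analytics team can join and count on `subject` without ever holding the vault, and rotating the key gives a fresh, unlinkable set of pseudonyms, which is a useful lever when a data set is shared with a new processor.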
The technologies in this article are a few ways to help your company achieve compliance, and technology needs to be paired with process and procedure. GDPR is a complex law and when in doubt, please seek the advice of legal counsel.
©2018 All Rights Reserved
Sue Bergamo is the CIO & CISO at Episerver, a global digital commerce company. She can be reached at firstname.lastname@example.org.
*The content within this article represents the sole opinions of the author.