With the arrival of GDPR, ‘Privacy by Design’ has become a new and important requirement for systems in which privacy-sensitive data are processed. This not only means that such systems must handle personal data securely, but that data may only be collected for a specific purpose. With the advent of data platforms, a requirement has emerged to systematically and centrally manage the current and future data in information systems. The availability of a centrally managed data platform to ensure security as well as legal and policy compliance is a logical and important development.
‘The InformationGrid’ is a Data Platform that is designed with security and privacy as important starting points. It also provides a number of features and functions that make the implementation of systems that meet the demands of the GDPR clear, manageable and traceable.
The design of the InformationGrid is based on the premise that reality (and hence, the data associated with it) evolves over time, and that systems must be able to deal with this evolution. The InformationGrid therefore uses centralized definitions of information based on schemas and attributes. By managing these schemas and attributes, the evolution of data can take place in a controlled and traceable way. To allow data to evolve, the InformationGrid provides multiple features that support the GDPR’s requirements for transparency, traceability and the right to be forgotten, including:
The InformationGrid registers the times and conditions under which information is created, modified or deleted. Traceability is achieved through a combination of two techniques. First, a classic audit trail is maintained by means of a declarative model: the InformationGrid keeps track of extra information about the use of the data without the need for extra programming effort. Second, the InformationGrid supports application development based on “event sourcing”, whereby the traceability of data is an integral aspect of the storage form of the data (events).
Next to registering the creation and modification of data, it is essential to manage who has access to specific data and the circumstances under which such access is available. The InformationGrid achieves this with conditional authorization rules: access to personal data is not only restricted to functional roles, but is conditional upon location(s) and time(s), and optionally other factors. This provides access rules that are dynamic and can evolve over time, while providing insight into the prevalent rules, organization structure and procedures at the time that information was created or modified. The InformationGrid uses a declarative technique for Attribute Based Access Control (ABAC) to offer a traceable authorization mechanism. ABAC uses authorization rules based on attributes (properties) of the requester, the information, the action and the context to determine whether the requester is allowed to perform the action. The InformationGrid also supports Role Based Access Control (RBAC), a variant in which roles and authorization rules are used.
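The conditional, declarative authorization described above, as an added example that is not InformationGrid code: rules are plain data listing the attribute conditions on action, resource, subject and context (location, time of day, organisation) that must all hold; access is denied unless some rule grants it, and the granting rule's id is returned so each decision can be traced back to the rule in force. RBAC appears as the special case of a rule that tests only the subject's role. The rule format, attribute names and sample subjects are assumptions made for the example.

```python
# Added example, not InformationGrid code: a minimal declarative ABAC
# evaluator. Rules are data, not code; each rule lists the attribute
# conditions that must all hold. Rule format and names are assumptions.
from datetime import datetime, time

POLICY = [
    {
        "id": "nurse-reads-record-on-ward-during-shift",
        "action": {"read"},
        "resource_type": {"patient_record"},
        "subject_role": {"nurse"},
        "context_location": {"ward-A", "ward-B"},
        "context_time": (time(7, 0), time(19, 0)),  # shift hours only
        "require_same_org": True,
    },
    {
        "id": "doctor-reads-writes-record",
        "action": {"read", "write"},
        "resource_type": {"patient_record"},
        "subject_role": {"doctor"},
        "require_same_org": True,
    },
    {   # plain RBAC: only the role attribute is tested
        "id": "auditor-reads-audit-trail",
        "action": {"read"},
        "resource_type": {"audit_trail"},
        "subject_role": {"auditor"},
    },
]


def rule_matches(rule, subject, resource, action, context):
    """True when every condition present in the rule holds for this request."""
    if action not in rule["action"]:
        return False
    if resource["type"] not in rule["resource_type"]:
        return False
    if subject["role"] not in rule["subject_role"]:
        return False
    if "context_location" in rule and context["location"] not in rule["context_location"]:
        return False
    if "context_time" in rule:
        start, end = rule["context_time"]
        if not start <= context["time"].time() <= end:
            return False
    if rule.get("require_same_org") and subject["org"] != resource["org"]:
        return False
    return True


def authorize(subject, resource, action, context, policy=POLICY):
    """Deny by default. Returns (allowed, rule_id) so the decision is traceable."""
    for rule in policy:
        if rule_matches(rule, subject, resource, action, context):
            return True, rule["id"]
    return False, None


# Constructed sample subjects, resources and request contexts.
NURSE = {"role": "nurse", "org": "hospital-1"}
DOCTOR = {"role": "doctor", "org": "hospital-1"}
AGENCY_NURSE = {"role": "nurse", "org": "agency-2"}
RECORD = {"type": "patient_record", "org": "hospital-1"}
AUDIT_TRAIL = {"type": "audit_trail", "org": "hospital-1"}
CTX_DAY_WARD = {"location": "ward-A", "time": datetime(2024, 5, 1, 10, 0)}
CTX_NIGHT_WARD = {"location": "ward-A", "time": datetime(2024, 5, 1, 22, 30)}
CTX_DAY_OFFSITE = {"location": "home", "time": datetime(2024, 5, 1, 10, 0)}

if __name__ == "__main__":
    for who, what, action, ctx in [
        (NURSE, RECORD, "read", CTX_DAY_WARD),
        (NURSE, RECORD, "read", CTX_NIGHT_WARD),
        (NURSE, RECORD, "read", CTX_DAY_OFFSITE),
        (AGENCY_NURSE, RECORD, "read", CTX_DAY_WARD),
        (DOCTOR, RECORD, "write", CTX_DAY_OFFSITE),
    ]:
        print(who["role"], action, what["type"], ctx["location"],
              "->", authorize(who, what, action, ctx))
```

Because the policy is data, the version of `POLICY` that was in force can be stored alongside the audit trail, which is what makes a past decision explainable later: the same request evaluated against the same rule list gives the same answer and the same rule id.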
In the application landscape of most companies, storage solutions are selected taking into account the volume(s) and nature of different data types as well as other factors, e.g. frequency of access, frequency of updates and the distribution of access locations. The InformationGrid therefore supports multiple data storage technologies, so that storage solutions can be chosen based upon their suitability for different types of data. Because the security and privacy features of the InformationGrid sit above the level of the individual databases, it is possible to use different databases and still meet the demands of the GDPR.
The right to be forgotten and the right to transfer can be a challenge when building systems that also offer statistical or analytical overviews from a historical perspective. This issue can be resolved by anonymizing or pseudonymizing data. The most significant difference between the two is that pseudonymization is reversible and anonymization is not. Whereas GDPR covers anonymized data, it does not apply to pseudonymous data. When pseudonymizing data, the part of the data that allows an individual to be identified is replaced through encryption (a pseudonym is created). When anonymizing data, the personal data is transformed so that it is no longer possible to identify a natural person on the basis of that data. The InformationGrid contains mechanisms for both techniques.
The InformationGrid allows information types to be identified as ‘Personally Identifiable Information (PII)’ or ‘Sensitive Personal Information (SPI)’ through an attribute in that information’s definition (schema). The InformationGrid applies the correct pseudonymisation and anonymisation on the basis of these attributes.
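The two preceding paragraphs (reversible pseudonymisation versus irreversible anonymisation, driven by PII/SPI tags in the schema) as one added example; this is not InformationGrid code. The schema marks each field as PII (a direct identifier), SPI (sensitive content), a quasi-identifier (identifying only in combination) or neutral. Pseudonymisation is implemented here as a keyed token vault (HMAC-derived tokens plus a separately held mapping) rather than the encryption the text mentions; that choice, the field names, the tags, the key and the sample records are all assumptions. The vault holder can reverse it, anonymisation cannot be reversed, and dropping a subject's vault entries turns their pseudonymised history into data that can no longer be resolved to a person while it stays usable for statistics.

```python
# Added example, not InformationGrid code. Tags, field names, key and
# records are constructed for illustration.
import hashlib
import hmac

# Schema: each attribute carries a data-classification tag.
SCHEMA = {
    "patient_id": {"class": "PII"},
    "name": {"class": "PII"},
    "diagnosis": {"class": "SPI"},
    "birth_year": {"class": "quasi", "generalize": "decade"},
    "postcode": {"class": "quasi", "generalize": "prefix3"},
    "visits": {"class": "none"},
}


def pseudonymize(records, key, schema=SCHEMA):
    """Replace each PII value with a keyed token; return (records, vault).
    Same key and value give the same token, so joins across records still work."""
    vault, out = {}, []
    for rec in records:
        new = dict(rec)
        for field, value in rec.items():
            if schema[field]["class"] == "PII":
                msg = f"{field}:{value}".encode()
                token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
                vault[(field, token)] = value
                new[field] = token
        out.append(new)
    return out, vault


def depseudonymize(records, vault, schema=SCHEMA):
    """Reverse the mapping; tokens no longer in the vault are left as tokens."""
    out = []
    for rec in records:
        new = dict(rec)
        for field, value in rec.items():
            if schema[field]["class"] == "PII":
                new[field] = vault.get((field, value), value)
        out.append(new)
    return out


def forget(vault, pseudo_record, schema=SCHEMA):
    """Right to be forgotten: remove this record's vault entries so its tokens
    can never again be resolved to a person; the record itself stays for statistics."""
    for field, value in pseudo_record.items():
        if schema[field]["class"] == "PII":
            vault.pop((field, value), None)


def anonymize(records, schema=SCHEMA):
    """Drop PII, generalise quasi-identifiers, keep SPI and neutral fields.
    There is no vault, so nothing can be restored."""
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            cls = schema[field]["class"]
            if cls == "PII":
                continue                      # suppress outright
            if cls == "quasi":
                how = schema[field]["generalize"]
                if how == "decade":
                    value = (value // 10) * 10
                elif how == "prefix3":
                    value = value[:3] + "*" * (len(value) - 3)
            new[field] = value
        out.append(new)
    return out


KEY = b"constructed-demo-key-not-for-real-use"
RECORDS = [  # constructed sample data
    {"patient_id": "P-1001", "name": "Anna Example", "diagnosis": "J45",
     "birth_year": 1984, "postcode": "1234AB", "visits": 3},
    {"patient_id": "P-1002", "name": "Bert Example", "diagnosis": "E11",
     "birth_year": 1971, "postcode": "5678CD", "visits": 1},
]

if __name__ == "__main__":
    pseudo, vault = pseudonymize(RECORDS, KEY)
    print("pseudonymised:", pseudo)
    print("restored equals original:", depseudonymize(pseudo, vault) == RECORDS)
    forget(vault, pseudo[0])
    print("after forget:", depseudonymize(pseudo, vault))
    print("anonymised:", anonymize(RECORDS))
```

The split between the token stream and the vault is the whole point of the design: the analytical store only ever holds tokens and generalised values, and re-identification requires access to the vault, which can be guarded by the authorization rules of the platform and emptied per subject on request.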