Long live citizens’ privacy: GDPR in short

GDPR (General Data Protection Regulation) will take effect on May 25th, 2018; it provides the most far-reaching protection of EU citizens’ privacy ever. GDPR regulates both the content and management of data and its transparency and portability. The regulation has major consequences for companies and governmental organizations that process privacy-sensitive data, including their information systems, data storage and operational processes. What does this mean for existing and future IT systems development?

Does this privacy law apply to every organization?

No. Although this privacy legislation makes a very clear statement about the protection of EU citizens, it also makes clear which organizations must comply with it. These are: government bodies, public organizations and any organization or business whose core activities involve the large-scale tracking, following, or processing of personal data. All organizations that fall within this definition must meet a number of requirements (see: the GDPR explained) and be able to demonstrate that their information architecture is safe.

Example: Alice applies for a mortgage

To illustrate how GDPR may impact information systems, in this example Alice is applying for a mortgage for a new home and requests advice from an independent intermediary/advisor. The advisor needs to discuss and understand a range of personal information in order to recommend the best available product for Alice’s situation. The advisor may, furthermore, request quotations from mortgage providers, based on Alice’s circumstances. This process can raise a number of interesting questions from a GDPR perspective:

  • Which parties have stored personal information about Alice in this process?
  • How can Alice find out where, and by whom this information is stored?
  • Do all parties involved meet the demands of the GDPR legislation?
  • How can Alice ensure that personal information that parties store about her can also be deleted?

A new starting point: “Privacy by design”

The GDPR legislation emphasizes the fact that the architecture and design of information systems must embody the concept of ‘privacy by design’. This applies to the security and privacy of the information itself as well as to the design of all relevant management processes and procedures. The serious impact that this has on all life-cycle phases of information systems that contain privacy-sensitive information is one of the biggest challenges for most organizations, whose information infrastructures have generally been designed without taking this new legislation into account.

The Internet, Cloud Computing and rapidly evolving new business models have already made organizations’ application landscapes more complex. The additional pressure resulting from the accelerating development of new products, services and forms of (inter)organizational cooperation continues to present the Enterprise-IT field with new challenges. Despite the pressure of ever-changing customer interaction and requirements, all of which impact existing systems and processes, the challenges presented by GDPR will need to be answered.

Data platforms: privacy and data-security

Ensuring security and privacy as an “add-on” or an afterthought has proved to be ineffective and difficult to manage. Experience has furthermore taught us that such needs are best not addressed on a separate system-by-system basis. This has led to the emergence of new design approaches at an architectural level and the development of new technology elements that provide integral solutions to the underlying challenges while precluding the problems that generally result from inconsistent approaches.

The need for a consistent, systematic way of addressing security and privacy was one of the underlying concepts when Luminis created the InformationGrid, a technological interpretation of both defensive and offensive data strategies. Security and Privacy-by-Design were fundamental architectural starting points. The InformationGrid is a data platform that provides a solid basis for the design and development of information systems that meet the demands of the GDPR; its important features related to privacy and security include:

  • Traceability: a register of who has created, modified or deleted information, when, and for which purpose.
  • Attribute-based authorization: a declarative and fully traceable authorization mechanism for accessing all data, under predefined circumstances.
  • Polyglot data storage: The InformationGrid supports a large collection of storage technologies. It enforces an unambiguous and traceable security and privacy design. This makes it possible to determine which storage technologies are best suited for any specific type of information, as opposed to using technology-led approaches.
  • Anonymizing / pseudonymizing data: secure mechanisms for the pseudonymization or anonymization of information.

Addressing the GDPR questions raised by Alice’s mortgage application

Following GDPR’s introduction, Alice will have considerably more rights with respect to her personal information. Companies and other organizations are obliged to provide her with insight into what information they hold about her and how it is used. She can also oblige them to ‘forget’ her, meaning that all information about her needs to be removed or made anonymous. Companies are furthermore obliged by law to ensure that the management and processing of personal information are transparent and predictable; violations of GDPR provisions are punishable by substantial, punitive fines.

GDPR is coming. What next?

GDPR will take effect from 25th May 2018; we have summarized a number of key questions and tips to help assess how this may impact your organization and understand the preparation that is required:

  • Establish whether GDPR applies to your organization. GDPR applies to all organizations that process the personal data of European Union residents. Personal Data refers to any information through which a natural person can be identified.
  • If you process personal data, you need to answer the questions:
    1. Do you have permission to process personal data? GDPR states that the natural person that is identified by the data must explicitly give their consent.
    2. Is the data used correctly? As the owner or processor of personal data you must adhere to the principles of GDPR (see: the GDPR explained).
    3. Are you able to request permission transparently? Individuals must be asked for permission to collect and process their personal data in a clear and simple manner. After granting permission, individuals may withdraw this permission at any time, meaning that all personal information must be deleted.
  • Prepare a plan for data leaks. GDPR makes it an obligation to report data leaks that have existed from 1st January 2016 onwards. Importantly, the ‘processor’ as defined under GDPR is obliged to report a data breach to the ‘controller’ (e.g. the client) and the ‘supervisor’. We would also recommend that you develop a communications strategy to address potentially damaging media attention if a data breach occurs.

Finally: is the GDPR a reason for panic?

Privacy protection legislation is not new. In Europe, a set of guidelines to drive local legislation has been in place since the early 1990s. It is therefore unsurprising that many of the concepts from current legislation are reflected in GDPR. In a nutshell, GDPR is likely to be far less disruptive than the media sometimes portrays it. If your company already complies with existing legislation, the chances of unexpected surprises are limited.

GDPR does, however, represent a step forward in the awareness of data’s value and sensitivity. Developing a targeted data strategy that observes privacy and related regulations while providing value and services to new and existing customers requires careful consideration if organizations wish to remain agile and avoid becoming overly bureaucratic. We would love to share our experience and explain how the InformationGrid can solve a range of potential problems while ensuring current and future legal compliance.