GDPR (General Data Protection Regulation) will take effect on May 25th, 2018; this provides the most far-reaching protection of EU citizens’ privacy ever. GDPR includes regulation both of the content and management of data as well as its transparency and portability. The regulation has major consequences for companies and governmental organizations that process privacy-sensitive data, including their information systems, data storage and operational processes. What does this mean for existing and future IT systems development?
No. Although this privacy legislation makes a very clear statement about the protection of EU citizens, it also makes clear which organizations must comply with it. These are: government bodies, public organizations, and any organization or business whose core activities involve the large-scale tracking, following, or processing of personal data. All organizations that fall within this definition must meet a number of requirements (see: the GDPR explained) and must be able to demonstrate that their information architecture is safe.
To illustrate how GDPR may impact information systems, consider the following example: Alice is applying for a mortgage for a new home and requests advice from an independent intermediary/advisor. The advisor needs to discuss and understand a range of personal information in order to recommend the best available product for Alice’s situation. The advisor may, furthermore, request quotations from mortgage providers based on Alice’s circumstances. This process raises a number of interesting questions from a GDPR perspective:
The GDPR legislation emphasizes that the architecture and design of information systems must embody the concept of ‘privacy by design’. This applies to the security and privacy of the information itself as well as to the design of all relevant management processes and procedures. The serious impact that this has on all life-cycle phases of information systems containing privacy-sensitive information is one of the biggest challenges for most organizations, whose information infrastructure has generally been designed without taking this new legislation into account.
The Internet, Cloud Computing and rapidly evolving new business models have already made organizations’ application landscapes more complex. The additional pressure resulting from the accelerating development of new products, services and forms of (inter)organizational cooperation continues to present the Enterprise-IT field with new challenges. Despite the pressure of ever-changing customer interaction and requirements, all of which impact existing systems and processes, the challenges presented by GDPR will need to be answered.
Ensuring security and privacy as an “add-on” or an afterthought has proved to be ineffective and difficult to manage. Experience has furthermore taught us that such needs are best not addressed on a separate, system-by-system basis. This has led to the emergence of new design approaches at an architectural level and the development of new technology elements that provide integral solutions to the underlying challenges while precluding the problems that generally result from inconsistent approaches.
The need for a consistent, systematic way of addressing security and privacy was one of the underlying concepts when Luminis created the InformationGrid, a technological interpretation of data strategies, both defensive and offensive. Security and Privacy-by-Design were fundamental architectural starting points. The InformationGrid is a data platform that provides a solid basis for the design and development of information systems that meet the demands of the GDPR; its important features related to privacy and security include:
Following GDPR’s introduction, Alice will have considerably more rights with respect to her personal information. Companies and other organizations are obliged to provide her with insight into what information they hold about her and how it is used. She can also oblige them to ‘forget’ her, meaning that all information about her must be removed or made anonymous. Companies are, furthermore, obliged by law to ensure that the management and processing of personal information is transparent and predictable; violations of GDPR provisions are punishable by substantial, punitive fines.
GDPR will take effect from 25th May 2018; we have summarized a number of key questions and tips to help assess how this may impact your organization and understand the preparation that is required:
Privacy protection legislation is not new. In Europe, a set of guidelines to drive local legislation has been in place since the early 1990s. It is therefore unsurprising that many of the concepts from current legislation are reflected in GDPR. In a nutshell, GDPR is likely to be far less disruptive than the media sometimes portrays it. If your company already complies with existing legislation, the chances of unexpected surprises are limited.
GDPR does, however, represent a step forward regarding awareness of data’s value and sensitivity. The development of a targeted data strategy that observes privacy and related regulations while providing value and services to new and existing customers does require careful consideration if organizations wish to remain agile and avoid becoming overly bureaucratic. We would love to share our experience and explain how the InformationGrid can solve a range of potential problems while ensuring current and future legal compliance.