A CIO’s Guide to GDPR


Becoming an agile enterprise means embracing more cloud-based services. The EU General Data Protection Regulation (GDPR) is one regulation that organizations must be hyper-aware of when considering this move, says Matthias Reinwarth, Senior Analyst at KuppingerCole.

Agility has become one of the key virtues of modern enterprises. Reacting to changing market conditions, to constantly modified legal and regulatory requirements and to evolving customer demands at an ever-accelerating speed is a challenge that modern and forward-thinking organizations must face.

This requires modern, flexible and swift approaches to defining and providing solutions, business processes, IT services, and infrastructures. Embracing cloud services has turned out to be the most cost-effective and efficient way to deploy modern, scalable and flexible solutions in many, if not most, cases. With the cloud becoming the new normal for enterprise IT infrastructure, many sensitive and critical processes are deployed in the cloud.

Running services in the cloud means moving processes, code, and data onto computers and infrastructure components outside of an organization’s actual and active control. An organization that, as a customer of cloud services, implements its application services on cloud infrastructure always remains the data controller and is therefore legally responsible for the data.

An important part of the data stored within cloud services is personally identifiable information (PII), i.e. data of people, e.g. customers, employees, partners or the external workforce. In parallel, the importance of customer data is increasing for many business models, as insight into customer behaviour is shaping goods and services to improve customer experience (and organizational profit).

The EU GDPR as a challenge for globally acting enterprises

The legislation related to PII is currently changing substantially, at least for all EU Member States, through the introduction of the European Union General Data Protection Regulation (GDPR).

New technologies and changing infrastructure concepts have led to the necessity to update the current data protection framework. This reflects today’s reality with social networks and big data technologies. The GDPR, therefore, aims at harmonizing the regulations for data protection within the EU Member States.

The requirements imposed by the GDPR differ substantially, at least in part, from the national data protection regulations that preceded them.

Every organization must identify which steps are required to implement proper measures to comply with these regulations for its own processes and business models. A study executed by Egress Software Technologies in 2016 indicates that 87% of CIOs are worried that current policies and procedures might be putting their company at risk and could leave them exposed under the GDPR.

Seven key elements of GDPR CIOs need to be aware of
EU GDPR consists of an extensive set of individual requirements regarding data protection. The scope of the regulation is broad and either references or changes many aspects of existing data protection regulation and introduces many new dimensions. Following is a list of seven key elements that organizations and their CIOs should be aware of.

  1. The GDPR is an EU regulation. That means that it does not need to be transposed into national law to become effective; it applies directly in all EU Member States (and beyond). Furthermore, the GDPR overrides local regulations, which will subsequently need to be adapted. Nevertheless, national legislation is underway to specify details that were deliberately left open at the European level.
  2. The GDPR will become effective in all Member States simultaneously on March 25th, 2018. Organizations have been given a two-year period until that date to implement the changes introduced by the GDPR. Only a little more than one year of this transition period is left for getting active and achieving compliance. Otherwise, significant fines may be imposed on organizations that have not reached the minimum data protection level required by the new framework.
  3. The GDPR is expected to affect organizations outside of the EU as well. It applies to organizations processing data within the EU and it applies, simply put, to organizations processing personal data of EU citizens. This is regardless of the actual location of that data processor and includes organizations within the US or UK as well.
  4. Processing of personal data requires an adequate legal basis, such as a contract or the individual, freely given, informed and well-documented consent of the data subject. Consent may be revoked at any time.
  5. The rights of data subjects (customers, leads, subscribers, users, employees, partners, external workforce and so on) are changed and, in general, mostly extended by the definitions of the GDPR. This includes extended information rights, the right to correct information, the right to export and transfer stored information and the often-quoted “right to be forgotten”. That right means that information which no longer needs to be stored, e.g. for legal reasons, is expected to be completely removed from all storage systems.
  6. Data breaches need to be detected in a timely manner, and notification must be provided within a defined period of 72 hours to the responsible Supervisory Authority and, in defined cases, also to the data subject.
  7. Many organizations will need to appoint a skilled and experienced Data Protection Officer (DPO) as the main point of contact for the GDPR and for data protection in general.

This list of seven key criteria as defined within the GDPR is far from complete, but it gives a good overview of the main areas on which CIOs and their IT organizations should focus their activities.

One addition is important: The potential fines for non-compliance with the GDPR are prohibitively high. They might reach a maximum of €20 million or 4% of the annual group turnover, whichever is higher.

The impact of GDPR on an agile business and its roadmap
Leveraging agile paradigms for the design and development of software and for the implementation of modern infrastructures to achieve new levels of flexibility and agility is a critical success factor for many organizations.

On the other hand, the GDPR has been designed to clarify the foundation for doing business with individuals living in the EU. It empowers the individual to decide what level of privacy they prefer on a per-use-case basis. In turn, this requires businesses to implement the ability to know about such decisions and react adequately.

The impact of the GDPR on an agile roadmap is obvious: Valuing customer and employee privacy should lead to stronger controls, more powerful threat detection and improved communication with data protection authorities. It must result in focusing on the minimal set of data required and restricting processing to that set for an individual purpose.

This subsequently leads to an overall reduction of the amount of personal data stored in possibly vulnerable systems. If richer data sets are wanted, this needs to be handled by a consistent implementation of consent management that provides adequate evidence and traces and controls the data being stored in all application systems.

Agility, on the other hand, requires constant changes to all aspects of business processes and their implementation in the cloud or on-premises, while making sure that reliability, stability, and security remain unchanged. All of this needs to be an implicit part of the overall agile methodology, while privacy by design and by default, as well as security by design, are key enablers for making agile approaches secure and compliant. That means that compliance with the GDPR needs to be embedded into the DNA of each application system and, more importantly, into the selected APIs, selected tools and deployed cloud services, frameworks, and platforms.

This is difficult or impossible to achieve by manually adding GDPR compliance to each and every existing legacy system and to every new and changing cloud application. End-to-end security and specific (Customer) IAM platform solutions focused on the implementation of GDPR compliance are key methods for creating the agile solution from standardized building blocks. The efficient management of personal data, the management of consent and its adequate documentation, which support business agility while fulfilling compliance requirements, rely heavily on the deployment of strong, secure infrastructure components.

As consent is provided clearly on a per-purpose basis, safeguards need to be in place to reliably prevent data processing beyond the scope of the consent provided by the data subject.

How is the protection of information changing?
Sensitive information in general, and especially personally identifiable information, needs to be protected from access by unwanted third parties for many reasons. That includes the protection of data in transit and at rest. Additionally, strong authentication and authorisation processes need to be in place to restrict the ability to access and process data to authorized people or services that are sufficiently strongly authenticated.

While authentication, authorisation and strong access control are a good starting point, that might not be sufficient for an appropriate level of protection. It cannot be ruled out that unwanted third parties or even national authorities in some countries may get access to the data transmitted into the cloud.

Therefore, CIOs and system owners should consider making encryption of confidential data mandatory to prevent unauthorized access on a physical and technical level.
It is understood that encryption, performance, and functionality might be conflicting aspects of an application design, but an adequate level of security and privacy should be preferred whenever possible. In that case, it might even be appropriate to use organization-owned encryption keys kept outside the cloud storage and to upload only pre-encrypted data. This can, as an example, help reduce the attack surface substantially.
Another important aspect of data protection is the continuous documentation that all access and processing is legitimate. This might be documented by implementing reliable auditing mechanisms which are hardened against tampering and deletion. However, log files and audit trails need to be considered as sensitive information as well.

GDPR and its relationship to other regulations CIOs need to comply with
CIOs today are aware of traditional data protection regulations, as they have been in place for many years. Meeting the security and compliance requirements of a variety of industry and national regulations demands an overall, consolidated protection of PII.
Regulations such as the US HIPAA (“Health Insurance Portability and Accountability Act”) or the PCI-DSS (“Payment Card Industry Data Security Standard”) aim at the protection of personally identifiable information in health care and in the payment sector. Meeting these and further requirements is a constant challenge for organizations and for the CIOs who represent them.

Therefore, it is highly recommended to follow an “Assess once, comply many”-approach: Similar and comparable controls and measures are required from various regulations. Grouping and clustering them into a single, unified policy approach can increase efficiency and speed while maintaining a higher level of transparency.

Having implemented strong controls and measures as part of a consolidated, standardized, organisation-specific policy approach can then aid in providing reliable evidence of compliance with a variety of regulatory requirements and legal frameworks at once.
CIOs should, therefore, strive to create and maintain a single set of policies defining controls to cover the whole of all relevant regulations for the individual organization. Assessing and ensuring compliance to GDPR can then benefit from existing compliance efforts. And compliance processes for GDPR can, in turn, contribute to proving compliance with other regulations as well.

The GDPR introduces an additional, rather new set of data subject rights. They can help in providing a strong basis of controls even for upcoming regulatory requirements regarding the protection of consumer and employee security and privacy.

With that approach, GDPR does not impose the presumed incredibly high level of compliance many CIOs fear. It rather defines an entry level of compliance every organization should meet in its own interest. Moreover, every CIO should take GDPR requirements as a constant reminder to rethink data protection, security, and privacy as a benefit to both the organization and its customers and employees.

Privacy by design and default
The GDPR explicitly mentions the principles of “privacy by design” and “privacy by default”. How should this be implemented, especially when it comes to agile software design and agile business processes, which cover all processes and their implementation through software?

In cloud services, a “privacy by design” approach includes end-to-end security, strong authentication, reliable and traceable authorisation processes and the implementation of a strong and well-documented consent management system. New functionalities added in an agile fashion and existing systems changing over time can then benefit from existing overall design decisions regarding strong security and privacy across all building blocks.

As a basic rule: The highest level of privacy should be the default setting for each and every configuration entry. As required by the GDPR, access to personally identifiable information needs to be made impossible unless there is a good and reliable legal or contractual basis for the actual storage and processing of the data.

So “privacy by default” means that additional access rights and extended processing of existing data needs to be “switched on” explicitly (e.g. with the availability of an adequate proof of consent), rather than allowing everything by default and then having to “switch off” access as an afterthought to protect customers, employees or other identities.
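The default-deny, per-purpose consent gate described here, combined with the revocable consent from point 4 above and the tamper-resistant audit trail mentioned under the protection of information, as an added example that is not part of the original article. The consent register, subject ids and timestamps are constructed, and SHA-256 hash chaining stands in for whatever audit hardening an organization actually deploys.

```python
import hashlib
import json

# Constructed sample consent register, keyed by (data subject, purpose).
# Timestamps are fixed-format UTC ISO 8601 strings, so plain string
# comparison orders them correctly.
CONSENTS = {
    ("subj-1001", "newsletter"): {"given": "2018-03-01T10:00:00+00:00", "revoked": None},
    ("subj-1001", "profiling"): {"given": "2018-03-01T10:00:00+00:00",
                                 "revoked": "2018-04-02T09:30:00+00:00"},
}

# Append-only, hash-chained record of every processing decision.
AUDIT_TRAIL = []


def has_valid_consent(subject, purpose, at):
    """Per-purpose check: no record, not yet given, or already revoked -> False."""
    rec = CONSENTS.get((subject, purpose))
    if rec is None or rec["given"] > at:
        return False
    return rec["revoked"] is None or rec["revoked"] > at


def _append_audit(entry):
    """Chain each entry to its predecessor so edits or gaps become detectable."""
    prev = AUDIT_TRAIL[-1]["hash"] if AUDIT_TRAIL else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(entry, sort_keys=True)).encode()).hexdigest()
    AUDIT_TRAIL.append(dict(entry, prev=prev, hash=digest))
    return digest


def process(subject, purpose, at):
    """Privacy by default: deny unless a valid consent exists for exactly this
    purpose, and record the decision either way."""
    allowed = has_valid_consent(subject, purpose, at)
    _append_audit({"subject": subject, "purpose": purpose, "at": at, "allowed": allowed})
    return allowed


def audit_trail_intact():
    """Recompute the chain; an edited, reordered or removed inner entry breaks it."""
    prev = "0" * 64
    for e in AUDIT_TRAIL:
        body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
        if e["prev"] != prev:
            return False
        prev = hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        if e["hash"] != prev:
            return False
    return True
```

Note that this chain detects changes to stored entries but not truncation of the most recent ones; anchoring the latest hash in a separate, write-once location closes that gap.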

Valuing identity data
Data in general, and especially personal data, is threatened in many ways and is far from being handled appropriately in the majority of commercial and governmental IT systems.

As stated above, companies and institutions that have not yet made adequate efforts at implementing processes and controls for dealing with personally identifiable information according to the GDPR, while they fall under its requirements, need to act now.
Maintaining PII in a way that is or can be made compliant means that CIOs should first revisit their attitude towards one of the most important assets they have: their customers and their employees.

They are represented within their IT systems as highly sensitive data that requires adequate protection. And this data needs to be protected from inadequate processing in many ways. That means, of course, that data may only be processed for the purpose agreed and required to fulfil an organization’s purposes. If an individual provides consent for further processing this needs to be well documented and strong evidence for the adequacy of this processing needs to be provided at any time.

CIOs and CISOs need to understand that the value of personal data is not something limited to their own organization: other parties are very much interested in exactly the same data, be it the casual hacker or highly professional, well-organized cybercrime groups.

The damage incurred by data leakage or a targeted data breach harms all involved parties, from the organization to the individual account owner. That is exactly where the GDPR comes in, to finally arrive at an adequate management of PII to the benefit of all parties involved.


Matthias Reinwarth is Senior Analyst at KuppingerCole focusing on Identity and Access Management, governance and compliance. He has consulted in the Identity Management sector since 1993. Matthias’ areas of expertise cover all major aspects of IAM including technology and infrastructure, data and entitlement modelling as well as IAM processes and governance.
