18 Apr
How IT Departments Can Ensure Compliance with Data Protection Regulation (GDPR)
I think I have about 50 different online accounts in various discussion forums, eCommerce and auction sites, vendor registration databases, airlines, railways, banking and insurance, healthcare, government repositories, cloud services, social media, providers (energy, broadband, mobile etc) and IoT and connected devices. 50 might be a big understatement, I just don’t know anymore. I’m everywhere and they have all of my information. They may not have the information on my favourite color, which happens to be grass green – there, now even this information is in the public domain. Some of the sites are within the EU and some outside of it.
How Do Users Feel About Their Data?
The struggle between their need to know everything and my reluctance to disclose anything is constant. Some of the sites I use have a lot of garbage or out-of-date information instead of facts about me. I have a “trash” email account for registration purposes, and the attributes I jot down in the forms are usually very accurate: Name: Jason Voorhees, Address: Elm Street 13, City: Chainsaw, State: Texas. Glancing at my registration information, you might deduce that I like documentaries about the darker side of human nature. For sites and services where I actually get something important, or physical, in return, I have to use my real information. I’d hate to see my electricity go to Freddy Krueger.
In almost all cases I haven’t got the faintest clue how these sites are handling my data. This is mostly due to my lazy nature (don’t tell my boss). I just can’t be bothered to read the privacy statements and determine if the provider is worth my trust and I think in that respect I’m in the vast majority of online users. If I need or want something, I just hunker down and let them know about me and my real address, or other non-relevant but mandatory attributes they absolutely need to be able to send me the memory card. One thing I do look out for is a green address bar on my browser, indicating the site is using the most advanced type of SSL Certificate, encrypting the data being sent via the site. Without the green bar, I usually search for an alternative provider.
Data Protection Regulation for Organizations
Companies collecting my information for one reason or another are operating under regulations. Between the US and the EU there is a huge difference in how personal data should be treated. In the US my attributes, behavioural patterns, shopping habits etc. are typically fair game. In the EU the privacy laws and regulations are much tougher. The newly proposed General Data Protection Regulation (GDPR) intends to update the older data protection rules. The purpose is to create a harmonized regulatory environment across Europe and make it clear under which rules personal data should be treated. A very welcome change is that companies handling personal data will be accountable to their local authority, with the benefit of Europe-wide coverage: compliance in one country means EU-wide compliance.
Another aspect of the regulation is to give citizens more control over their data and make it easier for them to access their own data. Data portability could open up opportunities for competition in practically any field, from social media to the financial industry. I’ve been toying with the idea of creating a new revolutionary European-based social media site called Facialitterature where people could share pics of food and drink and crafty memes. Groundbreaking – eh? Under the new regulation Facebook users could transfer their data to the new Facialitterature service if they so wished.
Access to data
If you need to store data about your customers, users or other stakeholders, you have two main types of access conditions to consider: internal access and external access.
The collected data should only be used for the purposes outlined in your privacy statement. For internal access it means that you can’t really make the data repository available to all your employees and their curiosity. Only those who have a valid reason should have access to it. This typically means that certain people within your organization are authorized to view the data, or even modify it.
The external access requirement means that you should be able to grant your users access to their own data. If the service needs to collect more than the basic identity attributes, the data set can become confidential, and access to it should be protected accordingly. Having a social login in front of a data set containing credit rating information, social security numbers, invoicing data etc. is a bad idea.
Protecting data at rest
While the data rests in your repositories and you’ve made sure only authorized people in your organization can view it, you should make sure that if the data leaks out, it will stay protected. Encrypting the data is a very wise thing to do.
You should also consider how to handle the access rights of privileged users. The IT administrators who have practically an all-access pass to each and every system should be subject to the same authorization as the group of users who are allowed to view or access the data. Usually they are not, so their access to personal data goes unchecked.
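The following is an added example, not code from the original post, showing one way to express the access conditions above as a single authorization check: internal callers get through only if one of their roles is authorized for the attribute’s sensitivity level (the `it_admin` role deliberately has no such authorization, which is the privileged-user point), while external callers may read only their own records and a social login is refused for confidential attributes. The sensitivity levels, role names and callers are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Sensitivity of a stored attribute (constructed classification for this example).
type Sensitivity int

const (
	Basic        Sensitivity = iota // name, e-mail address
	Confidential                    // credit rating, social security number, invoicing data
)

// Assurance says how strongly the caller was authenticated.
type Assurance int

const (
	SocialLogin Assurance = iota // federated login from a social network
	Password
	StrongAuth // e.g. Mobile ID or another second factor
)

type Attribute struct {
	Name        string
	Sensitivity Sensitivity
}

type Caller struct {
	Subject    string   // identifier of the person asking
	IsEmployee bool     // internal (true) or external (false) access
	Roles      []string // internal roles, e.g. "support", "billing", "it_admin"
	Assurance  Assurance
}

// Roles that the privacy statement's purposes authorize to read each sensitivity level.
// "it_admin" is deliberately absent: being able to administer the system is not
// the same as being authorized to read the personal data in it.
var authorizedRoles = map[Sensitivity]map[string]bool{
	Basic:        {"support": true, "billing": true},
	Confidential: {"billing": true},
}

var ErrDenied = errors.New("access denied")

// CanRead returns nil if caller may read attr belonging to owner, else a wrapped ErrDenied.
func CanRead(caller Caller, owner string, attr Attribute) error {
	if caller.IsEmployee {
		// Internal access: only the roles named for this purpose, never "everyone".
		for _, role := range caller.Roles {
			if authorizedRoles[attr.Sensitivity][role] {
				return nil
			}
		}
		return fmt.Errorf("%w: no role of %s is authorized for %s", ErrDenied, caller.Subject, attr.Name)
	}
	// External access: users may only read their own data ...
	if caller.Subject != owner {
		return fmt.Errorf("%w: %s is not the owner of this record", ErrDenied, caller.Subject)
	}
	// ... and a social login is not enough for confidential attributes.
	if attr.Sensitivity == Confidential && caller.Assurance == SocialLogin {
		return fmt.Errorf("%w: %s requires a stronger login than social login", ErrDenied, attr.Name)
	}
	return nil
}

func main() {
	ssn := Attribute{Name: "ssn", Sensitivity: Confidential}
	admin := Caller{Subject: "root", IsEmployee: true, Roles: []string{"it_admin"}, Assurance: Password}
	alice := Caller{Subject: "alice", Assurance: SocialLogin}
	fmt.Println("admin reads alice's ssn:", CanRead(admin, "alice", ssn))
	fmt.Println("alice (social login) reads own ssn:", CanRead(alice, "alice", ssn))
	alice.Assurance = StrongAuth
	fmt.Println("alice (strong auth) reads own ssn:", CanRead(alice, "alice", ssn))
}
```

The point of keeping the role table small and explicit is that an administrator who needs to read personal data for a legitimate purpose gets a data role added, and that grant is visible and auditable, rather than inheriting the data as a side effect of system access.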
APIs and transferring the data
When you jump on the API economy bandwagon and expose interfaces to the Internet where anyone can send a request, you should be extra careful about:
- Who can request this data.
- What your answer will include.
- How your answer stays confidential on its way to the requester (encryption again).
Consent and authorization
Something that is important, if you decide to share the data you control, is user consent. If your users haven’t agreed to share their data with third parties, you should not do so. The consent clause can be embedded in the Terms & Conditions that no one reads, but a good practice is to actually inform your users in a humane way if you share their data and ask for active consent – they would specifically grant you permission to share their data. A good example of this is when I use my Mobile ID to log in to my insurance company’s online service. The data controller is my mobile network operator and the relying party is the insurance service. When I go through the authentication process, the last thing I have to do is give my consent that the operator can send some of my identity attributes to the insurance service. If I don’t like the idea, I can cancel the process.
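As an added example (not the post’s own code) tying the API checklist to the consent point, here is a request handler that answers the “who can request” and “what will your answer include” questions at the same time: the client must be registered, the purpose it states must be one it is permitted to use, the user must have actively consented to that client and purpose, and the answer contains only the fields that purpose needs. The client names, purposes, field lists and the single profile are constructed sample values; the handler is meant to sit behind TLS, which covers the third point of keeping the answer confidential in transit.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Purpose is the reason a third party gives for asking about a user.
type Purpose string

const (
	PurposeDelivery  Purpose = "delivery"  // ship a physical item to the user
	PurposeMarketing Purpose = "marketing" // partner offers
)

// Fields each purpose may receive; everything else is stripped from the answer.
var fieldsForPurpose = map[Purpose][]string{
	PurposeDelivery:  {"name", "address"},
	PurposeMarketing: {"email"},
}

// Registered API clients and the purposes each is contractually allowed to ask for
// (constructed sample values).
var registeredClients = map[string]map[Purpose]bool{
	"parcel-co":  {PurposeDelivery: true},
	"ad-network": {PurposeMarketing: true},
}

// ConsentStore records, per user and per relying party, the purposes the user has
// actively agreed to (user -> client -> purpose).
type ConsentStore map[string]map[string]map[Purpose]bool

// Constructed sample data: one profile and one consent grant.
var sampleProfiles = map[string]map[string]string{
	"alice": {"name": "Alice", "address": "Elm Street 13", "email": "alice@example.test", "ssn": "000-00-0000"},
}
var sampleConsents = ConsentStore{
	"alice": {"parcel-co": {PurposeDelivery: true}},
}

type Request struct {
	ClientID string
	User     string
	Purpose  Purpose
}

var (
	ErrUnknownClient     = errors.New("unknown client")
	ErrPurposeNotAllowed = errors.New("purpose not allowed for this client")
	ErrNoConsent         = errors.New("user has not consented to this sharing")
)

// Handle answers req with only the fields its purpose needs, and only when the
// client is known, permitted that purpose, and the user has consented to it.
func Handle(req Request, profiles map[string]map[string]string, consents ConsentStore) (map[string]string, error) {
	allowed, ok := registeredClients[req.ClientID]
	if !ok {
		return nil, ErrUnknownClient
	}
	if !allowed[req.Purpose] {
		return nil, fmt.Errorf("%w: %s asked for %q", ErrPurposeNotAllowed, req.ClientID, req.Purpose)
	}
	// Indexing a nil inner map yields false, so a user with no grants is simply denied.
	if !consents[req.User][req.ClientID][req.Purpose] {
		return nil, ErrNoConsent
	}
	profile, ok := profiles[req.User]
	if !ok {
		return nil, ErrNoConsent // same answer as "no consent": do not reveal whether the user exists
	}
	answer := map[string]string{}
	for _, field := range fieldsForPurpose[req.Purpose] {
		if v, ok := profile[field]; ok {
			answer[field] = v
		}
	}
	return answer, nil
}

func main() {
	ans, err := Handle(Request{"parcel-co", "alice", PurposeDelivery}, sampleProfiles, sampleConsents)
	if err != nil {
		fmt.Println("denied:", err)
		return
	}
	out, _ := json.Marshal(ans)
	fmt.Println(string(out)) // only name and address; never ssn or email
}
```

Because the allowed fields are keyed by purpose rather than by client, adding a new partner never widens what any purpose discloses, and a consent revocation by the user takes effect on the next request without redeploying anything.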
Right to be forgotten
The right to expunge your information from a data repository is already being implemented. I can ask Google to forget me and, like magic, the search results for “Petteri Ihalainen” would start featuring someone else with the same name.
This privilege to be expunged might be challenging to implement if your company is running multiple repositories of personal data. The advice I can give you here is consolidation. We have had customers who have successfully consolidated their data repositories and not only managed to create cost savings, but also created a much more consistent way of handling personal data.
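An added example (not from the post or its author) that serves both the encryption-at-rest advice above and this section on erasure across several repositories: each data subject’s records are encrypted under a key that belongs to that subject alone, so every repository only ever stores ciphertext, and honouring a request to be forgotten comes down to destroying that one key, after which every copy in every repository is unreadable without having to locate each one. This is commonly called crypto-shredding; it complements consolidation rather than replacing it. The in-memory key store, subject names and record contents are constructed for the example; in production the keys would sit in an HSM or key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds one data-encryption key per data subject. Constructed as an
// in-memory map for this example; a real deployment would use an HSM or KMS.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// keyFor returns the subject's key, generating a fresh 256-bit AES key on first use.
func (ks *KeyStore) keyFor(subject string) ([]byte, error) {
	if k, ok := ks.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	ks.keys[subject] = k
	return k, nil
}

// Forget destroys the subject's key. Every record sealed under it, in every
// repository that holds a copy, becomes unreadable from this point on.
func (ks *KeyStore) Forget(subject string) { delete(ks.keys, subject) }

// Record is what a repository stores: a nonce and ciphertext, never plaintext.
type Record struct {
	Subject string
	Nonce   []byte
	Cipher  []byte
}

var ErrForgotten = errors.New("subject's key has been destroyed")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for subject with AES-256-GCM. The subject id is bound
// as additional authenticated data so a record cannot be re-filed under another user.
func Seal(ks *KeyStore, subject string, plaintext []byte) (Record, error) {
	key, err := ks.keyFor(subject)
	if err != nil {
		return Record{}, err
	}
	aead, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{Subject: subject, Nonce: nonce, Cipher: aead.Seal(nil, nonce, plaintext, []byte(subject))}, nil
}

// Open decrypts rec. It looks the key up directly (not via keyFor) so that a
// forgotten subject yields ErrForgotten instead of silently getting a new key.
func Open(ks *KeyStore, rec Record) ([]byte, error) {
	key, ok := ks.keys[rec.Subject]
	if !ok {
		return nil, ErrForgotten
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Cipher, []byte(rec.Subject))
}

func main() {
	ks := NewKeyStore()
	crm, _ := Seal(ks, "alice", []byte("Elm Street 13"))      // copy in the CRM
	billing, _ := Seal(ks, "alice", []byte("credit rating: A")) // copy in billing
	pt, err := Open(ks, crm)
	fmt.Printf("before: %q %v\n", pt, err)
	ks.Forget("alice") // the erasure request
	_, err = Open(ks, billing)
	fmt.Println("after:", err) // both copies are now unreadable
}
```

The nonce is generated fresh per record, which is the correct usage of GCM; the authenticated binding of the subject id means a record copied from one user’s row into another’s fails to decrypt rather than being served to the wrong person.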
The GDPR will change how personal data is treated within the EU. In the next part of my blog I’ll take a look at concrete examples of how Identity and Access Management (IAM) can help you (yes – I’m doing a sequel, and no, it does not feature yet another very big round thing that can destroy planets).