Beyond GDPR Compliance: Using Technology to Stay Ahead of the Curve
By Soumik Sarkar
What is GDPR?
The General Data Protection Regulation, or GDPR, sets forth a collection of legal guidelines that govern the handling of personal information for individuals in the European Union. The reform was four years in the making: in 2012, the EU made a concerted effort to ready Europe for the digital age, and after four years the final regulation was agreed upon. The deadline for full compliance recently passed, on May 24, 2018.
GDPR attempts to address new data and privacy challenges that arise from increased digital transactions as well as the emergence of Big Data and analytics, which has increased the demand for and the commodification of personal data. One of the biggest changes with GDPR is the scope of entities that are required to comply. It now applies to all in the EU as well as companies that handle personal data for individuals residing in the EU, which functionally impacts businesses on a near-global scale.
One of the ultimate goals of GDPR is to get to a state where data protection safeguards and protocols are an inherent part of product and service design from its earliest stages. This goal is a key strategy for protecting consumers while ensuring they feel confident in the security of their data and providing greater accountability for organizations that do not take the appropriate safeguards. This goal is significant in relation to the number of data breaches that have occurred in recent years, and the increased risk that is sure to occur as more functions of everyday life move to digital platforms.
What happens if I don’t comply?
The penalties for non-compliance with GDPR are stiff, and deliberately so. In the wake of severe data breaches, customers were often not alerted to the breach until long after it occurred, which limits the amount of ‘damage control’ the victims of a breach can undertake. The maximum fine for a data breach is 4% of annual global turnover, or €20 million, whichever is greater.[i] Fines for non-compliance are tiered depending upon business size, the extent to which security measures were taken, and the scope of the breach. They are also levied under two different data-handling definitions: processor and controller.
- Controller – A person, public authority, agency or another body which, alone or jointly with others, determines the purposes and means of processing of personal data.
- Processor – A person, public authority, agency or other body which processes personal data on behalf of the controller.
The controller role carries much more legal liability in the event of a breach, whereas the processor obligations are a new component introduced with GDPR. The burden of ensuring compliance is placed solely upon the organization.
Compliance is not simply about ensuring the safeguards are in place though; GDPR also prevents companies from using terms and conditions that ‘bury’ or ‘mask’ the policy in lengthy legal language. Consent forms must now be intelligible, easy to access, and easy to withdraw. Individuals also have several other rights under the GDPR framework.[ii]
- Right to Access – Means that an individual may request information about how their personal data is being collected and used. The controller is required to provide this in electronic format, providing for greater transparency.
- Right to Be Forgotten – In the event that an individual would like the data that has been collected on them to be erased, they may request this. It also ensures that they can stop the dissemination of this data.
- Data Portability – Ensures that individuals can receive their own personal data in a ‘commonly used and machine-readable format,’ and can transmit data to another controller.
Additionally, breach notifications must be handled in a timely manner. When a data breach poses a potential risk to the rights and freedoms of individuals, they must be notified within 72 hours of the breach being discovered.
Given the scope of actions (or non-actions) that can incur penalties, as well as the large financial amount of the penalties themselves, GDPR compliance will remain a high priority for businesses. With the GDPR compliance deadline lapsed, many companies have made the initial, and sizeable, investment for implementing data safeguards. However, there is still a long way to go. An April 2018 study shows that less than 10% of companies expected to be fully compliant before the deadline, and only slightly over 50% at the deadline.[iii]
How do I maintain compliance?
One of the biggest barriers to achieving compliance is the sheer cost: the data safeguards often require a significant financial investment. Furthermore, given the pace of technological change, many fear that even once compliance is initially achieved, ensuring ongoing compliance will still prove challenging. This task is made even harder by the shift to cloud technologies and decentralized network architecture that is occurring in almost all industries.
This change has represented a fundamental and structural shift in how organizations structure their infrastructure and data. More importantly, the speed of change on the cloud is almost beyond comprehension, and it is certainly beyond the capacity for human governance of the data! The reality is that given the scope of data, as well as the strict regulations, the only realistic way to ensure ongoing compliance is through automated governance. This represents the easiest, most cost-effective solution to achieving the myriad of data security needs that are required by GDPR. An automated solution is also the only way to maintain agility in an ever-changing digital landscape.
How can I implement an automated governance system that will alert me of changes that require action, before it’s too late?
An automated governance framework enables businesses to manage decentralized data and infrastructure components that would otherwise be nearly unmanageable. Current manual governance techniques are simply unable to keep pace with the rapid changes in data management, and in the age of GDPR this is unacceptable – or at the very least, incredibly costly.
With the shift to cloud-based resources and systems, individuals have played a smaller role in provisioning than they previously did with centralized, in-house infrastructure. Unfortunately, the large drawback with this model is that adherence to standards is often taken for granted, putting businesses at a huge risk. The future of data governance and compliance will lie with code-based management, which allows for far greater efficiency and innovation.
Based on Crosscode Panoptic’s extensive dependency graph, Crosscode’s Governance Operating System (GOeS™) provides an agile way to govern software as a code-based solution. The graph maps relationships in your runtime environment down to the code level and allows you to create custom rules that can provide alerts at that level. For example, you can create a rule like the following to keep informed of any new applications accessing the main Users table.
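The following is an added illustration of the kind of rule described above; it is not Crosscode's GOeS rule syntax or Panoptic's data model, and the application names, table names and access edges in it are constructed. It models the dependency graph as a set of application-to-table access edges, keeps an approved baseline of accessors, and raises an alert whenever a runtime snapshot shows an application touching a personal-data table that the baseline does not authorize. It generalizes the Users example to any table tagged as holding personal data, so the same rule covers additional stores (here a constructed Addresses table).

```python
"""Baseline-diff governance rule over an application-to-table access graph.

Added example, not Crosscode code. All identifiers and edges are constructed
to show the technique: alert on new accessors of personal-data tables.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Dict


@dataclass(frozen=True)
class AccessEdge:
    """One observed relationship: a runtime component touching a data store."""
    application: str   # component observed in the runtime environment
    table: str         # table it reads from or writes to
    operation: str     # "read" or "write"


# Tables tagged as holding personal data (constructed; in practice this comes
# from the organization's Article 30 processing records or data classification).
PERSONAL_DATA_TABLES: Set[str] = {"Users", "Addresses"}

# Constructed baseline: accessors that were reviewed and approved when the
# rule was authored.
APPROVED_BASELINE: Set[AccessEdge] = {
    AccessEdge("account-service", "Users", "read"),
    AccessEdge("account-service", "Users", "write"),
    AccessEdge("billing-service", "Users", "read"),
    AccessEdge("shipping-service", "Addresses", "read"),
}

# Constructed runtime snapshot: edges discovered in the current environment.
OBSERVED_SNAPSHOT: List[AccessEdge] = [
    AccessEdge("account-service", "Users", "read"),
    AccessEdge("account-service", "Users", "write"),
    AccessEdge("billing-service", "Users", "read"),
    AccessEdge("marketing-export", "Users", "read"),      # new accessor -> alert
    AccessEdge("shipping-service", "Addresses", "read"),
    AccessEdge("shipping-service", "Addresses", "write"), # new operation -> alert
    AccessEdge("reporting-job", "Orders", "read"),        # not personal data; ignored
]


def new_accessors(observed: Iterable[AccessEdge],
                  baseline: Set[AccessEdge],
                  tables: Set[str]) -> List[AccessEdge]:
    """Return edges that touch a tagged table but are absent from the baseline.

    A change in operation (read -> write) counts as a new edge, because the
    baseline approves (application, table, operation) triples, not just names.
    """
    hits = (e for e in observed if e.table in tables and e not in baseline)
    return sorted(hits, key=lambda e: (e.table, e.application, e.operation))


def evaluate_rule(observed: Iterable[AccessEdge],
                  baseline: Set[AccessEdge],
                  tables: Set[str]) -> List[Dict[str, str]]:
    """Turn unapproved edges into alert records suitable for a ticket or SIEM."""
    alerts = []
    for e in new_accessors(observed, baseline, tables):
        alerts.append({
            "rule": f"new-accessor:{e.table}",
            # Writes can alter or leak personal data directly, so rank them higher.
            "severity": "high" if e.operation == "write" else "medium",
            "application": e.application,
            "table": e.table,
            "operation": e.operation,
            "message": (f"{e.application} now performs {e.operation} on "
                        f"{e.table}, which is not in the approved baseline"),
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate_rule(OBSERVED_SNAPSHOT, APPROVED_BASELINE, PERSONAL_DATA_TABLES):
        print(alert["severity"].upper(), alert["message"])
```

Running the snapshot against the baseline produces two alerts: a medium one for marketing-export reading Users, and a high one for shipping-service gaining write access to Addresses. The reporting-job edge is ignored because Orders is not tagged as personal data. In a real deployment the snapshot would be regenerated from the dependency graph on every deploy or on a schedule, and an approved alert would be promoted into the baseline so the rule stays quiet until the next unexpected change.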
The adoption of GDPR regulations arose from the desire to handle data in a better way. Crosscode offers the best option for data governance that provides regulatory compliance, while still offering a cost-effective solution that is scalable to any business’s needs.
[iii] McDermott Will & Emery LLP. (2018). The Race to GDPR: A Study of Companies in the United States & Europe.