The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) applies to all European Union member states. It replaces the Data Protection Directive 95/46/EC (the 1995 Data Directive). GDPR applies to a wide range of organisations that control or process EU residents’ data, including organisations that are not part of the EU.
This article focuses on technical issues in the GDPR. In Articles 5(2), 25(1), 28, 30 and 32, the GDPR directs companies that hold, share and process EU residents’ data to:
- Demonstrate that IT systems are compliant.
- Define appropriate technical and organisational measures that data holders must take to protect data.
- Secure IT systems and networks that resist, at a given level of confidence, accidental events or unlawful or malicious actions.
Further, Articles 33 and 34 discuss evaluation, documentation and notification of a breach.
This means that organisations should do their best to avoid any incident that compromises the availability, authenticity, integrity and confidentiality of stored or transmitted personal data. Organisations with complex networks need to be able to evaluate their IT systems and network quickly and build a risk profile of them. A company may have deployed new systems or may want to keep track of the compliance of old ones; as with any organisation whose network keeps growing in size and complexity, it can quickly fall out of compliance.
Such organisations can deploy an automated tool to check the compliance of their systems and reduce their system risk, and incorporate it into change management. In this way they can keep the risk profile of their systems and network current through continuous scanning, assessment and remediation: vulnerabilities are patched or mitigated as soon as they are found, and systems found out of compliance are corrected.
There is no need to re-invent the wheel. CIS and ISO provide useful guidelines on best practices for compliance and vulnerability remediation. GDPR does not prescribe the precise technology that must be used to secure the data; it takes a risk-based approach to requiring technical measures. Higher risk means more expense and effort to secure data. The main question is whether data is at risk and which practices and technologies will effectively reduce those risks.
GDPR requires organizations to disclose a data breach. This may be the regulation’s single most compelling provision. After all, an organization can face fines of up to €20 million, or 4 percent of its annual revenue.
A data breach can generate a chain reaction of expensive legal fees, political blowback and invasive news media investigations into the organization’s data security practices. An organisation whose business is based on managing personal data would need to find innovative solutions to avoid any associated penalties.
- Data responsibility: Under the regulation, any data “by which the individual can be identified” is to be protected, and this responsibility falls on any organisation that deals with the data, whether it is the primary data collector or a third party that receives the data from another organisation. In the event of a data breach, every organisation in this relationship may be liable, depending on the nature of the breach.
- User request right: Under the regulation, individual users have the right to ask an organisation to provide them with all the data they hold about the individual that might enable the organisation to identify the user.
- User consent: Under the regulation, a user should be given clear information about how the data collected from them will be used. The information has to be concise and clearly understandable by the user for the consent to be considered valid.
Managing the above three aspects in IoT and Cyber-Physical Systems (CPS) would be challenging, and it also opens up new avenues for data management and privacy practices from a technology point of view.
Another impact of the GDPR is on emerging technologies such as blockchains, which provide strong data integrity protection and potentially automatic data auditability, a technological innovation that might be useful for the data architectures of the future. Blockchains are the core of cryptocurrencies and are fundamental to providing their anonymity and fraud prevention.
However, under the GDPR’s “right to be forgotten,” a user can request that a company remove all data related to the user from its environment. This would also require removal of any information stored on the blockchain that might be used to identify the individual, which is precisely what a blockchain is designed to prevent. This requires a rethinking of how blockchain technology is used in this context.
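To make the tension concrete, here is an added illustration in Python (not code from the original article) using a toy hash chain: writing personal data directly into blocks means honouring an erasure request breaks the chain's integrity, whereas keeping only a salted commitment on chain, with the record and its salt stored off chain, lets the record be erased while the chain still verifies. The off-chain pattern goes beyond what the article describes and is one common way of reconciling the two; the subject records are constructed sample data.

```python
import hashlib
import json
import os

GENESIS = "0" * 64


def block_hash(payload: dict, prev: str) -> str:
    # Hash of the canonical payload plus the previous block's hash links the blocks.
    return hashlib.sha256((json.dumps(payload, sort_keys=True) + prev).encode()).hexdigest()


def build_chain(payloads: list) -> list:
    chain, prev = [], GENESIS
    for payload in payloads:
        h = block_hash(payload, prev)
        chain.append({"payload": payload, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list) -> bool:
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev or block_hash(block["payload"], prev) != block["hash"]:
            return False
        prev = block["hash"]
    return True


SUBJECTS = [{"subject": "alice@example.test", "consent": "marketing"},   # constructed
            {"subject": "bob@example.test", "consent": "analytics"}]


def erase_on_chain() -> tuple:
    """Personal data written into the blocks: erasing it invalidates every later block."""
    chain = build_chain([dict(rec) for rec in SUBJECTS])
    valid_before = verify_chain(chain)
    chain[0]["payload"]["subject"] = "<erased>"      # honour Alice's erasure request
    return valid_before, verify_chain(chain)         # (True, False)


def erase_off_chain() -> tuple:
    """Only a salted commitment goes on chain; record and salt live in an erasable store."""
    off_chain, payloads = {}, []
    for rec in SUBJECTS:
        salt = os.urandom(16)                        # 128-bit salt defeats guessing the record
        commitment = hashlib.sha256(salt + json.dumps(rec, sort_keys=True).encode()).hexdigest()
        off_chain[rec["subject"]] = (salt, rec)
        payloads.append({"commitment": commitment})
    chain = build_chain(payloads)
    del off_chain["alice@example.test"]              # erasure removes both record and salt
    # The bare commitment can no longer be linked to Alice, yet the chain is untouched.
    return verify_chain(chain), "alice@example.test" in off_chain   # (True, False)
```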
As technology practitioners, our role is to provide innovative solutions that help organisations meet their business objectives and the regulations associated with their business functions. With the GDPR coming into effect, organisations will require solutions that allow them to meet the regulation’s requirements.
It is our challenge, and as technologists, we are confident that these requirements can be met with minimum interruption to the business functions of an organisation.