By Cassandra Balentine
Part two of two
The European Union (EU)’s General Data Protection Regulation (GDPR) is generating a lot of buzz. As data privacy is continuously in the spotlight, organizations are forced to consider how it obtains, manages, stores, and processes personal data entrusted to them by individuals that use their products and services.
Adam Prince, VP global product management, compliance and migration, Sage, says that more than anything, GDPR regulations set a precedent around the importance of personal information and the rights of individuals in relation to the treatment of their personal data. “Nearly every organization needs information to work. The GDPR makes sure individuals are top of mind, ensuring the integrity of personal data.”
In part one of this two-part series, we detail why each and every employee at organizations across all industries should take GDPR compliance seriously.
Data Management Considerations
Since GDPR affects the use, sharing, and processing of personal data, the way it is handled by an organization comes under scrutiny.
GDPR is a testing ground and will make individuals and data controllers more focused on how the privacy of data is being managed, comments Robert Cruz, senior director of information compliance, Actiance. Firms have taken notice by building data maps and doing vulnerability analyses of data flows within their companies and are increasingly focused on those topics within their service providers. “At the highest level, GDPR is causing firms to examine data governance practices and refining policies to make sure they can quickly identify and respond to questions that arise regarding to their data protection technologies, processes, and internal knowledge of GDPR.”
Dimitri Sirota, CEO, BigID, points out that companies tend to build architectures to meet the hardest regulations. “Just to reinforce this, elements of GDPR have been adopted in countries around the world and are likely to carry over into the U.S.”
Explicit consent of the individual to allow an organization to collect and keep personal data is central to compliant data management, so the relationship between companies and people will evolve, suggests Carole Winqwist, GDPR compliance officer and VP marketing, Bonitasoft. “Proof of obtaining clear consent will be included in audits, so brands will have to offer real value to keep people wanting to share their data.”
“Data management should become a centralized focus of organizations, especially those whose practices span across the globe. The GDPR is the first of many global data protection laws worldwide. As data becomes more prominent and valuable, privacy continues to become an even larger focus of consumers as well as regulators,” comments Greg Sparrow, SVP/GM, CompliancePoint.
While it depends on the individual organization, Todd Wright, global product marketing, data management, SAS, says regardless of your current level of data governance readiness, organizations will need to consider and adjust the way they handle consent management, the proper tagging and management of sensitive data, and how to best manage the right to be forgotten.
Specifically for software organizations, a strong focus on privacy by design during software development is crucial to anticipate impacts of their products on the privacy of their customers. “I believe the software sector should come together to develop a privacy development lifecycle, in parallel to a secure development lifecycle,” says Christoph Luykx, chief privacy strategy, CA Technologies.
To comply, Venkat Ramasamy, COO, CodeLathe, says companies will invest more defined processes in collecting, storing, handling, and archiving data. Many will have to redesign current processes to meet GDPR.
Theodore A. Miracco, CEO, SmartFlow Compliance Solutions, agrees, adding that GDPR will have a significant impact on the processes and procedures for handling data. “Privacy policies, for example, will need to be more detailed and frankly more honest in accurately reporting on how users’ data will be processed and for what purposes. Due to the complexity of today’s information technology, these procedures will impact the entire technology ecosystem so that all subcontractors, intermediaries, and third parties will have to be brought into the loop since the legislation is applicable to both data controllers and data processors. There is a shared collective responsibility for handling data properly, and organizations can no longer outsource the problem to a willing third party.”
Luykx says the GDPR will have a strong impact on data lifecycles as organizations will need to have a clear view of how data moves throughout their processes. “As the point of collection, making sure the right legal grounds are respected for collection with the right level of transparency will be crucial. Once data is within the organization, management of that data entails continuous data mapping, protection, and investment in tracking access rights. Finally, policies need to be created and respected with regards to data deletion.”
Craig Payne, security and privacy officer, Ayla Networks, Inc., says it is likely that the GDPR will force international organizations to review and upgrade their internal processes, internal company, and intra-company agreements. “The GDPR appears, to us, to set a new bar for privacy. It appears to me that many other governments—outside of the U.S.—are heading in a similar, if less extreme direction as the GDPR.”
Sparrow points out that it isn’t a one and done type of exercise. “Data management is an enormous task and organizations must routinely review and update their data inventory and data mapping to document all data processing that occurs and why it occurs. With the increasing pace of technological advances, the GDPR and likely future data protection laws as well as data management will become the center of attention for businesses, regulators, and the average consumer.”
“For most companies doing business globally, GDPR presents a significant challenge and will completely transform the way that they collect, process, store, share, and eventually wipe personal data. Complying with GDPR will likely entail upgrades to information and security infrastructure as well as changes to business policies. Companies will need to be more thoughtful about choosing the suppliers and partners they do business with, especially when it comes to cross-border data processing and transfer throughout the lifecycle of their products,” shares Jessica Zhou, general counsel, Ayla Networks, Inc.
Alex Gorelik, founder/CEO, Waterline Data, says typical data governance tools can tell you what kind of data should be considered sensitive, but the problem is they assume you already know where it resides. “There are other tools that can be deployed at the data security and storage level, and they’re very good at helping you lock down sensitive data. But these tools suffer from the same problem. They don’t tell you where GDPR-regulated data is located, where the data came from or where it’s going, or how to identify, report, and control new GDPR-regulated data is as it comes in.”
Richard Hogg, global GDPR evangelist, IBM, says businesses should consider six areas when preparing for GDPR compliance, data; privacy; protection; cloud; governance; and people, processes, and communication.
Jean-Michel Franco, senior product marketing director for governance products, Talend, says GDPR software and products should develop a metadata management system to track data, create a complete view of consumers through a data lake or master data management system, protect or mask data when it’s not appropriate for others to view it, prioritize data stewardship, and create data integration services.
It is a good idea for businesses to embrace the challenge of GDPR by looking beyond compliance and instead capitalizing on the opportunity to align it with a broader digital transformation strategy. “The heightened regulation will demand more when it comes to the processing of consumer data including greater responsibility, accountability, and evidence of privacy controls. For many, this means a rethink of their entire ethos towards data protection,” shares Shawn Rogers, senior director, analytic strategy, TIBCO.
Complying with any new regulation may bring additional work and expense, but Mark Woodhams, managing director, EMEA for Oracle NetSuite, encourages organizations to look at the positive, meaning it will give organizations an opportunity to improve the way they handle data and bring their processes up to speed for new digital ways of working. “We are living in a data-driven economy. Organizations need to give consumers the confidence to share data and engage with more online services. Following the requirements of GDPR can help in that regard.”
Paul Farrington, director, EMEA Solution Architect, CA Veracode, points out that many business leaders view regulations and compliance as obstacles, however they can actually serve as the foundation for a more strategic approach to cyber security that ultimately reduces risk and helps protect the bottom line. “The GDPR introduces new and more stringent requirements for data protection, including areas that have previously been viewed as some business leaders as nice to have rather than a core component of their data protection.
Ultimately, GDPR will serve as a catalyst globally for improving data protection and cyber security processes across the board. “While it has been cumbersome for many organizations to ready themselves to meet its requirements, its outcome of these improved defenses will protect us all as consumers,” says Farrington.
Software to Help
While there is no magic solution for GDPR compliance, there are several areas where technology supports GDPR compliance.
Woodhams suggests that implementing the right software products, services, and technology—with effective security controls—can help companies successfully address regulatory requirements, reduce risk, enhance overall security, and improve competitive advantage.
“Visibility is crucial on so many levels. In the first instance, it is important for organizations to understand where PII data is stored. Companies are required to notify authorities within 72 hours of a breach of PII, so it’s crucial that a business knows when a cyber attack impacts a certain area of their network, whether PII is impacted and if the attack needs to be reported,” says Farrington.
Luykx also believes software products and services are an essential part of the compliance triangle. Products can help with prevention and remediation, focusing on the entire data lifecycle from the point of collection to management to deletion. “Some examples include automating processes, software security tools, and tracking project resources.” He adds that instead of using real-life data for testing purposes, with the increased risk of personal data being mishandled, organizations could consider using a test data management solution that provides data masking or uses synthetic data.
In general, software will be used to record and manage consent, says Winqwist. More specifically, process-based applications can be deployed to automatically record consent, register all dates and systems that access data, process and record modifications and deletions, and produce reports showing all of this for compliance audit.
Software can help firms spot where personal information may exist within workflows and business processes, by helping automate policies to ensure that information being preserved is done so in accordance with GDPR, and by providing software and services to store data in a fashion that provides transparency on data usage as well as rapid search to respond to inquiries for potential GDPR violations, explains Cruz.
Sparrow says software products and services will be beneficial in helping organizations comply with the data subject access rights provided under the GDPR. “Under the regulation, data subjects have the right to access their data, rectify any incomplete or wrong data, have their data deleted, restrict processing of their data, object to processing, and object to automated processing. Each of these rights can be extremely complex, and organizations have a limited timeframe in which they are required to respond to these rights.”
One area that should be addressed is cyber security, and an investment in software that can detect and counter cyber threats, says Miracco.
Tools and Services
Many software and software service providers are going all in to help clients and prospects become GDPR compliant. Here, we highlight specific solutions.
Actiance products can impact electronic communications for potential instances of personal data through the use of lexicons, the ability to set granular retention policies so that regulated organizations can capture only the data that has a legitimate business purpose, and by providing a content store that enables fast search and retrieval of information along with the ability to delete private data if required.
Ayla products are designed to be compliant with the relevant parts of the GDPR, which its processing would impact. Required security features are embedded in device firmware, Ayla Cloud Services, and mobile applications. Controls over who can view personal information are implemented in the websites that its customers use to manage their fleet of sold devices. The company also offers three processing regions to minimize or possibly eliminate the Onward Transfer of personal information outside of the EU.
BigID provides software to help organizations find and manage personal data across their enterprise. The company provides automation to satisfy GDPR regulations around data subject rights, documenting data processing, consent tracking, breach response, and de-identification.
Bonitasoft’s Bonita process-based digital business platform is used to design and implement business processes in application form. The resulting Bonita applications manage all steps in those processes and through integration interact with the company’s other information systems and creates a traceable record document.
CA Technologies helps customers address GDPR requirements through its portfolio, which includes test data management, security, API management, automation, and mainframe solutions. These innovations enable organizations to confidently embark on their compliance journey to protect data in mainframe, distributed, cloud, and mobile environments. The CA Test Data Manager helps identify where sensitive data is stored enterprise wide and by using statistical analysis to find personal data stored across multiple file formats and applications. CA Data Content Discovery, which finds, classifies, and protects data, predefined policies to assist in identifying the information and helping to control and track the usage of users. The CA Identity Suite helps manage and govern user access to business applications and the underlying data.
The CA Veracode Application Security Platform offers a holistic, scalable way to manage security risk across an organization’s entire application portfolio. The company offers a range of security testing and threat mitigation techniques—all hosted on a central platform. CA Veracode’s various testing solutions, including CA Veracode Statistic Analysis, Dynamic Analysis, and Software Composition Analysis, address process requirements for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. The company’s Manual Penetration Testing offering helps users address the requirement for pseudonymisation of data. To meet the requirement to address data protection by design and default, CA Veracode Greenlight allows developers to create code security right from the first line within their integrated development environment.
CodeLathe provides a set of features that support organizations to meet GDPR. For user consent requirements, FileCloud offers a new privacy setting to get explicit user consent. Once enabled, CodeLathe asks for consent from users while accessing, viewing, or downloading files. Additionally, FileCloud allows an organization’s data protection officer (DPO) or an office administrator to search for user data across all file content and activity logs. With the new FileCloud update, administrators search for content across all users in the system. FileCloud also allows the export of files in standard formats and activity logs in easily readable files. To comply with the right to be forgotten, FileCloud offers tools to delete files and anonymization of any data companies possess relating to them, including activities logs. The program also offers special user accounts for compliance officers and auditors to review compliance.
CompliancePoint provides of information security and risk management services focused on privacy, data security, compliance, and vendor risk management. The company does this by providing a full suite of services across the entire lifecycle of risk management using its find, fix, and manage approach. CompliancePoint can help organizations prepare for GDPR with project initiation and buy in, strategic implementation, and ongoing program management and monitoring.
IBM offers a standard GDPR five-phase methodology and end-to-end GDPR solutions with clients and partners. The company is drinking its own champagne, consuming the same services and solutions for its internal readiness program. “IBM did their assessment almost two years ago for GDPR readiness. We determined we could not ring fence our data or operations, employees, or clients to just those within EU, so we chose to execute GDPR readiness as a global program,” says Hogg.
Oracle has an extensive value proposition to help address GDPR requirements that impact data inventory, risk awareness, application modification, and architectural integration. The company provides security services designed to help protect data, manage user identities, and monitor and audit IT environments.
Sage, in line with other responsible vendors, is adding new features and capabilities to its product to give users the tools they need to meet some of their own GDPR obligations and are working to actively educate customers and employees about the legislation and importance of personal data.
SAS offers SAS for Personal Data Protection, which helps customers through a five pillar approach to GDPR—access, identify, govern, protect, and audit.
SmartFlow provides a software development kit and compliance management system that protects application software from unauthorized use and software piracy. The software has a unique configurable data collection functionality that enables users to control how telemetry information is collected to ensure software intellectual property is used in accordance with the licensing provisions, but also that all collected data can be managed and protected in accordance with the GDPR.
Talend’s GDPR products center on the five pillars of GDPR, Talend Metadata Manager, Talend Big Data, Talend Data Quality, Talend Data Stewardship, and Talend Data Integration. Talend’s data fabric unifies GDPR compliance. Organizations can use the suite as a holistic approach or select a few tools.
TIBCO products deliver effective solutions for managing the processes and risks connected to GDPR compliance. For organizations that need to reduce complexity and get a 360-degree view on existing data in various systems and minimize costs, TIBCO Data Virtualization provides a solution. For companies leveraging machine learning and AI to automate decision-making under the guidelines of GDPR Article 22, TIBCO’s Spotfire Data Science and TIBCO Statistica delivers a model lifecycle management and collaboration to maintain control and audit ability over analytic models deployed throughout the organization.
The Waterline Metadata Discovery Platform creates virtual catalog of the enterprise’s entire data estate as new data pours in. The company’s GDPR application is a new product specifically built for the platform. It provides the DPO and data stewards with deep-level assistance in complying with GDPR and other regulations by automatically identifying regulated subject data along with its contextual use and lineage.
The GDPR is sure to shake up the technology space. Businesses are handling more data every day, and these regulations give some of the power back to the individual electing to share personal details with companies they trust.
Woodhams points out that compliance must be a team effort. “It is not something that can be achieved in or by one part of the organization. Addressing GDPR compliance requires a coordinated strategy involving different organizational entities including legal, human resources, marketing, security, and IT. The subject matter may involve information collected from various entities, as well as coordinated communications and technology used.”
It is essential that organizations of all types and sizes consider the implications of GDPR regulations and take steps to ensure data processes and policies are compliant—or at least on the path towards compliance. SW
May2018, Software Magazine