GDPR 101: Core Requirements Overview & How GDPR Affects Your Business

Image by Pete Linforth from Pixabay

INTRODUCTION

I recently wrote about how GDPR is forcing the tech industry to rethink identity management & authentication. Soon after, it occurred to me that not everyone may be up to date with what GDPR means for their business. Although tech giants are already compliant — or at least trying to get there — many startups and small to mid-sized companies may still be struggling to figure out how GDPR affects them. If you are among them, this post is my attempt to describe and simplify GDPR and its requirements, so that they can become actionable items in your company’s/department’s to-do list.

Disclaimer: Although based on real-life industry experience, this post is my interpretation of the GDPR law and is solely intended to convey general information. It is not meant to provide legal advice or opinions. Each company must check with their own legal counsel for more information on how GDPR affects their particular business entity.

WHAT IS GDPR?

GDPR stands for General Data Protection Regulation. It is a European Union law that creates new rules for companies that offer goods and services to or that collect and analyze data tied to citizens of the European Union.

The new rules aim to:

1. Enhance personal privacy rights
2. Increase duty for protecting data
3. Mandate breach reporting
4. Allow for significant penalties for non-compliance

ROLES

To facilitate a clear path to compliance, a company needs to define clear roles within each product/service area it is offering. These roles will help determine how data is manipulated and acted upon throughout its lifetime in a system. At its core, the GDPR law could be thought of as having mandated three roles: the Data Subject, the Data Controller, and the Data Processor. For every product or service, you would need to identify which “parts” of your business are fulfilling each one of these roles. Once identified, they will be easy to address and improve on accordingly.

1. Data Subject — an identified or identifiable natural person
2. Data Controller — people and/or systems that determine the purpose behind personal data processing
3. Data Processor — people and/or systems that controllers have tasked with processing activities

In the context of a company, the data subject is usually the end-user. Users interact with services on sites or apps. They are either being pixeled and tracked and/or are providing their personal identifiable information directly to you.

The data controller is a two-fold concept. On one side, it includes the part of a product that is physically storing the collected data. This can be in a database on the cloud or on-premise or even physical files like folders, hard drives, papers, etc. For savvy companies, this role is usually fulfilled by another product, such as CRM, CMS, AMS, LMS, etc. On the other side, the people curating this central information repository are also part of the equation — they are the data controllers for the company.

The data processor could be many things, but in general it is the people and systems that are processing the collected data for business intelligence, reporting, integrations, APIs, etc. These activities could either be done in-house or outsourced to implementation partners. Regardless, the data being processed is provided by your data controller, so whoever is tasked with processing the data must comply with your company’s rules.

To help clarify these three key roles further, I put together a sample list of the rights and responsibilities associated with each one of them. Each item in this list should be taken into consideration and implemented as needed within your own products/services.

Disclaimer: This list is meant as a starting point and is certainly not comprehensive. Each company must define their own roles and sub-roles and the rights for each of them to better fit their unique use case and business model.

Rights/Activities/Responsibilities

Data Subject

• The right to provide consent
• The right to withdraw consent
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• Rights in relation to automated decision making and profiling

Data Controller

• Manage end-user notification, consent, and withdrawal of consent
• Decide what data gets exposed to processors
• Decide what connections (where end-user data and passwords reside) to use
• Sign up and, if necessary, create new users
• Ensure users meet the age requirements and obtain the appropriate consent if necessary (such as parental consent for children)
• Implement the mechanisms necessary for the end-users to retrieve, review, correct, or remove personal data
• Delete user data after receiving right-to-be-forgotten requests
• Provide data in standardized formats
• Respond to end-users’ privacy-related requests (DSAR)
• Respond to communications from the European Union Data Privacy Authorities
• Send data breach notifications to supervisory authorities and end-users
• Select an EU tenant when setting up their tenants

Data Processor

• Notify the data controller if end-users are exercising their GDPR rights to access, delete, or anonymize their data
• Notify the data controller of requests from EU Data Privacy Authorities (unless prohibited by law enforcement)
• Notify the data controller if it becomes aware of a confirmed security breach
• Provide information on company policies and practices through a privacy policy, terms of service, security statement, data protection agreement, etc.
• Define its services and features, how data is processed, and the rights and obligations of customers
• Provide the means to enable customers to retrieve, review, correct, or delete customer data
• Provide a mechanism for customers to display consent terms and a consent agreement

NOW WHAT?

Now that the key roles which must be in place for a company to become GDPR-compliant have been clearly defined, let’s look at actions/activities that companies should take in preparation for compliance. For larger organizations, creating an actionable list of activities might be quite an undertaking, but it is necessary and will ultimately make your products better prepared if Congress passes a similar law to GDPR in the States.

The five core activities include:

1. Discover — identify what personal data you have, where it resides, and how it gets communicated to other entities.
2. Manage — identify the SOPs that govern how personal identifiable user data is used and accessed within your organization.
3. Protect — establish security controls to prevent, detect, and respond to vulnerabilities and data breaches. Encrypt and take security measures and anonymize data whenever possible or upon request.
4. Report — proper reporting involves both transparency and creating and retaining records of all activities regarding personal data.
5. Act — identify different roles that can take a particular set of actions on your data.

If you are utilizing AWS or Azure as your cloud provider, the below should help you get started with some activities you’ll have to undertake. Most cloud providers offer some sort of functionality out of the box that, once enabled, should get you halfway to compliance. Some you will have to implement within your service architecture.

• Transparent Data Encryption — always encrypt data! This should be done at rest as well as when being utilized in real time.
• Implement row-level security.
• Dynamic Data Masking — this is usually done for social security numbers and credit cards but should be done for other personal data fields as well.
• SQL Database Threat Detection — your cloud service provider should have something you can use to have active threat-detection resources available at all times. You can alternatively utilize your security team.
• SQL Server Audit and Auditing for AWS/Azure Database — it goes without saying, you should always be auditing any database you utilize. The larger the database, the more frequent the audits should be.

TOOLS & RESOURCES

If you’re looking for more information on GDPR, I recommend the following links:

• https://ec.europa.eu/info/law/law-topic/data-protection_en
• https://www.microsoft.com/en-us/trust-center/product-overview
• https://aws.amazon.com/compliance/gdpr-center/

For cloud customers, you may refer to the following GDPR compliance tools available to you:

• Service Trust Portal — provides GDPR information resources, but it also can be used to take actions on stored data
• Security and Compliance Center — Office365 Admin Center is another portal for taking actions
• Office 365 Advanced Data Governance — for classifying data
• Azure Information Protection — for tracking and revoking documents
• Compliance Manager — for tracking regulatory compliance
• Azure Active Directory Terms of Use — for obtaining user-informed consent