This white paper summarizes how WhereScape® automation software can help your organization deliver key requirements of the General Data Protection Regulation (GDPR). It lays out the key new requirements that GDPR will demand from your business, and describes how WhereScape products can help you ensure they are met to avoid costly penalties. Once the GDPR comes into force on May 25, 2018, there will be a two-tiered sanction system with lesser incidents subject to a maximum fine of either €10 million (£7.9 million) or two percent of an organization’s global turnover (whichever is greater).
The European Union (EU) introduced its data protection standard through the Data Protection Directive 95/46/EC in 1995. The directive allowed Member States a lot of flexibility when implementing it into national law, and the EU ended up with many different laws. Since 1995, increased numbers of data security breaches, rapid technological developments, and increased globalization have brought new challenges for the protection of personal data. To address this, the EU adopted GDPR in May 2016, to come into effect on May 25th, 2018. It applies to all companies doing business with EU citizens, no matter where their operations are based, and replaces the previous regulation. The UK Government has announced that the regulation will be adopted by the UK, irrespective of Brexit.
The regulation applies to all living EU individuals’ identifiable personal data, regardless of where it is sent, processed or stored. The regulation states that the protection of personal data is one of the “fundamental rights... of natural persons.”
GDPR was essentially created to stop the misuse of personal data in intrusive, unwanted and/or unapproved marketing activities. After the ruling comes into play, companies will be required to prove that any data they are holding on anyone is necessary to the running of their business.
To ensure GDPR compliance, your organization will need to perform activities that fall into the following categories:
WhereScape 3D is designed to help you easily explore and understand your existing data assets. It is a comprehensive discovery and design tool that is ideal for the early planning stages of your GDPR approach and the ongoing tracking of data across your organization.
WhereScape 3D will enable your organization to identify the scope of your GDPR problem and identify where personal data relating to GDPR resides, providing valuable input to your GDPR roadmap.
WhereScape RED is designed for developing, deploying and operating data warehouse and big data solutions. Agnostic of the underlying platform, WhereScape RED’s automation capabilities can deliver your GDPR-compliant data infrastructure projects faster.
Within every organization, different and disparate data streams make it tough to create an easily auditable view of the data. WhereScape enables you to aggregate that data in one centralized location, and categorize and tag all the data types your company collects. You can then evaluate and explain, if asked, how each type is vital to your business or delete information that is not GDPR compliant before it results in a financial penalty.
This white paper explains how WhereScape’s data automation technology enables you to be proactive, by using WhereScape 3D to discover all data and tag defined elements such as data captures that contravene GDPR requirements. It also allows both new and existing customers to be reactive, by looking back through the full data lineage WhereScape creates and pulling together various strands of information to build a profile of a given customer on request.
WhereScape discovers and catalogs all existing data, flagging any item that is relevant for GDPR consideration. This means you can quickly identify and extract GDPR sensitive data to a centralized location for further analysis, adjustment and reporting to comply with GDPR.
WhereScape RED will then enable you to extract the data through to a repository from where you can perform critical data analysis, provision the data to data subjects upon request, and measure the success of fixing your data to become GDPR compliant.
A key requirement of GDPR will be your ability to locate, aggregate, extract and/or delete personal data on any subject on request. You will also be expected to rectify inaccurate data if required, and/or supply it in a clear and portable report for extraction. Any of these demands must be completed within a month of the original request.
The processing of data regarding racial/ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, or data concerning health, sex life or sexual orientation shall be prohibited.
This means you must know what data you have, where it is stored, and ensure it’s in a format that can be accessed quickly. It also means being able to easily adjust, delete or extract the affected data, which might be spread across multiple sources, as required for compliance with GDPR after June 2018. Where data is provided from a third party rather than direct from the data subject, you must provide details of who supplied it.
Defining the scope and scale of your existing problem early will provide critical information for your GDPR roadmap. Leaving this to the last minute may reveal a problem the scale of which cannot be resolved before GDPR comes into play, leaving you open to heavy fines if discovered. You will also need to monitor the impact of becoming GDPR compliant on other systems.
Identification
WhereScape 3D can quickly discover, explore, and profile sources for personal data from any source. It is fully source agnostic, analyzing both enterprise and big data sources. Existing data warehouses can be automatically and retrospectively discovered, profiled and documented once you connect them with WhereScape 3D. The sources can be rapidly assessed, with automatic generation of full documentation. This is particularly critical if your documentation is out of date or incomplete, as such defects can be flagged for your rectification.
Rectification
WhereScape 3D enables you to analyze source data, providing visibility at the table and column level, identifying and tagging those fields that contain relevant personal data. In cases where the field names are not obvious or there are fields whose purpose is not understood, inspection and rectification are essential for GDPR compliance. WhereScape 3D can help you assess the impact of changes in source systems throughout your data lifecycle, enabling you to identify the impact of making changes as you become GDPR compliant.
Extraction
WhereScape RED will ensure you have the data in a readily accessible environment to service the request. Extracting the data from the data structure for presenting to the data subject can be done with readily available tools and interfaces in a standard database environment.
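The three steps above (identify columns that hold personal data, including badly named ones; tag them by category; extract or erase a subject's record on request) can be shown end to end on a small table. The script below is an added example written for this page, not WhereScape's code or API. It assumes a constructed SQLite table called `customers` with a deliberately obscure column `field7` that actually holds e-mail addresses; the column-name hints, the regular expressions and the 80% match threshold are the example's own assumptions, and a real profiler would use a far richer rule set.

```python
import json
import re
import sqlite3

# Constructed sample rows (not from any real system) standing in for a CRM table.
SAMPLE_ROWS = [
    (1, "Ada Lovelace", "ada@example.org", "+44 20 7946 0000", "1815-12-10", "GB", 3),
    (2, "Bob Mensah", "bob.m@example.com", "+33 1 23 45 67 89", "1980-04-02", "FR", 7),
    (3, "Chen Wei", "chen@example.net", "+49 30 123456", "1975-09-30", "DE", 1),
]

# Value-shape patterns used when the column name gives nothing away (assumed heuristics).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?[\d\s().-]{7,}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Column-name tokens that suggest a personal-data category (assumed hint list).
NAME_HINTS = {
    "email": "contact:email", "phone": "contact:phone", "tel": "contact:phone",
    "mobile": "contact:phone", "name": "identity:name", "surname": "identity:name",
    "dob": "identity:birth_date", "birthdate": "identity:birth_date",
    "health": "special:health", "ethnicity": "special:ethnic", "religion": "special:religion",
}


def classify_column(name, values):
    """Tag one column from its name tokens and the shape of its non-null values.

    Returns a tag such as 'contact:email', or None when nothing suggests
    personal data. Name hints win; value patterns catch obscure names.
    """
    tokens = [t for t in re.split(r"[^a-z]+", name.lower()) if t]
    for token in tokens:
        if token in NAME_HINTS:
            return NAME_HINTS[token]
    strings = [str(v) for v in values if v is not None]
    if not strings:
        return None

    def share(pattern):
        return sum(bool(pattern.match(s)) for s in strings) / len(strings)

    if share(EMAIL_RE) >= 0.8:
        return "contact:email"
    if share(PHONE_RE) >= 0.8:
        return "contact:phone"
    if share(DATE_RE) >= 0.8:
        return "identity:birth_date"  # assumption: a date column in a person table
    return None


def profile_table(conn, table):
    """Discover columns of `table` that appear to hold personal data: {column: tag}."""
    cur = conn.execute(f'SELECT * FROM "{table}" LIMIT 1000')
    columns = [d[0] for d in cur.description]
    rows = cur.fetchall()
    tags = {}
    for i, col in enumerate(columns):
        tag = classify_column(col, [r[i] for r in rows])
        if tag:
            tags[col] = tag
    return tags


def extract_subject(conn, table, key_column, subject_id, tags):
    """Portable record of one subject's tagged fields, or None if absent.

    Table and column names come from the discovery step, never from the
    request itself; the subject id is bound as a parameter.
    """
    cols = list(tags)
    col_list = ", ".join(f'"{c}"' for c in cols)
    sql = f'SELECT {col_list} FROM "{table}" WHERE "{key_column}" = ?'
    row = conn.execute(sql, (subject_id,)).fetchone()
    if row is None:
        return None
    return {c: {"value": v, "category": tags[c]} for c, v in zip(cols, row)}


def erase_subject(conn, table, key_column, subject_id):
    """Delete a subject's row(s) for an erasure request; returns rows removed."""
    cur = conn.execute(f'DELETE FROM "{table}" WHERE "{key_column}" = ?', (subject_id,))
    conn.commit()
    return cur.rowcount


def build_demo_db():
    """In-memory SQLite table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, full_name TEXT, field7 TEXT,"
        " phone TEXT, dob TEXT, country TEXT, orders INTEGER)"
    )
    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    found = profile_table(db, "customers")
    print("tagged columns:", json.dumps(found, indent=2))
    print("subject 2 export:", json.dumps(extract_subject(db, "customers", "id", 2, found), indent=2))
    print("rows erased:", erase_subject(db, "customers", "id", 2))
```

Running it tags `full_name`, `phone` and `dob` from their names and `field7` from its values, which is the case the text calls out: a column whose name says nothing but whose contents are personal data. The export for one subject carries both the value and the category tag, so the report handed to the data subject also documents why each field was held.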
Data must be collected for specified, explicit and legitimate purposes. It should be relevant and limited to the precise reason for which it is collected. The data must be processed legally, fairly and with transparency. It must not be processed in an automated manner that profiles the subject and produces legal effects concerning them or similarly significantly affects them.
This is about the minimization of data collected. In the past, small amounts of data collected for relevant business purposes have been used to create a profile based on corresponding assumptions. Such profiling algorithms can build a personality type, to a surprisingly high degree of accuracy, that can then be marketed to for purposes that sit outside the reasons the original data was collected.
After GDPR comes into play, you will no longer be able to claim ignorance of the automated processes and algorithms employed to process data. Automation has matured, and you must be fully aware of what is being done with specific data strands within your organization that form part of automated processes. In short, a full audit trail is essential, and nuggets of data collected with permission must be kept in isolation, not used as a basis from which to build profiles of their subjects.
As well as helping you to use automated processes to better control how data is gathered and manipulated in the future, WhereScape can alert you to the potential non-compliant GDPR data you currently have and should address to avoid penalties.
The first step is to use WhereScape 3D to discover exactly which data streams are being fed into automated workflows, and to decide whether you can justify (a) why this data is processed in the first place, and (b) what actions you are then taking on it. For instance, is it being sold to third parties? Is it being used to form the basis of a profile from which you can assume facts or data that haven’t been specifically collected, proven to be true, or given with permission? Both could incur heavy penalties under GDPR rulings.
Label Data Sources
An internal audit of this kind can help you label and profile all data sources, where they come from and how they are being used. Being able to justify why you collect each data flow, and to show that any automated flows it feeds do not distort or change the purpose for which it was initially stored, will help your organization answer any GDPR-related inquiries.
User access must be controlled, monitoring must be performed, and alerts provided for breaches and encryption used where appropriate.
You must know who is able to access your data and what they are doing with it. Ignorance is no longer an excuse! It is up to you to control access to, and encrypt, all data your company holds. If you take the necessary security precautions but your data is still accessed illegally, you must have measures in place that alert you to this immediately, so you can prove you are aware of the breach and acting upon it in good time.
Most data these days is held in on-premises or cloud storage, of course, but this section of the regulation also applies to portable data sources such as memory sticks, CDs and laptops. Think of the various times the news has reported laptops containing sensitive information left in the back of taxis!
While human error often cannot be accounted for, the company responsible for the collection and ownership of the data must have a security strategy in place to protect data wherever possible, and must ensure these precautions are clearly communicated to staff: for instance, a policy that work laptop passwords must be changed every month.
Identify Relevant Data and Systems
WhereScape 3D can help by performing a retrospective audit to ensure uniform, rigorous measures are in place to protect data and avoid future fines.
Build Secure Data Ecosystems
WhereScape RED can rapidly build data marts and warehouses that comply with the security demands of GDPR. Automated code generation to strict best practices ensures data structures are secure, with controlled user access and alerts in case a breach should occur.