Consultingwerk Blog

European General Data Protection Regulation

by Kristina Rümmler | Jun 28, 2018

In some way, shape or form, the new European General Data Protection Regulation (GDPR) affects the vast majority of businesses across the world. There is no getting away from it. But even though the date for enforcement – 25 May 2018 – has passed, a lot of businesses still don’t have a solid strategy in place. So, what is it, who does it affect, and what should I be doing about it? I will attempt to answer all these questions and more in this blog.

This is not legal advice, and should not be seen as such. It is an exposé of some of the issues surrounding the legislation and an overview of how some of the OpenEdge products might be leveraged to help your business become GDPR compliant. Consultingwerk is a technology consulting organization – not a law firm.


What is GDPR?

GDPR is new legislation brought in across the EU member states. It is an attempt to bring the legislation of the 1998 Data Protection Act into the 21st century. 20 years ago the way data was collected was completely different from today. Whilst there were many computers in homes, mobile devices were much fewer in number, and a lot less connected. Today almost every EU individual has multiple connected devices.

The result of this device explosion is that vast amounts of data are collected about every user, and the vast majority of it is irrelevant to the running of the business that controls that data. Why does Google really need to know what sort of pizza I like, or how much weight I’ve gained or lost in recent months? Add to the device explosion the fact that people carry connected devices on their person up to 24 hours a day, and you see that people can be marketed to at any point, whatever activity they are doing.

The GDPR legislation aims to protect the personal data of all EU citizens by restricting the way the data is stored and used by controllers and processors of data, and by giving the individual greater control over their own data. It also restricts organizations from storing data that is not relevant to the relationship they have with an individual.


Who does it affect?

The GDPR legislation affects the data of all EU citizens. As a result, the location of the company holding the data is irrelevant; what matters is the individual to whom the data relates. Small companies are not exempt from the regulation. The only exemptions apply on the basis of the level of risk the data held poses. To find out whether you are exempt, please talk to your legal representation or a privacy professional.

If you conduct business within the EU, or you collect, process and/or store personal data of EU citizens, you should assess your potential risk of not adhering to GDPR requirements.


What are the requirements?

Individuals have the right to access all their personal data held on file in a company’s systems. The data must be provided without undue delay in a machine-readable format. Additionally, they have the right to request that their data be amended or even erased from all copies.

A note to database designers who are having nightmares about their referential integrity: erasure does not mean you have to remove the record and break referential integrity. It is sufficient to anonymize the record so that all personal data is removed, while keeping the key and the data integrity intact.
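The two obligations above (providing a subject’s data in a machine-readable format, and erasure by anonymization that keeps keys and referential integrity intact) in one runnable sketch. This is an added example, not code from the original post, from Consultingwerk or from Progress: it uses plain Python over a small constructed customer/order data set rather than ABL against a real OpenEdge database, and the table and field names (Customer, Order, CustNum, Name, Email, Phone, Address) are assumptions made for the illustration.

```python
"""
Subject access export and right-to-erasure by anonymization (added example).

Models two tables of a simplified, constructed customer/order schema in plain
Python so the logic runs stand-alone. In an OpenEdge application the same steps
would be an ABL procedure over the real tables; the table and field names here
are assumptions, not the schema of any actual product.
"""
import json
from copy import deepcopy

# Constructed sample data. Orders reference Customer via CustNum (a foreign key).
CUSTOMERS = {
    1: {"CustNum": 1, "Name": "Anna Example", "Email": "anna@example.org",
        "Phone": "+49 221 0000000", "Address": "Musterstr. 1, Cologne", "Country": "DE"},
    2: {"CustNum": 2, "Name": "Ben Sample", "Email": "ben@example.net",
        "Phone": "+44 20 0000 0000", "Address": "1 Sample Road, London", "Country": "GB"},
}
ORDERS = [
    {"OrderNum": 100, "CustNum": 1, "Total": 250.00},
    {"OrderNum": 101, "CustNum": 1, "Total": 19.99},
    {"OrderNum": 102, "CustNum": 2, "Total": 80.00},
]

# Fields that hold personal data and must be scrubbed on erasure. The key
# (CustNum) and non-identifying business fields stay so that joins still work.
PERSONAL_FIELDS = ("Name", "Email", "Phone", "Address")


def export_personal_data(customers, orders, cust_num):
    """Answer a subject access request: everything held about one individual,
    serialised as JSON (a machine-readable format)."""
    if cust_num not in customers:
        raise KeyError(f"no customer {cust_num}")
    payload = {
        "customer": customers[cust_num],
        "orders": [o for o in orders if o["CustNum"] == cust_num],
    }
    return json.dumps(payload, indent=2, sort_keys=True)


def anonymize_customer(customers, cust_num):
    """Honour an erasure request without deleting the row.

    Personal fields are overwritten with format-preserving placeholders (so an
    existing validation rule such as 'Email must contain @' keeps passing), the
    primary key is untouched, and a marker records that the record was erased.
    """
    cust = customers[cust_num]
    placeholders = {
        "Name": "Erased Customer",
        # .invalid is a reserved TLD (RFC 2606), so this can never reach a real mailbox.
        "Email": f"erased-{cust_num}@erased.invalid",
        "Phone": "",
        "Address": "",
    }
    for field in PERSONAL_FIELDS:
        cust[field] = placeholders[field]
    cust["Erased"] = True
    return cust


def referential_integrity_ok(customers, orders):
    """True when every order still points at an existing customer row."""
    return all(o["CustNum"] in customers for o in orders)


def personal_data_remaining(customers, cust_num, original_values):
    """Return the original personal values that can still be found anywhere in
    the anonymised record. Expected to be empty after a successful erasure."""
    record_text = json.dumps(customers[cust_num]).lower()
    return [v for v in original_values if v and v.lower() in record_text]


if __name__ == "__main__":
    before = deepcopy(CUSTOMERS[1])
    print(export_personal_data(CUSTOMERS, ORDERS, 1))
    anonymize_customer(CUSTOMERS, 1)
    print("integrity ok:", referential_integrity_ok(CUSTOMERS, ORDERS))
    print("leaked:", personal_data_remaining(CUSTOMERS, 1, [before[f] for f in PERSONAL_FIELDS]))
```

The leak check at the end is the part worth keeping in a real implementation: it is easy to scrub the obvious columns and forget a free-text notes field or a denormalised copy of the name on the order. Erasure also has to reach every copy of the record (dumps, warehouses, replicas), which is where the post’s later remarks on Change Data Capture become relevant.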

Data Controllers are obligated to provide Privacy by Design, and Privacy by Default. It is no longer acceptable, for example, to automatically opt people in to marketing. Some organisations are required to provide Data Protection Impact Assessments – your legal professional will be able to advise you if you need one or not. Another requirement is to be able to provide a record of processing activities under the controller’s control. And any breaches of data must, in most cases, be reported to the relevant authorities within 72 hours of becoming aware of the breach.

Data processors must process the data within the guidelines set out by the data controller. They must also ensure that appropriate technical and organizational measures are in place to ensure the security is appropriate to the level of risk of the data they are processing.


What can I do about it?

In terms of your organisation, there are many things you can do to prepare. That advice is beyond the scope of this post; reach out to your lawyer or privacy professional. In terms of your OpenEdge application, there are technologies within the product that you can leverage to assist you in your quest for GDPR compliance.

  • Progress Application Server for OpenEdge (PASOE)
    Industry standard security and authentication via Tomcat and Spring Security. The security of PASOE is greatly improved compared to that of the classic AppServer, and transferring your current Application Server use to PASOE is not difficult.
  • OpenEdge Transparent Data Encryption (TDE)
    Protects data in all or part of your database while it is at rest. Database extents, binary and ASCII dumps, etc. are no longer human readable. If someone steals your database they cannot decrypt it without the key. It can also be implemented without any changes to your application itself, as encryption and decryption are managed by the database engine. In addition, this can be used to show auditors that sufficient action has been taken to secure data.
  • OpenEdge Authentication Gateway (OEAUTH)
    Provides a single point of authorization for all clients and access points to your data. Without a valid Client Principal no process may access any data within the database.
  • OpenEdge 11.7
    If you haven’t already upgraded to 11.7 then now is a good time to do so. Included in the box are various security updates, including an upgrade to OpenSSL. With 11.7 you have access to the most current standards for TLS, SSL and SNI.
  • OpenEdge Change Data Capture (CDC)
    Tracks changes to personal data across the database. If the same database is also used to populate data warehouses or other systems, CDC can easily be used to propagate changes in the master OpenEdge database to all of them.
  • OpenEdge Multi Tenancy
    If you store data for multiple organisations in the same database, you need to be able to ensure that users from Customer A cannot see the data for Customer B. Multi Tenancy allows you to partition the data by the tenant that owns it, and thus keeps it secure. The database structure is shared between customers but the data is ringfenced.

If you need advice, training, or suggestions on how to implement any of the above features in your system, please contact us; we will gladly discuss your options and concerns with you.


Conclusions

GDPR will affect your business in some way. It is quite a complex law, and only time will tell how it will actually be applied. At the moment there are many different interpretations of how to apply the regulations. So, it’s important to assess your compliance now, and to continue to do so as the law becomes bedded in. A large amount of it is common sense, but if you have concerns or questions about the law, then please reach out to your lawyer sooner rather than later.


For more information, contact us!