Is your application, be it desktop or mobile, GDPR ready? The question seems rhetorical, especially since the act seems geared towards protecting the privacy of data subjects in any of the EU member states. On the face of it, the Act does appear to be process oriented, aiming to make safeguarding the privacy of data subjects part of the BAU (business as usual) of any organization.
So, is there any relevance to the question “Is your application GDPR compliant?” In the two years of hype and cry over GDPR compliance, most companies were literally sleeping on it for about 20 months and then walking about in a groggy fashion for the remaining four, hoping against hope that the deadline would be extended. What I have seen, almost without exception, is organizations jostling to complete the data mapping exercise, the DPIA (Data Protection Impact Assessment), or worrying about the DPO (Data Protection Officer) function. Speaking to many clients on the subject of GDPR, one key aspect dawned on me that most companies have missed out on: GDPR application compliance.
Let me explain. Let’s assume you are a Travels and Tourism company (you can replace this vertical with your own enterprise vertical and gauge) and you are storing the data of your clients. Since you are a large enterprise, needless to say, your data is locked up in your customized ERP system. Now, with GDPR coming into force, your client would like a download of his personal data on your systems (Article 20 – “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”). So, how do you go about it? In the traditional manner, you ask your database administrator to set up some “Select” queries and churn out the data from your databases… a time- and resource-intensive task for which you cannot even charge your client!
Now, imagine the state of affairs if a hundred of your clients ask for their data… most probably your database administrator will quit his job. AND this is just ONE of your obligations to the data subjects whose data you are storing. There are many, many more such obligations, such as:
- Article 20 of GDPR also states that this data download or data portability should be provided in a commonly used format. This means you cannot get away by saying “My super customized system provides data in this proprietary format only, take it or leave it!”
- Storing exact records of how consent was provided by the data subject. This will be a massive pain especially since the data subject can vehemently deny that he ever provided consent.
- Ensuring that the data was stored in a sanitized manner.
- In case you are a processor, the data subject would not be able to contact you directly, but the controller can demand data of the data subjects in any ad-hoc combinations as per the requests they might receive.
- Data subjects may request to have their data deleted for a specific time period… imagine doing this manually using direct DB access.
- Rec.39; Art.5(1)(a) – “Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject”. This change imposes an additional compliance burden on organizations (albeit one that is implied under the Directive). It requires that organizations take additional care when designing and implementing data processing activities and in their applications. Remember, in case of any query or complaint, you will have to prove that your processes and applications were adhering to this requirement.
- Rec.29, 71, 156; Art.5(1)(f), 24(1), 25(1)-(2), 28, 39, 32 – “Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures”. This doesn’t just point at your BAU processes but also at the way your applications are storing, processing or transmitting private information.
- Rec.39; Art.5(1)(e) “Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” This applies to data in your live systems as well as in your backup tapes.
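To make the point concrete, here is an added example (not code from the original post or from VISTA InfoSec) of what “building the obligations into the application” can look like: an append-only consent ledger, a machine-readable (JSON) export for the Article 20 request, an erasure request limited to a time window, and a storage-limitation purge. The data set, record layout and function names are all assumptions constructed for the example; a real system would wire the same hooks to its own data model and audit logging.

```python
"""Added example, not from the original post: application-level hooks for
several of the GDPR obligations listed above, run over a constructed
in-memory data set. All names, fields and sample values are assumptions."""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timedelta, timezone


@dataclass
class ConsentEvent:
    purpose: str        # e.g. "marketing"
    granted: bool       # True = consent given, False = withdrawn/refused
    recorded_at: str    # ISO-8601 UTC timestamp of the event
    source: str         # where consent was captured (web form, call centre, ...)


@dataclass
class Booking:
    booking_id: str
    destination: str
    booked_at: str      # ISO-8601 UTC timestamp


@dataclass
class DataSubject:
    subject_id: str
    name: str
    email: str
    last_activity: str  # ISO-8601 UTC timestamp, drives the retention purge
    consents: list = field(default_factory=list)
    bookings: list = field(default_factory=list)


def _iso(dt):
    return dt.replace(microsecond=0).isoformat()


def _parse(s):
    return datetime.fromisoformat(s)


def record_consent(subject, purpose, granted, source, when):
    """Append-only: the ledger is never overwritten, so the exact history
    of how (and whether) consent was given can be replayed later."""
    subject.consents.append(ConsentEvent(purpose, granted, _iso(when), source))


def current_consent(subject, purpose):
    """The latest recorded decision for a purpose wins; no record = no consent."""
    decision = False
    for ev in subject.consents:
        if ev.purpose == purpose:
            decision = ev.granted
    return decision


def export_subject(subject):
    """Article 20 portability: everything held on the subject, as JSON."""
    return json.dumps(asdict(subject), indent=2, sort_keys=True)


def erase_bookings_between(subject, start, end):
    """Erasure limited to a time window; returns the number of records removed."""
    before = len(subject.bookings)
    subject.bookings = [b for b in subject.bookings
                        if not (start <= _parse(b.booked_at) <= end)]
    return before - len(subject.bookings)


def purge_inactive(store, now, retention):
    """Storage limitation: drop subjects inactive for longer than the
    retention period. Returns the purged ids so the same purge can be
    replayed against backups."""
    expired = [sid for sid, s in store.items()
               if now - _parse(s.last_activity) > retention]
    for sid in expired:
        del store[sid]
    return expired


def build_sample_store():
    """Constructed sample data (not real customers)."""
    t0 = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)
    alice = DataSubject("s-001", "Alice Example", "alice@example.invalid", _iso(t0))
    record_consent(alice, "marketing", True, "web-form", t0)
    record_consent(alice, "marketing", False, "call-centre", t0 + timedelta(days=30))
    alice.bookings = [Booking("b-1", "Lisbon", _iso(t0 + timedelta(days=1))),
                      Booking("b-2", "Rome", _iso(t0 + timedelta(days=100)))]
    bob = DataSubject("s-002", "Bob Example", "bob@example.invalid",
                      _iso(t0 - timedelta(days=800)))
    return {"s-001": alice, "s-002": bob}


def demo():
    """Walk through the four obligations on the sample store."""
    store = build_sample_store()
    alice = store["s-001"]
    exported = json.loads(export_subject(alice))
    removed = erase_bookings_between(alice,
                                     datetime(2018, 5, 1, tzinfo=timezone.utc),
                                     datetime(2018, 6, 30, tzinfo=timezone.utc))
    purged = purge_inactive(store, datetime(2019, 1, 1, tzinfo=timezone.utc),
                            timedelta(days=730))
    return {"marketing_consent": current_consent(alice, "marketing"),
            "exported_bookings": len(exported["bookings"]),
            "removed": removed, "purged": purged, "remaining": sorted(store)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design choices carry the compliance weight: the consent ledger is append-only, so a later dispute is settled by replaying the events rather than by whatever flag happens to be set today, and the purge returns the list of identifiers it removed, which is what you need to apply the same deletion to backup copies rather than only to the live database.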
Now, these are just a few of the points that come to mind… there are many, many more norms which your organization would want to automate, unless you intend to spend a lot of time in the office, including weekends, doing these activities manually. If you are an organization selling customized software applications or even COTS (Commercial off the Shelf) products, tell me why any company would want to buy your applications, or continue using them, if they may end up spending a humongous amount of time doing donkey work?
If you are a software development company and wish to continue doing business in the EU, your safest bet is to ensure that your application platforms and software development norms are GDPR “friendly”. If you are a company doing software development for captive usage, investing in making your software GDPR “compatible” will pay for itself almost immediately.
Over the past few months, we have guided many companies in getting their applications GDPR “compatible” or “friendly”. Do let me know if you have any queries; I would love to take them up. Happy Compliance!
Got comments? Did I miss something? Comment below…
Narendra S Sahoo is the Director at VISTA InfoSec. He is a PCI QSA, CISSP, CISA, CRISC, and ISO27001 certified LA. VISTA InfoSec is a PCI QSA company providing vendor neutral consulting services in the areas of Information Risk Compliance and Infrastructure Advisory Services.
For more information, mail me at Narendra@vistainfosec.com.
Visit us at http://www.vistainfosec.com
Follow us at https://twitter.com/vistainfosec