1 Executive Summary and Highlights
The EU GDPR (General Data Protection Regulation), which becomes effective on May 25th, 2018, will affect organizations worldwide that hold or process personal data relating to people resident in the European Union. The definitions of both personal data and processing under GDPR are very broad, and processing is only considered lawful if it meets a set of strict criteria. GDPR also gives data subjects extended rights to access, correct and erase their personal data, as well as to withdraw consent to its use. The sanctions for non-compliance are severe, with penalties of up to 4% of annual worldwide turnover. Critically, the organization that collects the personal data, called the Data Controller, is responsible for both implementing and demonstrating compliance.
KuppingerCole has identified six immediate actions that organizations holding personal data need to take to ensure compliance with this regulation when it comes into force; these are:
- discover the personal data held;
- implement controls on how this data is processed;
- ensure processing meets data subjects’ rights;
- assure that outsourced processing is compliant;
- update and test the processes for managing a data breach to include the new requirements for notification;
- implement data protection by design and default.
While most organizations will be aware of where personal data is used as part of their normal business operations, many also use this data indirectly, for example as part of test and development activities. Because of the wide definition of processing given in GDPR, this use is also covered by the regulation. The Data Controller is responsible for demonstrating that this use of personal data is fair and lawful. If this can be shown, the Data Controller will also need to be able to show that this processing complies with all the other data protection requirements.
However, organizations can avoid these risks and costs by using data masking techniques to remove personal data where it is not needed for business purposes. GDPR accepts the use of pseudonymisation as an approach to data protection by design and default. In addition, the Data Controller can take account of the existence of appropriate safeguards, which may include encryption or pseudonymisation, when considering processing the data for purposes other than those for which it was collected. However, there is still an element of risk relating to the reversibility of this form of protection, and the Data Controller must manage this risk through the appropriate choice of tools.
The Delphix Dynamic Data Platform enables organizations to discover, manage and secure personal data used for non-production purposes in a way that complies with GDPR. Its data discovery service can identify sensitive data within the scope of GDPR held in a wide variety of data sources. It provides governance and control over the distribution of non-production data, allowing where it is used to be managed. It can anonymize personal data in a way that removes the data from the scope of GDPR while still retaining the relationships that make it useful for development and testing.
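The two points made above, that masking must preserve the relationships test and development depend on, and that the reversibility of pseudonymisation is a risk the Data Controller has to manage, can be illustrated with a small keyed-pseudonymisation routine. This is an added example written for this summary; it is not Delphix code, and the two tables, the join column and the function names are constructed for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed sample data (not real records): two tables joined on the e-mail column.
CUSTOMERS = [
    {"email": "anna@example.org", "name": "Anna Example", "city": "Lyon"},
    {"email": "bo@example.org", "name": "Bo Example", "city": "Kiel"},
]
ORDERS = [
    {"order_id": 1, "email": "anna@example.org", "amount": 40},
    {"order_id": 2, "email": "anna@example.org", "amount": 12},
    {"order_id": 3, "email": "bo@example.org", "amount": 7},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so joins survive.
    The mapping can only be rebuilt by whoever holds the key, which is why the
    Data Controller keeps the key out of the non-production environment."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_tables(customers: list, orders: list, key: bytes):
    """Replace direct identifiers but keep the join column consistent across tables."""
    masked_customers = [
        {"email": pseudonymise(c["email"], key), "name": "REDACTED", "city": c["city"]}
        for c in customers
    ]
    masked_orders = [
        {"order_id": o["order_id"], "email": pseudonymise(o["email"], key), "amount": o["amount"]}
        for o in orders
    ]
    return masked_customers, masked_orders


def orders_per_customer(customers: list, orders: list) -> list:
    """A typical test query; its result must be identical before and after masking."""
    return sorted(sum(1 for o in orders if o["email"] == c["email"]) for c in customers)


def leaks_original_values(masked_rows: list, original_values: set) -> bool:
    """Check that no original identifier survived in the masked copy."""
    return any(r["email"] in original_values for r in masked_rows)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the controller, never shipped with the copy
    mc, mo = mask_tables(CUSTOMERS, ORDERS, key)
    assert orders_per_customer(CUSTOMERS, ORDERS) == orders_per_customer(mc, mo)
    print(mo)
```

Because the tokens are reversible by anyone holding the key, the masked copy is pseudonymised rather than anonymised; destroying the key once the copy is made is what turns it into data outside the scope of the regulation.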
In summary, the Delphix Dynamic Data Platform, when correctly used, can help organizations reduce the costs and risks associated with the use of personal data for non-production purposes when GDPR comes into force.