The European Union's General Data Protection Regulation is a broad set of rules delineating how personal data should be managed through its lifecycle.
The actual GDPR requirements are heavy reading, and applying them to real-world use cases is a challenge for any but experts in governance. The problem is that GDPR goes into effect in May 2018, and this creates a challenge for all involved.
The rules actually make a lot of sense in light of both government-level snooping and hacker attacks. Stemming from the belief that personal data is an important asset for an individual, GDPR sets out rules for storage, access and management for as long as a computing entity stores the data. Encryption is key, for instance, and GDPR also covers tracking who can access data, the location of copies and the rights of the subject to view and amend any personal data stored.
Get up to speed on GDPR requirements
IT vendors are stepping up to the plate in two ways. Many offer education and support on GDPR to their customers. White papers provide details, while infographics suggest basics such as "12 steps to GDPR compliance."
A deep dive into these charts, though, highlights a need for major changes in the customers' IT culture, most notably in data discipline. Consulting help is often needed, either by training a GDPR implementation manager as an internal consultant or by bringing in an outside specialist.
GDPR requirements apply equally to in-house operations and software-as-a-service providers, and companies are required to ensure their SaaS partners are compliant.
Organizations shouldn't take a bland assertion of compliance, but should do a governance audit of SaaS vendors. GDPR has teeth, in the form of substantial compensation for hacked data, for example.
Cloud service providers (CSPs) also carry a compliance burden, which is a change from older European Union regulations. Amazon Web Services (AWS), for example, has stepped up its game on the encryption of data at rest and supports tenant-owned keys explicitly. It also offers a tool, AWS Macie, which uses machine learning to classify data.
On the education side, there is a webpage dedicated to GDPR requirements, and Amazon has a team to educate and support customers in transition. The other major CSPs have similar efforts.
What needs to happen
Clearly, there is a lot of help out there to educate and plan a transition to compliance. Software, ultimately, has to change. Data records and files need to be treated differently if they contain personal data.
Among the needs are additional tracking for data copies, controls for lifecycle management and data subject access. The good news is that most European Union software vendors and customers have seen the light, though in-house code -- and especially any COBOL -- is lagging.
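The three software needs just listed (tracking copies, lifecycle controls and data subject access), as an added example that is not from the article or any vendor: a small Python register that records where every copy of a personal-data record lives, enforces a retention period, and answers a subject access or erasure request across all copies. The class names, record layout, storage locations and sample records are all constructed for the illustration.

```python
"""Added example: a minimal personal-data register.

Everything here (PersonalRecord, PersonalDataRegister, the location names and
the sample data) is constructed for illustration, not taken from the article.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class PersonalRecord:
    """One unit of personal data plus the metadata needed to manage it."""
    record_id: str
    subject_id: str          # whose data this is
    purpose: str             # why it was collected
    created: date
    retention_days: int      # lifecycle control: how long it may be kept
    data: dict
    copies: set = field(default_factory=set)  # every location holding a copy

    def expires_on(self) -> date:
        return self.created + timedelta(days=self.retention_days)


class PersonalDataRegister:
    """Tracks where copies of each record live, enforces retention and
    answers subject access / erasure requests across every copy."""

    def __init__(self) -> None:
        self._records: dict[str, PersonalRecord] = {}
        self.audit_log: list[tuple] = []  # (action, record_id, location)

    def store(self, record: PersonalRecord, location: str) -> None:
        self._records[record.record_id] = record
        record.copies.add(location)
        self.audit_log.append(("store", record.record_id, location))

    def copy(self, record_id: str, src: str, dst: str) -> None:
        """A copy may only be made from a registered location, so the
        register never loses sight of where personal data has spread."""
        rec = self._records[record_id]
        if src not in rec.copies:
            raise ValueError(f"{src} is not a known location for {record_id}")
        rec.copies.add(dst)
        self.audit_log.append(("copy", record_id, dst))

    def expired(self, today: date) -> list[str]:
        return [rid for rid, r in self._records.items() if r.expires_on() <= today]

    def purge_expired(self, today: date) -> list[tuple[str, str]]:
        """Lifecycle control: delete every copy of every expired record."""
        removed: list[tuple[str, str]] = []
        for rid in self.expired(today):
            removed.extend(self._delete_all_copies(rid))
        return removed

    def subject_access(self, subject_id: str) -> dict:
        """Subject access request: everything held about one person, with the
        purpose of each record and the locations of its copies."""
        self.audit_log.append(("access", subject_id, "*"))
        return {
            rid: {"purpose": r.purpose, "expires": r.expires_on().isoformat(),
                  "copies": sorted(r.copies), "data": dict(r.data)}
            for rid, r in self._records.items() if r.subject_id == subject_id
        }

    def erase_subject(self, subject_id: str) -> list[tuple[str, str]]:
        """Right to erasure: remove every copy of every record of the subject."""
        targets = [rid for rid, r in self._records.items() if r.subject_id == subject_id]
        removed: list[tuple[str, str]] = []
        for rid in targets:
            removed.extend(self._delete_all_copies(rid))
        return removed

    def _delete_all_copies(self, record_id: str) -> list[tuple[str, str]]:
        rec = self._records.pop(record_id)
        removed = [(record_id, loc) for loc in sorted(rec.copies)]
        for _, loc in removed:
            self.audit_log.append(("delete", record_id, loc))
        return removed


def build_sample_register() -> PersonalDataRegister:
    """Constructed sample data: two subjects, one record copied to a backup."""
    reg = PersonalDataRegister()
    reg.store(PersonalRecord("ord-1", "cust-42", "order fulfilment", date(2018, 1, 10),
                             90, {"name": "A. Example", "city": "Berlin"}), "orders-db")
    reg.copy("ord-1", "orders-db", "nightly-backup")
    reg.store(PersonalRecord("mkt-1", "cust-42", "marketing consent", date(2018, 4, 1),
                             365, {"email": "a@example.invalid"}), "crm")
    reg.store(PersonalRecord("ord-2", "cust-77", "order fulfilment", date(2018, 4, 20),
                             90, {"name": "B. Example"}), "orders-db")
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.subject_access("cust-42"))
    print(reg.purge_expired(date(2018, 5, 25)))
    print(reg.erase_subject("cust-42"))
```

The design point is the copy set: because a copy can only be made from a location the register already knows about, a retention purge or an erasure request reaches the backup as well as the primary store, which is exactly where ad hoc in-house code tends to fall short.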
One problem is that GDPR is, in reality, a global initiative. If, for example, a U.S. business sells T-shirts to Germany, the personal data of the buyers must be protected under GDPR. This is an issue that cannot be ignored. There is a penalty of 4% of global annual revenue for deliberate noncompliance, as well as possible compensation.
The reality is that GDPR is, like the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, an attempt to get businesses to do something that they've ignored until now, which is to actively protect customers' personal data. With the fixes in place in software and CSP services used in Europe, extending GDPR requirements to U.S. data is not a big step, and it would address a woeful deficiency in data security.