GDPR Compliance for DevOps: Data Privacy and Information Protection
What information does your company collect on individuals? How do you collect, share, manage and destroy private information? This is not a minor consideration, as penalties for non-compliance under the new EU General Data Protection Regulation are considerable. If you do business with Europeans, your business needs to develop and implement proper data privacy handling procedures by May 25, 2018.
As that’s less than a year away and fines run up to four percent of annual global turnover, compliance procedures should already be well on their way, or at least an action plan should be in place. Unfortunately, that isn’t the case: a recent security survey notes that only 15.7% of UK and US companies are in advanced stages of planning and that 24% of organizations will not meet the deadline. Many companies will simply give up on doing business in Europe; 14.2% in the same survey say they will divest their European operations.
While new procedures are sometimes daunting and require additional resources, effective data privacy handling processes make sense both from a compliance point of view and from the point of view of respecting the needs of your consumers. Non-compliance is not an option, and leaving a huge market doesn’t seem like a good strategy. Rather, start taking the steps now that will protect your customers and your company.
The first step to effective GDPR compliance is to determine how you are currently using EU personal data. How is data entering your system? What type of information is it? What disclosures do you provide to the consumer? What information do you share with third parties, and what information do they share with you?
You might use, or create, a data flow diagram (DFD) to map all the data and how it moves through your systems. From this high-level overview, you can discover data uses that are no longer needed, or that require modification, saving you unnecessary tasks later on.
Data Lifecycle Management (DLM)
Once you understand your current data use patterns, take the strategic step of analyzing your policies and procedures. Create an effective DLM plan that manages all stages of data use: creating, storing, using, sharing, archiving and destroying.
Each stage of the DLM requires specific rules for acceptable data use. For example, what data may be placed in storage, or archived? Who can use that data? When will the data be destroyed?
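The “when will the data be destroyed?” question is the one most easily automated, and automating it forces the policy to be written down per data category. The following is an added example, not code from the original article: a retention sweep that takes a constructed per-category policy (active period, then an archive period, then mandatory destruction), classifies each record into retain / archive / destroy, and returns an audit trail of its decisions. Record layout, category names and retention periods are all assumed for illustration; an unknown category is flagged for review rather than silently retained, so gaps in the policy surface instead of hiding personal data indefinitely.

```python
"""Retention sweep for a Data Lifecycle Management (DLM) plan.

Added example, not from the original article. The policy table, record
layout, categories and sample records below are constructed for illustration.
"""
from datetime import date

# Constructed per-category policy: days a record may stay "active", days it
# may then sit in "archive", after which it must be destroyed.
RETENTION_POLICY = {
    "support_ticket": {"active_days": 365, "archive_days": 730},
    "marketing_lead": {"active_days": 180, "archive_days": 0},
    "transaction_comms": {"active_days": 365, "archive_days": 5 * 365},
}


def decide_action(record, today):
    """Return 'retain', 'archive', 'destroy' or 'review' for one record.

    record: dict with 'id', 'category', 'created' (date) and 'stage'
    ('active' or 'archive'). A category missing from the policy returns
    'review' so that the gap is visible to the compliance team.
    """
    policy = RETENTION_POLICY.get(record["category"])
    if policy is None:
        return "review"
    age_days = (today - record["created"]).days
    active_limit = policy["active_days"]
    total_limit = active_limit + policy["archive_days"]
    if age_days > total_limit:
        return "destroy"
    if age_days > active_limit and record["stage"] == "active":
        return "archive"
    return "retain"


def sweep(records, today):
    """Classify every record and return an audit trail: one
    (record_id, category, action) tuple per record, in input order."""
    return [(r["id"], r["category"], decide_action(r, today)) for r in records]


# Constructed sample data; the sweep date is the GDPR enforcement date.
SWEEP_DATE = date(2018, 5, 25)
SAMPLE_RECORDS = [
    {"id": 1, "category": "support_ticket", "created": date(2018, 1, 1), "stage": "active"},
    {"id": 2, "category": "marketing_lead", "created": date(2017, 6, 1), "stage": "active"},
    {"id": 3, "category": "transaction_comms", "created": date(2016, 6, 1), "stage": "active"},
    {"id": 4, "category": "transaction_comms", "created": date(2016, 6, 1), "stage": "archive"},
    {"id": 5, "category": "legacy_export", "created": date(2015, 1, 1), "stage": "active"},
]

if __name__ == "__main__":
    for record_id, category, action in sweep(SAMPLE_RECORDS, SWEEP_DATE):
        print(f"record {record_id} ({category}): {action}")
```

In a real pipeline the audit trail would be written to an append-only store and the `destroy` decisions handed to a separate job that performs the deletion, so the decision and the action can be reviewed independently.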
Strongly consider anonymization and de-identification of personal data, as there are specific GDPR exceptions that make compliance easier. Anonymization and de-identification are techniques that strip out identifiable information from data, allowing the data to be used for other purposes with less risk of running afoul of GDPR and other data laws.
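What “stripping out identifiable information” looks like in practice is shown by the following added example, which is not code from the original article. It replaces direct identifiers (name, email, phone) with a keyed pseudonym, drops free-text fields that cannot be safely generalized, and generalizes quasi-identifiers (date of birth to an age band, postcode to its area part). The field names, the secret key and the sample record are constructed for illustration. A keyed hash (HMAC) is used rather than a plain hash because a plain hash of an email address can be reversed by hashing a list of known addresses; the key is meant to be held separately from the output. Note that under GDPR pseudonymized data still counts as personal data; only data that can no longer be attributed to an individual falls outside it, so this reduces risk rather than removing the obligation.

```python
"""De-identification of personal records: pseudonymize direct identifiers
with a keyed hash, drop free text, and generalize quasi-identifiers.

Added example, not from the original article. Field names, the secret key
and the sample record are constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Constructed secret. In practice it lives in a secrets manager, separate
# from the de-identified dataset, so holders of the output cannot reverse
# the pseudonyms by re-hashing candidate identifiers.
PSEUDONYM_KEY = b"example-key-rotate-me"

DIRECT_IDENTIFIERS = ("email", "phone", "full_name")  # replaced by one pseudonym
DROP_FIELDS = ("notes",)                               # free text: removed outright
QUASI_IDENTIFIERS = ("birth_date", "postcode")         # generalized, not removed


def pseudonym(value, key=PSEUDONYM_KEY):
    """HMAC-SHA256 of a normalized identifier, truncated for readability.
    Normalization keeps the same person linkable across records even when
    the identifier was entered with different case or spacing."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def age_band(birth_date, today):
    """Generalize a date of birth to a ten-year band such as '30-39'."""
    had_birthday = (today.month, today.day) >= (birth_date.month, birth_date.day)
    age = today.year - birth_date.year - (0 if had_birthday else 1)
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def outward_code(postcode):
    """Keep only the outward (area) part of a UK-style postcode."""
    return postcode.strip().upper().split()[0]


def deidentify(record, today):
    """Return a new dict with direct identifiers replaced by 'subject_id',
    free text dropped, and quasi-identifiers generalized. The input record
    is not modified."""
    out = {"subject_id": pseudonym(record["email"])}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in DROP_FIELDS:
            continue
        if field == "birth_date":
            out["age_band"] = age_band(value, today)
        elif field == "postcode":
            out["postcode_area"] = outward_code(value)
        else:
            out[field] = value
    return out


# Constructed sample record; the reference date is the GDPR enforcement date.
REFERENCE_DATE = date(2018, 5, 25)
SAMPLE_RECORD = {
    "full_name": "Alice Example",
    "email": "Alice@Example.com",
    "phone": "+44 20 7946 0000",
    "birth_date": date(1985, 3, 10),
    "postcode": "SW1A 1AA",
    "plan": "premium",
    "notes": "Called about invoice; mentioned her employer by name.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, REFERENCE_DATE))
```

Which fields count as quasi-identifiers depends on the dataset: a combination of age band, postcode area and plan may still single out one person in a small customer base, so the generalization level has to be checked against the data rather than fixed once.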
The more complex the data use, the more convoluted the strategy becomes. Various stakeholders place different demands on data use, and the regulations that oversee it change and often contradict one another. Creating an effective strategy is not simply about meeting the rules in May 2018, but about having a long-term, viable strategy that is adaptable.
Banks, especially, are having difficulties creating strategies that comply with GDPR, MiFID II and PSD2. PSD2 calls for sharing data with third parties, to create a more open banking system. MiFID II requires retaining all transaction-related communications for up to five years. As research firm Oliver Wyman states in their GDPR white paper, Future Proofing Privacy, “for the first time, sensitive, private, and personally identifiable information will be exchanged outside of the traditional payments system, requiring a fundamental rethink of the infrastructure and governance that needs to be in place.”
While the strategic considerations are hefty, there is a bright side to all this: new tools from RegTech providers that automate many of the necessary tasks. Automation works best on rote, predictable jobs and can quickly surface errors, edge cases and other stumbling blocks in a process. As Kristian Nelson writes in a DevOps article, The Automation of Compliance, “Any process problems or weaknesses in your governance model become apparent quickly and can be fixed quickly.”
That is to say, the process of creating automation creates a system of compliance. The tasks you perform, the resources you use, the testing you perform, the oversight you employ: these are the steps that create a scalable, predictable, usable compliance system.
Automation also improves compliance staff productivity. With rote, boring manual tasks taken off their plate, staff can focus their talents on strategy, complex cases and other tasks that require critical thinking.
There are other savings that automation can bring, most notably reducing the risk of fines and penalties for non-compliance. While automation, by itself, can’t guarantee compliance, a systematic approach is more likely to withstand the rigors of changing regulatory requirements.
Automation also provides a simple, straightforward way to track records. Through proper record-keeping, compliance can keep an eye on the process and flag issues early on. In case of an audit, those records can easily be communicated to regulators, making the process less cumbersome.
Record-tracking need not be limited to compliance. With proper automation in place, organization-wide access to read-only records can provide transparency into the entire compliance process. The entire organization is a stakeholder in compliance; it is not just a sign-off from an officer. If staff feel they have input into compliance and buy in, the organization will be well on its way to a compliance culture.
GDPR requirements are the state-of-the-art when it comes to data privacy and information protection; creating compliance processes that meet these high standards will serve your organization in multiple ways. You have one compliance system for your entire organization. When laws in other jurisdictions catch up to European standards, you’ll be ready. Your customers, partners and investors will know that your company is protecting its operations and those that it does business with.
Rather than a burden, GDPR compliance is an opportunity for DevOps: it can help create a culture that responds faster to change, has better staff morale, improves productivity, and saves money. Beyond doing good work for the company, DevOps teams will also be protecting consumers’ private information, serving the greater good.