In this piece, Darran Rolls, CTO & CISO at SailPoint, gives his views on protecting your customers through privacy by design.
With GDPR set to be legally binding in just over a year’s time, the lack of preparedness in businesses worldwide is undeniable. At the recent Gartner IAM Summit in the UK, SailPoint found that only 25 per cent of the companies attending have an established plan in place to meet GDPR requirements.
In order to stay on the right side of the GDPR line, many organisations will require a considerable shift in their thinking and in their IT business support systems. Whether it’s how to manage cloud storage or who to select for an outsourced data processing task, systems design and implementation staff must be aware of what’s required and how they might be affected when the rules do come into play.
Privacy by design
GDPR legislation specifically introduces the idea of “privacy by design.” This means that all new systems must be architected to ensure private and personal data compliance at the start and end of all business or service processes. Embedding privacy early on in the systems design process ensures enterprises have a holistic view of what data they have, its availability, who can process it and who has access to it. This means governing access in a sustainable, consistent and auditable way.
The tensions between customers and organisations over personal and private data are only going to escalate with GDPR coming over the hill. Under the legislation, in order to meet compliance mandates, organisations must be able to show that they have adequate security measures in place. This means that data needs to be classified, categorised and protected by good access governance practices. To satisfy these demands, IT departments must take privacy and the governance of access into account during the whole lifecycle of systems design, development and deployment.
Fortunately, privacy by design does not mean wholesale systems redesign. Overlaying consistent, sustainable identity and data access governance is the remit of identity and access management. Providing a single point of visibility, control and governance across systems, enterprise-wide, is what we do at SailPoint.
The consent of the individual for use of their information has long been a cornerstone of privacy and data protection law around the world – which will only escalate under GDPR. Many changes and challenges will come to the surface under the new regulations. GDPR calls for very clear, prominent and explicit individual consent before storage, processing or sharing of personally identifiable information (PII). Under GDPR, PII means any information that can be used to identify the individual. This is quite broad and covers identification, location, genetic, biometric, economic, cultural and social data. In effect, the organisation holding pretty much anything relating to an individual signs a contract with that individual that gives them the right to know where their data is and who’s accessing, processing or changing it in any way.
Consent to store also comes with an obligation to support its withdrawal and removal. This right of withdrawal poses even more challenges. When you look at how complex chains of data processing, data storage and data sharing between providers exist in most complex IT ecosystems, taking consent and supporting the withdrawal of that consent poses significant challenges. This notion of consent absolutely puts the individual at the center, giving them the knowledge of who has access to their data, when it was accessed and what changes were made. The question remains: Do organisations today have the ability to honor that consent once it has been given?
Encryption, minimisation and redaction
GDPR is set to change the way we store and manage PII. The encryption of PII data at rest is set to become a mandate. Due to the security complexities and increased computational overhead that come with encryption, organisations are being forced to look more closely at data, and then to minimise and redact the information they collect. Basically, don’t collect and store it unless you really need it. The complexity and cost that come with the encryption of PII are forcing that change.
The challenge here is not just changing the way we store PII but also how we process it. When data is encrypted or redacted, this processing obligation follows the data as it is processed by the data owner and any provider included in its processing chain. The obligations and processing overhead that come with these approaches flow with the data wherever it goes and must be tied back to the data owner that collected it.
Data breach or data loss?
GDPR is also changing the definition of what constitutes a data breach and how this must be communicated. Under the new rules, a breach is defined as the “destruction, loss, alteration, disclosure or unauthorised access” of PII. When a “breach” does occur – let’s say PII data is put on a USB drive and then lost at the mall – the data owner has 72 hours to notify the relevant Data Protection Agency (DPA). So maybe some batch data process goes wild and deletes a collection of PII records and there’s no backup – again, 72 hours to notify the DPA. Or maybe during an access review, a manager realises that the wrong person has access to the wrong data – 72 hours to notify each of the individuals whose data was exposed?
Although this may all seem like an onerous process, under GDPR, business owners are obliged to inform the individual and the DPA when these events occur. Organisations will need clear policies, defined procedures and provable controls if they are to avoid a hotline to the DPA and a consistent stream of notifications to all and sundry.
The reality is, privacy by design is no longer merely a desire but a legal mandate. In today’s complex data-driven economy, it’s critical that any business subject to GDPR takes steps to understand how to implement the relevant controls and how best to support its obligations. Identity governance plays a big part in getting ready for GDPR. By adopting consistent access administration practices and defined, sustainable controls, and then delivering the ability to prove privacy by design, compliance with GDPR and the notion of privacy by design can be turned into a business benefit rather than a compliance nightmare.
Visit SailPoint at Infosecurity Europe 2017, Stand: C45