GDPR From a Technical Perspective

In GDPR by Baris McKenna Ishida

What is GDPR?

GDPR is a regulation designed to protect the privacy of individuals and give them control over how their personal data is processed, including how it is collected, stored and used. It applies to personal data generated by people in the EU. However, every company in the world that processes such data is affected by this law. To put it simply: if you keep personal data of any kind, GDPR rules likely affect you [[1]](https://eugdpr.org/the-regulation/gdpr-faqs/).

What does this mean in practice?

GDPR includes a wide range of rules around the core tenet that all collected personal data should be kept safe and should be used solely for the purposes for which it was initially collected. The regulation also gives users the right to have access to and request deletion of any data you possess about them. This can sometimes be challenging, as organisations often don’t have a centrally automated way of accessing all data storage that could potentially contain personal data.

For example, many organisations have multiple applications which were delivered at different times, using different technologies. This often means that they don’t share data with each other. If a user asks the company for access to, or deletion of, their personal data, then this would require finding all of that user’s information in each individual application’s data storage.

Companies should have assigned Data Protection Officers (DPO) in their organisations for handling or overseeing these kinds of tasks. This can be any employee in the organisation who knows enough about GDPR compliance, along with how to get to the data. If the company were to receive a request from a regulatory authority, or any end user, in relation to GDPR, the assigned DPO would need to be able to provide access to or delete all related personal information. Would the DPO in your organisation be able to do this in a reasonable timeframe? If not, it could lead to a breach of GDPR.

What are the consequences of a GDPR breach?

GDPR carries a hefty non-compliance fine along with its demanding requirements, to the extent that even large organisations could face significant financial issues from a breach. To quote itgovernance.eu:

‘There are two tiers of administrative fines that can be levied as penalties for non-compliance:

  1. Up to €10 million, or 2% annual global turnover – whichever is higher.
  2. Up to €20 million, or 4% annual global turnover – whichever is higher.’

[[2]](https://www.itgovernance.eu/en-ie/dpa-and-gdpr-penalties-ie)

Because the fines combine a fixed amount with a percentage of turnover, both small and large organisations need to take these regulations very seriously. Avoiding a breach of GDPR should be a high-priority goal for any business which handles personal data.

How can I avoid breaching GDPR?

If the organisation has an assigned DPO and they do not have the ability to access all data in the organisation, they would need help from a person with technical skills who understands how to access the data. In a well-structured organisation, that would mean receiving support from the application owners that actually use and store this data. If the organisation could afford data virtualisation tools (for example, Denodo), then implementing such a solution should be considered in order to centrally locate all relevant data. If this is not possible for the organisation, then a universal central tool or simply a scripted business automation service could be developed to handle infrastructure and data inventory.
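As an added example (not code from the original article or from any vendor tool), the sketch below shows what a small scripted service driven by a data inventory could look like when handling the access and deletion requests described earlier across applications that do not share data. The two stores, their schemas, the sample rows and the `INVENTORY` entries are constructed for illustration.

```python
import sqlite3

# Constructed sample stores: two applications built at different times,
# each with its own schema and its own column identifying a person.
def build_sample_stores():
    crm = sqlite3.connect(":memory:")
    crm.execute("CREATE TABLE customers (email TEXT, full_name TEXT, phone TEXT)")
    crm.execute("INSERT INTO customers VALUES ('ana@example.com', 'Ana Example', '555-0100')")
    crm.execute("INSERT INTO customers VALUES ('bob@example.com', 'Bob Example', '555-0101')")
    shop = sqlite3.connect(":memory:")
    shop.execute("CREATE TABLE orders (id INTEGER, contact_email TEXT, ship_to TEXT)")
    shop.execute("INSERT INTO orders VALUES (1, 'ANA@example.com', '1 Sample Street')")
    shop.execute("INSERT INTO orders VALUES (2, 'bob@example.com', '2 Sample Street')")
    return {"crm": crm, "shop": shop}

# Data inventory: (store, table, column holding the subject's email).
# Hypothetical entries; a real inventory is maintained with the application owners.
# Table and column names come only from this trusted list, never from user input.
INVENTORY = [("crm", "customers", "email"), ("shop", "orders", "contact_email")]

def export_subject(stores, email):
    """Access request: collect every row held about one person, per store."""
    found = {}
    for store, table, column in INVENTORY:
        cur = stores[store].execute(
            f"SELECT * FROM {table} WHERE lower({column}) = lower(?)", (email,))
        names = [d[0] for d in cur.description]
        found[f"{store}.{table}"] = [dict(zip(names, row)) for row in cur.fetchall()]
    return found

def erase_subject(stores, email):
    """Deletion request: remove the rows and return rows deleted per store as an audit record."""
    audit = {}
    for store, table, column in INVENTORY:
        cur = stores[store].execute(
            f"DELETE FROM {table} WHERE lower({column}) = lower(?)", (email,))
        stores[store].commit()
        audit[f"{store}.{table}"] = cur.rowcount
    return audit

if __name__ == "__main__":
    stores = build_sample_stores()
    print(export_subject(stores, "ana@example.com"))   # rows from both applications
    print(erase_subject(stores, "ana@example.com"))    # per-store deletion counts
    print(export_subject(stores, "ana@example.com"))   # empty after erasure
```

Any store missing from the inventory is silently skipped by both functions, which is why the inventory review discussed in the next section has to come first.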

What if I don’t know what data I have or where it’s all located?

Quite often, particularly in large organisations, there is no central data store and data is scattered all over the organisation. As mentioned above, data virtualisation strategies could be considered to improve this. Implementation of data virtualisation tools would generally include inventory review, as the requirements of implementing a data virtualisation tool synergise well with gathering the knowledge required for a centralised inventory view. This is an industry best practice for getting control over your data.

However, this would only resolve problems if you know where all your data stores are located, as they must be integrated with your data virtualisation tool. Often, within a large infrastructure, there are “ghost” servers and databases that are not documented and have been set up by people who have left the organisation, leading to a complete lack of knowledge on how to handle these servers. In cases such as this, a customised technical solution could be developed that would search your infrastructure and track when and where data is pulled. These kinds of technical investigations often find old servers which are assumed to be important and cause significant issues in relation to maintenance, patching and resource usage, but are no longer necessary for the current infrastructure. Decommissioning these servers can lead to significant improvements in efficiency.

I’m aware of all my data and where it’s located. Can I use it?

When an organisation collects data on a European user, the user should have given clear consent. The wording of this consent should be checked very carefully. From the European Commission:

‘If you do use customer consent when you record personal data, you should review how you seek, obtain and record that consent, and whether you need to make any changes. Consent must be ‘freely given, specific, informed and unambiguous’. Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must know exactly what they are consenting to, and there can be no doubt that they are consenting. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity.

If consent is the legal basis relied upon to process personal data, you must make sure it will meet the standards required by the GDPR. If it does not, then you should amend your consent mechanisms or find an alternative legal basis. Note that consent has to be verifiable, that individuals must be informed in advance of their right to withdraw consent and that individuals generally have stronger rights where you rely on consent to process their data. The GDPR is clear that controllers must be able to demonstrate that consent was given. You should therefore review the systems you have for recording consent to ensure you have an effective audit trail.’

[[5]](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en).

It is very important to ensure that data is used for the purposes that the user consented to. However, in some cases, data can be used outside of what it was collected for. To do this in a legal manner, some additional steps need to be implemented. The most important of these is ensuring that the user data can no longer be linked back to any individual through what is called ‘data anonymisation’. The most straightforward way to handle data anonymisation is by building it into your applications from the beginning; however, it can also be done as an additional processing step after the data has been collected. If you are unsure how to approach data anonymisation, seeking guidance from those with expertise in both data management and GDPR compliance is necessary.

CloudAlto

If you have any uncertainties about any of what was mentioned above, we can assist you in your GDPR strategy. We are capable of developing and delivering solutions to review and create an inventory of your infrastructure. We can also help you with data anonymisation, whether as part of your existing application or as an add-on service through our automated anonymisation tooling.

References

*[[1]eugdpr.org](https://eugdpr.org/the-regulation/gdpr-faqs)

*[[2]itgovernance.eu](https://www.itgovernance.eu/en-ie/dpa-and-gdpr-penalties-ie)

*[[3]ico.org.uk](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/)

*[[4]dataprotection.ie](https://dataprotection.ie/)

*[[5]ec.europa.eu](https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr/purpose-data-processing/can-we-use-data-another-purpose_en)

*[[6]fsb.org.uk](https://www.fsb.org.uk/resources/how-to-prepare-for-gdpr)


