If you’re the least bit active in any sort of professional organization, chances are you’ve already heard of GDPR.
The EU's new regulation, the General Data Protection Regulation (more commonly known as GDPR), will take effect on May 18th, 2018. It will replace the old Data Protection Directive as the privacy law in force. But what does it mean, and how does it affect those doing DevOps under GDPR?
First things first: even if you're compliant with the old directive, there is most likely work to be done to ensure compliance with GDPR.
In effect, all companies affected by GDPR must be compliant before May 18th or risk serious fines of up to 20 million euros. The regulation was actually adopted in 2016, but considering the changes some organizations need to make, a two-year transition period was included. Regardless, GDPR is indeed a step forward.
With the GDPR, the European Union has set a new global bar for individual privacy rights. It's not only about protecting your personal data. In addition, the GDPR aims to give individuals insight into what personal data is being processed, and why.
It doesn’t matter where the data is being processed, sent or stored – GDPR requirements apply to all personal data concerning EU citizens.
Key principles of GDPR
The overall goal of GDPR is to create more uniform protection of personal data concerning EU citizens. The EU (and we here at Solidify, as well as many others) believe that privacy is a fundamental right. However, we also realize that the new regulation places tougher requirements on organizations and companies.
Here are the 6 key principles to remember – not only when doing DevOps under GDPR:
- Lawfulness, fairness and transparency
- Purpose limitations
- Data minimization
- Accuracy
- Storage limitations
- Integrity and confidentiality
We will take a closer look at each of these, but first things first. How do you know if GDPR applies to you and your organization?
Whether or not GDPR applies to your organization
The short answer: it most likely does. In fact, the GDPR applies a lot more broadly than you might expect – it can be applied regardless of organization size, location and industry.
Some application rules to keep in mind:
- GDPR applies to the processing of personal data of individuals within the EU, even if the organization or its activities take place outside the EU. This includes offering products or services to those individuals as well as monitoring their behavior.
- GDPR applies to the processing of anyone’s personal data, if that processing is done in the context of the activities of an organization established within the EU. This applies regardless of where the processing takes place.
But what counts as personal data within GDPR?
What does and what doesn't count as personal data within GDPR certainly makes a huge difference to those processing it. It is purposefully defined broadly as any data that concerns an identified or identifiable natural person (this person is also known as the data subject). The specific definition reads as follows:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A few examples of personal data include:
- Names, such as family names or first names
- Location data, such as addresses
- Online identifiers, such as IP addresses
In addition, a subset of personal data is called sensitive data. As expected, sensitive data refers to specific personal data that should be handled with extra care and protection. Some examples of sensitive data are:
- Political opinions
- Racial or ethnic origins
- Religious or philosophical beliefs
1. Lawfulness, fairness and transparency
The first principle of GDPR is to ensure that any personal data processing is being done fairly and openly. The organization in question needs to provide the data subjects (the natural person to whom the personal data refers) with information regarding what processing will be done, why the data is being collected and how it’s being used.
2. Purpose limitations
According to the GDPR, any organization collecting personal data is only allowed to do so for “specified, explicit and legitimate purposes”. In layman’s terms, you can only use personal data for the exact reasons the subject has agreed to.
The big thing regarding this limitation is consent. Whether you’re a service provider, phone sales company or a software developer doing DevOps under GDPR, you need consent to use personal data.
3. Data minimization
In the third principle, GDPR targets the amount of data needed to execute any given activity. The general rule is to not process any more personal data than is absolutely necessary to carry out the task. For example, you won’t need to store a person’s entire family records if all you need to know is whether or not the person is married.
This principle ensures that if a data breach were to happen, the damage is minimal. Often you collect all the data you can think of just because you can. This principle requires you to take a good look at what data you're collecting, and why.
4. Accuracy
As you probably already guessed, the fourth principle is about keeping your records straight and up to date. If any personal data you store is incorrect or outdated, you need to put in the effort to update it.
Sometimes that task itself can prove impossible; in those cases, the information must be removed or made anonymous.
5. Storage limitations
Within the storage limitation principle, the EU targets the length of time for which personal data is processed. Any data that is not specifically required after a certain period of time, or after a certain activity has been carried out, should be removed.
In addition, the GDPR requires that organizations create and provide a retention policy. This policy serves to explain what type of information will be deleted, and when.
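The retention policy just described can be enforced mechanically rather than by hand: each processing purpose gets a retention period that starts when the activity the data served has been carried out, and expired records are either deleted or stripped of their personal fields (the "make anonymous" fallback from the accuracy principle), keeping only non-personal business figures. The following is an added Python example, not code from the original article or from Solidify; the purposes, retention periods, sample records and the "[anonymized]" marker are constructed assumptions.

```python
"""Retention-policy enforcement over a constructed set of customer records.

Constructed example: the purposes, retention periods and records below are
assumptions for illustration, not the policy of any real organization.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed retention policy: for each processing purpose, how long personal
# data may be kept after the activity it served was completed, and whether an
# expired record is deleted outright or only stripped of its personal fields.
RETENTION_POLICY = {
    "order_fulfilment": (timedelta(days=30), "delete"),
    "invoicing": (timedelta(days=7 * 365), "anonymize"),
    "newsletter": (timedelta(days=365), "delete"),
}

# Fields that identify a natural person and must not survive expiry.
PERSONAL_FIELDS = ("name", "email", "ip_address")
ANON_MARKER = "[anonymized]"


@dataclass(frozen=True)
class Record:
    record_id: int
    purpose: str
    completed_at: datetime   # when the activity the data served was carried out
    name: str
    email: str
    ip_address: str
    amount: float            # business figure that may be kept once anonymized


def anonymize(record: Record) -> Record:
    """Return a copy with every personal field replaced by a fixed marker."""
    return replace(record, **{field: ANON_MARKER for field in PERSONAL_FIELDS})


def is_anonymized(record: Record) -> bool:
    return all(getattr(record, f) == ANON_MARKER for f in PERSONAL_FIELDS)


def apply_retention(records, now, policy=RETENTION_POLICY):
    """Apply the policy to `records` as of `now`.

    Returns (survivors, actions), where actions maps record_id to 'kept',
    'deleted', 'anonymized' or 'no-policy'. A record whose purpose has no
    retention rule is kept but flagged: nothing documents why it is held, so
    the caller should treat it as a finding to resolve, not as permission.
    """
    survivors, actions = [], {}
    for rec in records:
        rule = policy.get(rec.purpose)
        if rule is None:
            survivors.append(rec)
            actions[rec.record_id] = "no-policy"
            continue
        keep_for, action = rule
        if is_anonymized(rec) or now - rec.completed_at <= keep_for:
            survivors.append(rec)
            actions[rec.record_id] = "kept"
        elif action == "anonymize":
            survivors.append(anonymize(rec))
            actions[rec.record_id] = "anonymized"
        else:
            actions[rec.record_id] = "deleted"
    return survivors, actions


# Constructed input: "now" is the date the article uses, and each record's
# completion date is chosen to land on one side of its retention period.
NOW = datetime(2018, 5, 18, tzinfo=timezone.utc)


def sample_records():
    def ago(days):
        return NOW - timedelta(days=days)
    return [
        Record(1, "order_fulfilment", ago(10), "A. Example", "a@example.test", "203.0.113.10", 49.0),
        Record(2, "order_fulfilment", ago(45), "B. Example", "b@example.test", "203.0.113.11", 15.5),
        Record(3, "invoicing", ago(8 * 365), "C. Example", "c@example.test", "203.0.113.12", 120.0),
        Record(4, "newsletter", ago(400), "D. Example", "d@example.test", "203.0.113.13", 0.0),
        Record(5, "analytics", ago(5), "E. Example", "e@example.test", "203.0.113.14", 0.0),
    ]


def run_example():
    """Run the policy over the constructed records and return the outcome."""
    return apply_retention(sample_records(), NOW)


if __name__ == "__main__":
    survivors, actions = run_example()
    for record_id, action in actions.items():
        print(record_id, action)
    print([(r.record_id, r.name, r.amount) for r in survivors])
```

Running the policy a second time over the survivors changes nothing, which is the property to check when this runs as a scheduled job: anonymized records stay (they no longer hold personal data), records within their period stay, and the flagged "no-policy" record keeps surfacing until someone either gives its purpose a retention rule or removes it.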
6. Integrity and confidentiality
Finally, we reach the last principle. As for integrity and confidentiality, you and your organization have a responsibility to guarantee security of the personal data you process.
This covers more than technical security; you need strong authentication methods, permission control and adequate password length, and you must ensure protection against accidental data loss, destruction or damage. On top of that, you should continuously review your security and take action if needed.
There’s a lot to learn and remember about the GDPR. When navigating these coming months leading up to May 18th, the above principles are a good start. Without a doubt, most organizations need to review how, why and what data is being stored.
The next article in this series will focus more on how you can do DevOps under GDPR.
Have you started working towards GDPR compliance? What issues have you faced? Let us know in the comments below!