GDPR ASSESSMENT AND COMPLIANCE
Introduction
On May 25, 2018, a European privacy law is due to take effect that will set a new standard for privacy rights, security, and compliance. The General Data Protection Regulation, or GDPR, is fundamentally about protecting and enabling the rights of individuals to privacy. The GDPR establishes strict global privacy requirements governing how organizations manage and protect personal data while respecting individual choice — no matter where data is sent, processed, or stored. GAC and its clients are now working to comply with the GDPR. At GAC, we believe that privacy is a fundamental right, and we believe that the GDPR is an important step forward in clarifying and enabling individual privacy rights.
GAC uses Microsoft Azure, which is a growing collection of integrated cloud services that developers and IT professionals use to build, deploy, and manage applications through Microsoft’s global network of datacenters. As a part of Microsoft’s commitment to GDPR compliance, GAC is following Microsoft’s guidelines and uses a variety of the technological capabilities that Microsoft offers.
Understanding the GDPR – a primer
GAC’s partners and clients have for obvious reasons asked if GAC is GDPR-compliant, and if GAC can explain how it has addressed some of the fundamental and critical questions about the regulation and about compliance. Consequently, this brief has been created.
What is the GDPR?
The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive (the “Directive”), which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among the most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law.
Does the GDPR apply to GAC?
The GDPR applies more broadly than might be apparent at first glance. It imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data tied to EU residents. It applies to organizations that are established in the EU, that offer goods or services in the EU, or that monitor the behavior of EU residents. Unlike privacy laws in some other jurisdictions, the GDPR applies to organizations of all sizes and all industries. The EU is often viewed as a role model on privacy issues internationally, so GAC expects to see the concepts in the GDPR being adopted in other parts of the world over time.
When will the GDPR come into effect?
The GDPR will take effect on May 25, 2018. It actually became law in April 2016, but in recognition of the significant changes that some organizations have to make to align themselves with the regulation, a two-year transition period was included.
Organizations should not expect any grace period from regulators after May 25, 2018. Some EU member state regulators have already said on record that there will be no enforcement holiday for organizations that fail to comply.
What are the main requirements of the GDPR?
The GDPR imposes a wide range of requirements on organizations that collect or process personal data, including a requirement to comply with six key principles:
- Transparency, fairness, and lawfulness in the handling and use of personal data. GAC explains clearly to individuals how it uses personal data, and also needs a “lawful basis” to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes. GAC will not re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
- Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
- Ensuring the accuracy of personal data and enabling it to be erased or rectified. GAC will ensure that the personal data it holds is accurate and can be corrected if errors occur.
- Limiting the storage of personal data. GAC will ensure that it retains personal data only for as long as is necessary to achieve the purposes for which the data was collected.
- Ensuring security, integrity, and confidentiality of personal data. GAC keeps personal data secure through technical and organizational security measures.
Examples of requirements of the GDPR related to the above principles
- Under the GDPR, individuals have a right to know if an organization is processing their personal data and to understand the purposes of that processing. An individual has the rights to have his or her data deleted or corrected, to require that it no longer be processed, to object to direct marketing, and to revoke consent for certain uses of the data. The right to data portability gives individuals the right to move their data elsewhere and to receive assistance in doing so.
- The GDPR requires organizations to secure personal data in accordance with its sensitivity. In the event of a data breach, data controllers must generally notify the appropriate authorities within 72 hours. Additionally, if the breach is likely to result in a high risk to the rights and freedoms of individuals, organizations must also notify the affected individuals without undue delay.
- There must be a legal basis for the processing of personal data. Any consent to the processing of personal data must be “freely given, specific, informed, and unambiguous.” There are unique consent requirements to protect children under the GDPR.
- Organizations must conduct data protection impact assessments to predict the privacy impacts of projects, and employ mitigations as needed. Records of processing activities, consents to process data, and compliance with the GDPR must be maintained.
- GDPR compliance is not a one-time activity, but a continuing process. Non-compliance can result in significant fines. To ensure compliance with the GDPR, organizations are encouraged to embrace a culture of privacy, to protect the interests of individuals in their personal data.
Does the GDPR apply to GAC?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR applies to organizations of all sizes and all industries. Specifically, the GDPR applies to:
- the processing of anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place);
- the processing of personal data of individuals who reside in the EU by an organization established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behavior.
The EU is often viewed as a role model on privacy issues internationally, so GAC expects to see concepts in the GDPR being adopted in other parts of the world over time. Moreover, GAC also expects professional advertisers not to advertise in digital channels that do not or cannot substantiate GDPR compliance.
How does GAC know if the data that GAC is processing is covered by the GDPR?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as being any data that relates to an identified or identifiable natural person. This can include data such as online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information, and much more. Indeed, the term is so broad that it can even include information that does not appear to be personal — such as a photo of a landscape with no people in it — if that information is linked by an account number or other unique code to an identifiable individual. Even personal data that has been pseudonymized can be personal data, if the pseudonym can be linked to a particular individual.
GAC is aware that the processing of certain “special” categories of personal data — such as data revealing a person’s racial or ethnic origin, or concerning their health or sexual orientation — is subject to more stringent rules than the processing of “ordinary” personal data.
Although the rules differ somewhat, the GDPR applies to organizations that collect and process data for their own purposes (“controllers”) as well as to organizations that process data on behalf of others (“processors”). This is a shift from the existing Directive, which applies primarily to controllers. GAC, as a processor, must therefore implement measures to comply with the GDPR, which is why GAC has established its own GDPR Compliant Program.
The process of being GDPR compliant
The systems that GAC uses to create, store, analyze, and manage data can be, are, and will be spread across a wide array of IT environments: personal devices, on-premises servers, cloud services, even the Internet of Things (IoT). This means that most of GAC’s IT landscape could be subject to the requirements of the GDPR.
GAC’s efforts to comply with the GDPR will be best served by looking at the requirements holistically and within the context of all GAC regulatory and legal privacy obligations. For instance, many of the security controls required by the GDPR to prevent, detect, and respond to vulnerabilities and data breaches are similar to the controls expected by other data protection standards, such as the ISO 27018 cloud privacy standard. Rather than separately tracking the controls required by each individual standard and regulation, a better practice is to identify an overall set of controls and capabilities that meets these requirements.
Likewise, rather than assessing individual technologies and solutions against a comprehensive regulation such as the GDPR, taking a platform view — such as encompassing what Windows and Azure provide — provides a clearer path to ensuring that GAC is complying not only with the GDPR, but also with other requirements important to GAC.
GAC’s GDPR Compliant Program focuses on four key steps:
- Discover – identify what personal data is stored and where it is stored.
- Manage – govern how personal data is used and accessed.
- Protect – establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
- Report – execute on data requests, report data breaches, and keep all required documentation.
How GAC conducted its GDPR compliance assessment (Step 1)
Discover: Identify what personal data is stored and where it is stored.
The first step towards GDPR compliance is to assess to what extent GDPR applies. This analysis starts with understanding what data GAC has and where it resides.
Does the GDPR apply to GAC’s data?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person.
The term “personal data” includes, but is not limited to, data in customer databases, in feedback forms filled out by GAC’s users (app providers, content providers and end users), e.g. text-based content, photos, CCTV footage, data from loyalty program records and HR databases, or any other data that GAC collects. If the data belongs to or relates to EU residents, then GAC must comply with the GDPR. Note that personal data doesn’t have to be stored in the EU to be subject to the GDPR. The GDPR applies to data collected, processed, or stored outside the EU provided that data is tied to EU residents.
Building the GAC inventory
To understand whether the GDPR does apply to GAC, and if it does, what obligations it imposes, it is important that GAC take an inventory of its data. This has helped GAC to understand what data is personal, to identify the systems where that data is collected and stored, and to understand why it was collected, how it is processed and shared, and how long it is retained. Below are some examples of specific ways in which GAC’s Azure-based cloud environment has helped GAC with the GDPR’s first compliance step.
Azure Cosmos DB
GAC uses Azure Cosmos DB, which was built from the ground up with global distribution and horizontal scale at its core. It offers turnkey global distribution across any number of Azure regions by transparently scaling and replicating data wherever its users are. With its elastically scaled throughput and storage worldwide, users pay only for the throughput and storage they need. Azure Cosmos DB guarantees single-digit millisecond latencies at the 99th percentile anywhere in the world, offers multiple well-defined consistency models to fine-tune performance, and guarantees high availability with multi-homing capabilities — all backed by industry-leading, comprehensive service level agreements (SLAs).
Azure Blob Storage
GAC uses Azure Blob Storage, which is a service for storing large amounts of unstructured object data, such as text or binary data, that can be accessed from anywhere in the world via HTTP or HTTPS. You can use Blob storage to expose data publicly to the world, or to store application data privately.
Common uses of Blob storage include:
- Serving images or documents directly to a browser
- Storing files for distributed access
- Streaming video and audio
- Storing data for backup and restore, disaster recovery, and archiving
- Storing data for analysis by an on-premises or Azure-hosted service.
Azure SQL database services
GAC uses Azure SQL Database Services, which is a general purpose relational database service in Microsoft Azure that supports structures such as relational data, JSON, spatial, and XML. It delivers dynamically scalable performance and provides options such as columnstore indexes for extreme analytics and reporting, and in-memory OLTP for extreme transactional processing. Microsoft handles all patching and updating of the SQL code base seamlessly and abstracts away all management of the underlying infrastructure.
How GAC has conducted its GDPR compliance assessment (Step 2)
Manage: Govern how personal data is used and accessed
The GDPR provides data subjects — the individuals to whom the data relates — with more control of how their personal data is captured and used. Data subjects can, for example, request that your organization shares data that relates to them, transfer their data to other services, correct mistakes in it, or restrict certain data from further processing in certain cases. In some cases, these requests must be addressed within fixed time periods.
Data governance
In order to satisfy GAC’s obligations to data subjects, GAC needed to understand what types of personal data it processes, how, and for what purposes. The data inventory previously mentioned is a first step to achieving this understanding. Once that inventory is complete, it is also important to develop and implement a data governance plan. GAC’s data governance plan defines policies, roles, and responsibilities for the access, management, and use of personal data, and ensures that GAC’s data handling practices comply with the GDPR.
Active Directory (B2B and B2C)
GAC uses Azure Active Directory (Azure AD) which is a comprehensive identity and access management cloud solution that provides a robust set of capabilities to manage users and groups. It helps to secure access to on-premises and cloud applications, including Microsoft web services like Office 365, and many non-Microsoft “software as a service” (SaaS) applications.
Azure AD has enabled GAC to provide single sign-on, to simplify user access to cloud applications from Windows, Mac, Android, and iOS devices. GAC’s clients can launch applications from a personalized web-based access panel, and even their mobile apps, using their company credentials or credentials from a larger social network such as Facebook, Instagram, Twitter and Google+. The Azure AD Application Proxy module can be used to go beyond SaaS applications and publish on-premises web applications to provide highly secure remote access and single sign-on.
Azure Multi-Factor Authentication prevents unauthorized access to on-premises and cloud applications by providing an additional level of authentication. This ensures that GAC protects its own business and its clients’ and partners’ businesses, and it mitigates potential threats with security monitoring, alerts, and machine learning-based reports that identify inconsistent access patterns.
Azure AD plays an important role in providing more control and security for GAC’s partners, clients and users as it delegates important tasks, such as resetting passwords and creating and managing groups. Provision of self-service password change, reset, and self-service group management is all possible with Azure AD Premium.
Azure Role-Based Access Control (RBAC) enables GAC to manage its access to GAC’s Azure resources. It enables GAC to grant access based on the user’s assigned role, making it easier to grant only the required permissions that users need to perform their jobs. GAC has customized RBAC so as to fit GAC’s business model and risk tolerance.
How GAC has conducted its GDPR compliance assessment (Step 3)
Protect: Establish security controls to prevent, detect, and respond to vulnerabilities and data breaches.
GAC understands the increasing importance of information security, but the GDPR raises the bar. It requires that organizations take appropriate technical and organizational measures to protect personal data from loss or unauthorized access or disclosure.
Protecting data
Data security is a complex area. There are many types of risk to identify and consider, ranging from physical intrusion or rogue employees to accidental loss or hackers. Building risk management plans and taking risk mitigation steps, such as password protection, audit logs, and encryption, can help to ensure compliance. GAC uses the Microsoft cloud as it is specifically built to help understand risks and to defend against them, and is more secure than on-premises computing environments in many ways. For example, GAC uses Microsoft’s datacenters, which are certified to internationally recognized security standards, protected by 24-hour physical surveillance, and have strict access controls.
Azure Security Center
GAC has chosen to use the following Azure services and tools to protect personal data in GAC’s cloud environment.
Azure Security Center provides GAC with visibility and control over the security of its Azure resources. It continuously monitors GAC’s resources and provides helpful security recommendations. It has enabled GAC to define policies for its Azure subscriptions and resource groups based on GAC’s security requirements, the types of applications that GAC uses, and the sensitivity of its data. It also uses policy-driven security recommendations to guide service owners through the process of implementing needed controls — for example, enabling antimalware or disk encryption for GAC’s resources. Security Center also helps GAC to rapidly deploy security services and appliances from Microsoft and partners to strengthen the protection of its cloud environment.
Data encryption
Data encryption in Azure secures GAC’s data at rest and in transit. For example, GAC automatically encrypts its data when it is written to Azure Storage, using Storage Service Encryption. Additionally, GAC uses Azure Disk Encryption to encrypt operating systems and data disks used by Windows and Linux virtual machines. Data is protected in transit between an application and Azure so that it always remains highly secure.
Key Vault
Azure Key Vault is used to safeguard keys and small secrets such as passwords, using keys stored in hardware security modules (HSMs). For more assurance, when GAC imports or generates keys in HSMs, Microsoft processes GAC’s keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware). With Key Vault, Microsoft doesn’t see or extract GAC’s keys, and GAC cannot see or extract its clients’, partners’ or users’ keys. GAC monitors and audits its keys using Azure logging, piping the logs into Azure HDInsight and GAC’s security information and event management (SIEM) solution for further analysis and threat detection.
How GAC has conducted its GDPR compliance assessment (Step 4)
Report: Execute on data requests, report data breaches, and keep required documentation
The GDPR sets new standards in transparency, accountability, and record-keeping. GAC has become more transparent not only about how it handles personal data, but also about how it actively maintains documentation defining its processes and use of personal data. Organizations processing personal data will have to keep records about: the purposes of processing; the categories of personal data processed; the identity of third parties with whom data is shared; whether (and which) third countries receive personal data, and the legal basis of such transfers; organizational and technical security measures; and data retention times applicable to various datasets. GAC uses auditing tools, which have helped to ensure that any processing of data — whether collection, use, sharing, or anything else — is tracked and recorded.
Auditing and logging
GAC uses auditing and logging, which protect data by maintaining visibility and enabling a quick response to security alerts. Auditing and logging of security-related events, and related alerts, are important components in an effective data protection strategy. Security logs and reports provide GAC with an electronic record of suspicious activities and help GAC detect patterns that may indicate attempted or successful external penetration of the network, as well as internal attacks. GAC uses auditing to monitor user activity, to document regulatory compliance, to perform forensic analysis, and more.
GDPR Audit
GAC has formed a Compliance Team that consists of a Compliance Steering Committee and a Compliance Implementation and Surveillance Unit. Four times per year, the Compliance Steering Committee requests from the Compliance Implementation and Surveillance Unit a report covering randomly chosen subject areas. Upon any unsatisfactory results, the Compliance Steering Committee creates a list of measures to be taken, which the Compliance Implementation and Surveillance Unit is to implement.
Questions about GAC’s GDPR compliance
If the above information does not provide you with sufficient information on GAC’s GDPR compliance, you are welcome to send an inquiry to GDPR@globalappcasting.com.