General Data Protection Regulation – GDPR Compliance

by Snehashish Ghosh

Introduction to GDPR?

GDPR stands for General Data Protection Regulation.
GDPR is an “EU”- wide framework for the protection of personal data of EU-based individuals.

Why GDPR is Required?

The current ageing data protection laws have been created 20 years ago. A lot have changed since then. We have moved from Internet of Information to Internet of values, adopting fast with blockchain, hasgraph, IOT, AI. Now personal data is captured several times each day, all that data posses’ security risks. According to statistics in 2016 there were 3+ data breaches every week in UK. The GDPR regulation is more significant in current circumstances  as recently we observed how  facebook founder Mark Zuckerberg  mentioned  during Congress hearing that most of the focus of facebook so far was building tools to enable people connect with each other & security of processing and the platform was of slightly lesser priority than platform building. I am predicting more such data privacy related  issues  in coming days in GDPR regulations are not properly implemented with utmost importance and urgency.

GDPR Explained

GDPR is a new regulation managed by the Information Commissioners Office to protect the personal data of EU Individuals.

Personal data refers to any data by which a person can be identified like name, address, phone number, email id, national identification number, medical history, criminal records, financial records, bio-metrics, location data, online identity like username, ip address.

GDPR regulates the personal data Collection, processing, storage & transfer.

With the introduction of GDPR Individuals Will have the right to be told what information is held about them, they have the right to be forgotten & would have the right to data portability.

Organization will have 30 days to respond for any personal data related queries, will have to remove personal data of individual on request, provide information in machine readable format, collect & manage consent to process data or communicate with any person or follow individual around the web for user profiling. Organizations would need to appoint Data Protection Officer or DPO.

GDPR non-compliance could hit the organization with 4% of global revenue or 20 million euro whichever is higher.

GDPR Date of Enforcement May 25 2018

GDPR Article Relevance in Software Industry

GDPR has 99 articles and 173 recitals, out of which few articles has greater significance for Software Industry.

ARTICLE NO DESCRIPTION SIGNIFICANCE
25 Data protection by design and data protection by default It means that data processing should be limited to intended purpose. Data should be accessible only to people who need them.
30 Records of processing activities GDPR requires data controller and data processor to keep record of processing activities.
32 Security of processing mandates appropriate technical and organizational measures to ensure security appropriate to the risk
33 Notify data breaches within 72 hours to Controller/ Data Protection Officer, if any. is very important to rationalize or optimize penalty in case of data breach. Data controllers are required to report data breaches to Supervisory Authority by 72 hours. So organizations should be ready with an Incident Response Plan related to GDPR.
34 Communication of a personal data breach to the data subject Data Controller to report data breach to the data subject when there is a high risk to the rights and freedoms of data subject
35 Data protection impact assessment Data controller to assess how they intend to protect the rights and freedoms of data subject & document assessment details
44 General principle for transfers (Data transfers to third country or international organization) This is required to ensure security & enforce more restrictions on the transfer of personal data to countries outside EU.

 

GDPR New Roles & Responsibilities

The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.  Ex: the owner of the software or business

The Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the Data controller.  Ex: Software company providing service

Processing, in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

  1. a) organisation, adaptation or alteration of the information or data,
    b) retrieval, consultation or use of the information or data,
    c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
    d) alignment, combination, blocking, erasure or destruction of the information or data

 GDPR Compliance Architecture

GDPR ASSESSMENT

GDPR Compliance starts with GDPR Assessment, based on GDPR Assessment of the Software GDPR Prevention as well as Auditing & Reporting road-map is architected.

During GDPR ASSESSMENT first assess antivirus, firewall, vpn based access to application & database server to ascertain presence of secure network and infrastructure.

Then utilize the knowledge of the technical & functional aspect of the Software to identify sensitive personal information which is kept in the Software system.

Focus to achieve a good hygiene with Personal Data for Software by knowing what personal data Software collect, how Personal data is used, how personal data flows in/out of the Software system & then determined to do right things with the Personal data.

Find entities, attributes, views & view attributes that refers to sensitive personal data, find where the software needs security implementation to stop cross site request forgery(CSRF), cross site scripting(CSS),cookie manipulation & click jacking attacks. Identify User Interface or UI where personal data is displayed, check that whether the software allows files to be downloaded in xml format containing sensitive personal data, whether ssl/tls implementation has been followed rigorously, whether encrypted connection between database and application server not implemented and also check that in Android implementation whether SQL Lite data for Software is accessible under proper authorization and authentication and whether it can be accessed from other application.

Based on the result of GDPR ASSESSMENT identify the gap and GDPR modules that Software need to develop for GDPR Compliance:

Then start building the Software GDPR Prevention processes.

GDPR Prevention

 GDPR Global On/Off Switch

First of all implement GDPR with a Global On/Off switch. Clients who do not need Software GDPR can keep this in switch off state.

 GDPR Encapsulation Architecture

Then design the Data Encapsulation Module which combines the Anonymization, Pseudonimization and Encryption methods that Software would use to protect Personal Data at rest.

It’s should be a generic module which scans through the reference data comprising of defined sensitive attribute of Software system. The metadata comprises of which encapsulation method needs to be applied on each of the sensitive attributes based on sensitivity and data access requirement.

These modules needed to be designed with low impact on existing data model.

Points to be noted that database servers like Sql Server inbuilt functions for encryption & decryption always store the encrypted data in varbinary format. To avoid the datatype change and associated complexity, there might be a requirement to implement encryption module using as-is or an improvised form of different cryptographic algorithms like Feistel cipher algorithm.

An example of Fiestel Cipher is to coverts each character to ascii, then 8 digit binary,divide the reversed number in Left and Right, then apply complex key on Left and Right and reverse the position. Then the modified Left & Right is combined and converted to 3 digits decimal. Decryption of data follows the reverse logic.

Here encryption key plays an important role to ensure security of data. Encryption keys are generated at the beginning of an implementation and existing set of keys could be invalidated and new keys could be added back. Keys are always added with random number and before applying a key on a dataset a combination of 3 keys are chosen randomly and converted to binary format while used at runtime.

Keys could be kept in separate sqlserver instance or separate database.

For data pseudonization ceaser cipher could be used, which is a type of cyclic substitution cipher in which each letter in the plaintext is ‘shifted’ a certain number of places down the alphabet.

Pseudonymization process is mainly used in Software to mask numbers and data with low importance level.

Each byte of the VALUE is pseudonymized by performing addition of its ASCII value + value of the KEY, In case of de-pseudonymization subtraction is performed.

Data Annonymization can be implemented by Nulling on text field and Randomization on numeric. NULLING replaces the text with ‘X’ and Randomization replace numbers with a random number. Once data is anonymized data is destroyed and cannot be retrieved.

The reverse of the Encapsulation is applied during data deencaptulation.

The encapsulation and deencapsulation modules are invoked during insert,update operation in Software. All the insert, update operations are passed through a common method at java layer, annotations have been defined to intercept method, it will only intercept if sensitive data is involved during the insert, update operation. go0gle guice is a very good utility for method interception.

While data encapsulation is used during dml operation, de-encapsulation is used during select operation.

GDPR Access Control Architecture

All these are controlled by the Data Access Control module. It’s a mapping between user and GDPR role configured for each user of the system. The GDPR role explicitly defines the right of the user of Software system. It controls the sensitive data access of the user. Whether a Software user can perform GDPR sensitive data Insert,update, whether the user can see sensitive data in raw or encrypted format is defined by the GDPR role. During method interception for insert,update,select it first checks the cached Access Control data to retrieve the GDPR access rights of the user. If the user is allowed to see actual data then only de-encapsulation method is invoked for the screen containing personal data, otherwise that user will view encrypted data.

So GDPR Access Control & Encapsulation mechanism is very closely related.

 XML File View

Apart from these at the java layer the software might need to implement xml tag based personal data masking where user who do not have GDPR right to view personal information would see only masked data while previewing or downloading the xml files in the UI.

User Consent Management Architecture

The User Consent Management module have built-in capability to send Privacy Notice to a user through email requesting for their consent .The email contains a link to Yes and No consent which is validated through a dynamic key which remains valid for a preconfigured time. If a negative consent is received Software has the option to exercise the right to be forgotten by removing the data of that particular person or notifying the Data Controller for negotiation. If a positive consent is received then the date and time of consent is recorded in the system. There should be a repeat interval and maximum no of reminder to get consent from a person. If consent is not received after defined retries then a report is sent to the controller for further action. As Software would most of time play a Data Processor role, this module is an enabler for Data Controller to use the platform for consent management.

GDPR Auditing and Reporting Architecture

The Auditing and reporting framework, which again uses the GDPR encapsulation and de-encapsulation method to track the DML and SELECT operation performed through the frontend.

POC & experimentation with Change Data Capture & Database auditing proved that those needed additional configuration and comes with additional administrative overhead and also there was a risk of performance degradation. So application level sensitive data access is trapped within the process of GDPR DML and Select.

For admin user activity logging Software should use databases like sqlserver built-in event notification mechanism. We need to enable DDL_CHANGE_QUEUE.  Two SQL server audit object need to be created one for auditing super user SELECT and another for all super user DML operations. At the end of each week, fortnight or month audit report need to be published in html format describing the sensitive data access by all users including superuser and also all ddl,dml operation performed by admin users.

Data Breach Notification

GDPR mandates Data Breach Notification within 72 hours of such data breach occurrence to minimise penalty, so its a very important feature for any GDPR compliance implementation project. And also based on software feature and functionality data breach algorithm would undergo regular changes to address latest enhancements to the software system. So Data Breach Notification module need to be flexible & robust to absorb future changes without much change in underlying code. So there should be a seamless rule addition, rule modification & rule removal feature in built to the software.

One of the method to identify data breach is to activate action group-LOGIN_FAILED for auditing failed login attempts.

The data breach framework should be in place for identifying data breach and instant notification to data controllers and stakeholders.

GDPR Data Minimization

GDPR Data Minimization should be a configurable process which could be configured to reduce data from the entities of the business which have been defined as not needed, could be archived or could be put under history. As GDPR mandates data should be retained only for the required duration this module would help the project to get rid of unwanted data on a regular or adhoc basis.

Conclusion

In a nutshell, GDPR compliance is required to get a competitive advantage and avoid millions in penalty and GDPR compliance could be achieved only by Identifying Personal Data, by Identifying appropriate technical and Organisational safeguards and understanding Legal & Regulatory obligations.

Reference

http://gdpr-info.eu

http://eugdpr.org

http://ec.europa.eu

https://ico.org.uk/media/for-organisations/documents/1546/data-controllers-and-data-processors-dp-guidance.pdf

Wikipedia

Leave a reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">

*