Making Sense of the EU General Data Protection Regulation

January 14, 2016

Sunil Belgaonkar takes us through the most important aspects of the new GDPR and how it affects you.

Happy New Year to you!

You’ve probably heard of the European Union’s upcoming General Data Protection Regulation. This regulation aims to enhance privacy and strengthen data protection rights for EU citizens by defining, among other things, “Principles Relating to Data Quality,” “integrity and confidentiality,” a “right to portability” and a “right to be forgotten.”

Even if you already have an existing privacy solution or do not have offices in the EU, you can’t afford to overlook this regulation. Because it has been designed to cover all business applications that address EU citizens, even if those applications are developed and/or operated by companies outside of Europe, you’re almost certainly bound by it if your business touches the European market. Ignoring this fact could lead to large fines.

Once the regulation is approved, the EU has stated that there will be a two year transition period used to advise citizens of their rights and companies of their obligations. The net result will be companies prioritizing ‘GDPR compliance’ on their list of requirements when procuring (or renewing) IT products and services.

I have gathered this summary from different sources, and I highly recommend that you read the entire text of the regulation and talk to your corporate legal team to understand the actual implications of this regulation for your business.

What is the GDPR?

The European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR or the regulation). The regulation aims to enhance privacy and strengthen data protection rights for EU citizens. The previous EU Data Protection Directive 95/46/EC did not address important aspects such as globalization, and was written before recent technological developments, including social networks and cloud computing. The Commission therefore determined that new rules for data protection and privacy were required.

A couple of weeks ago, the EU Parliament’s Civil Liberties Committee announced that it had reached agreement on the text of the EU’s new General Data Protection Regulation, which will replace the aging 1995 Data Protection Directive (read the full text here) as the EU’s data protection law.

As a regulation, as opposed to the twenty-year-old directive it replaces, it directly imposes a uniform data security law on all EU member states. Once it receives the approval of the EU Parliament, it will become the law in every member state, thereby harmonizing EU data protection and privacy law from A(msterdam) to Z(agreb).

Does the GDPR Affect Me?

Article 3 of the GDPR states that any company that markets goods or services to EU residents may be subject to the GDPR, regardless of whether the company is located in the EU or uses equipment there. This provision essentially makes the GDPR a worldwide law, because many entities—from app developers to e-commerce companies and multinational corporations—want or need access to the European market, even if they have no European offices.

What if I Don’t Comply with the GDPR?

Article 79 states that a company that violates certain provisions of the GDPR—such as the basic processing principles or the rules relating to cross-border data transfers—may be subject to fines amounting to 20 million Euros or 4% of the company’s total worldwide annual turnover. Remember, GDPR is about protecting the privacy of EU citizens’ data—irrespective of where the ‘violator’ is based.

Article 32 states that the controller does not have to notify data subjects of a breach if the controller has implemented “appropriate technical and organizational protection measures” and applied those measures to the affected data.

Clearly, implementing the suggested protections against a data breach is far more cost effective than having to inform every single data subject (EU citizen) of the breach and paying fines.

How Does This Affect my Application?

Under Article 6 of “Principles Relating to Data Quality,” member states are required to ensure that personal data be processed fairly and lawfully; collected for specified and legitimate purposes; adequate, relevant, and not excessive given the purposes for which the data was collected and processed; accurate and kept up to date, where necessary.

Article 5 adds an additional “integrity and confidentiality” principle, which requires that data be “processed in a way that ensures appropriate security of the personal data.”

Article 18 of the GDPR grants data subjects a “right to portability” with regard to their personal data that is processed by automated means. This provision allows data subjects to transfer their personal data more easily from one application to another. A data subject also has the right to receive any personal data he or she provided “in a structured and commonly used and machine-readable format.”

Article 17 sets out the “right to erasure,” also known as the “right to be forgotten,” which gives a data subject the right to order an application to erase any of the data subject’s personal data in certain situations.

If your application collects personal data or processes any personal data, you may want to take a look at the details of the regulation and plan on being compliant ASAP.

Who Will Monitor Compliance to the GDPR?

Article 35 requires companies whose core activities involve large-scale processing of personal data—defined as information that reveals a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health or sex life, or sexual orientation—to designate a Data Protection Officer.

Under Article 37, Data Protection Officers must provide advice about, and monitor compliance with, the Regulation, and serve as the contact person for communications with the relevant supervisory authority. In addition, supervisory authorities will conduct regular periodic audits.

What Should I do if there is a Data Breach?

Article 31 of the Regulation sets out a single data breach notification requirement designed to be applicable across the EU. The rule requires controllers to notify the appropriate supervisory authority of the personal data breach within 72 hours of learning about the breach.

When Would the GDPR Become Effective?

As stated above, once approved, there will be a two year transition period. Expect it to take effect sometime in 2018.

How Can I Secure my Applications?

You’ll need to review your applications carefully to make sure they are compliant. I’m happy to report that Progress® OpenEdge® is already equipped to meet the needs of the “integrity and confidentiality” clause detailed in Article 5 in a number of key ways, saving you time and worry:

  • One way organizations are addressing data security is by encrypting data at rest. With encryption in place, anyone who lacks a valid user name and password for the database cannot read the personal data it holds, whether in the production environment or in copies backed up to other locations for disaster recovery. To encrypt data at rest, OpenEdge RDBMS Advanced Enterprise Edition provides Transparent Data Encryption (TDE). This encryption is built into the database, so no application changes are needed to encrypt the application data. TDE provides flexible configuration: an entire database, a table or a specific column can be encrypted.
  • Requiring industry-standard authentication to access your application is also key to protecting personal data in transit. Progress Application Server for OpenEdge (PASOE) provides industry-standard security and authentication via Tomcat and Spring Security.
  • Finally, Progress OpenEdge 11.6 brings all these aspects together with security updates across the entire platform, including support for the latest versions of the SSL and TLS protocols. This means personal information is protected while data passes between different application components.

Don’t forget that early compliance with GDPR can be a marketable factor for your business application. Taken as an opportunity, the GDPR can be your chance to differentiate yourself from competitors.

I hope this article provides you with enough content to get started, and drives home the point that the GDPR is coming soon—and you should start planning for compliance ASAP.

Sunil Belgaonkar

Sunil Belgaonkar brings more than 22 years of software industry experience to his position at Progress, and is currently responsible for the strategy and direction of the OpenEdge business.
