Data Privacy and GDPR

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. It is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).

The GDPR guidelines require that organizations protect the personal data and privacy of EU citizens not only for transactions that occur within the European Union, but also for any transaction affecting EU citizens, regardless of their location. All organizations, regardless of their location or size, that control or process personal data of subjects in the European Union must comply with GDPR.

What exactly does personal data mean under GDPR? According to GDPR, personal data span any information “relating to an identified or identifiable natural person (‘data subject’)”, and such identifiers can include a name, some sort of identification number, an email address, or even “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Rights of Data Subjects

Under GDPR, data subjects have the following rights with regards to their personal information:

  • the right to be informed about the collection and the use of their personal data
  • the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete
  • the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner

There are essentially two main responsibilities for organizations to meet GDPR compliance: they must store and manage personal data in a way that makes the data accessible and removable for the data subject, and they must secure and protect those personal data in transit and at rest. But those responsibilities differ depending on whether the organization is the data processor or the data controller, though many organizations act as both in some capacity.

A processor is a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” The controller refers to the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.” In simple terms, controllers decide what data are collected and why, and processors handle the data on their behalf. But both controller and processor must act in compliance with GDPR and protect data from unauthorized access, destruction, loss and disclosure.

It is important to dive deeper into the nuances of the terms “privacy” and “protection” as they relate to digital data movement and data processing, as such nuances can have different implications in how enterprises manage personal data and meet GDPR compliance mandates.

Data Privacy and Data Protection

Data privacy and data protection certainly are similar terms and often overlap, but they are not always synonymous. Data protection is the practice or process of safeguarding information from corruption and loss. Data privacy (or information privacy) relates to organizations’ processing rules and practices and restrains controllers and processors from using data in a wrongful manner.

More simply, data protection involves securing data against unauthorized access, while data privacy involves what happens with those who have authorized access. Data protection is usually centered on securing information and may include encryption, secure communications protocols and measurable security policies. Data privacy might best be considered a legal issue that focuses on how personally identifiable information (PII) is collected, stored and used. The focus of data protection, then, is security, whereas data privacy has more to do with how the information is governed and used.

Such differences are important to the privacy and cyber security discussions facing organizations today, especially those subject to compliance mandates such as the US Sarbanes-Oxley Act (SOX), the US Health Insurance Portability and Accountability Act (HIPAA), and, of course, GDPR. Consequently, both the movement and processing of data—and the business procedures around those workflows—must be considered, measured and monitored to adhere to required compliance standards.

In a digital business context, data protection does not always equal data privacy, and, although it is possible, it is extremely difficult to ensure privacy when digital data are not protected by technology. If someone can misuse an individual’s personal information, that individual’s privacy cannot be assured. It is important that organizations that act as the data processor and controller employ data protection technologies, including copy data protection, encryption, managed file transfer, secure integration and others that help to fortify the governance processes of the data.

The Importance of Processes

The GDPR mandate puts considerable emphasis on data processes, including the integration and ingestion—the processing—of the data. Thus, organizations are beginning to think about privacy from not only a protection standpoint (how they can secure it anywhere), but also from a process protection standpoint (how they can govern data use every step of the way).

Nearly everything an organization does with data constitutes processing, and virtually every process involves data transfer at some level. For industries including healthcare, financial services, and logistics and transportation, data transfer is core to basic operations, and any action on data, including internal transfers, external transfers, storage, viewing, analyzing, changing, synchronizing and replicating, is, technically, a processing event.

Examining the broader chain of custody around these events alongside every interaction and every process outlined by GDPR, data transfer appears at each step. In fact, organizations may find it useful to ask themselves some questions about their overall technology stack:

  • How do business-to-business (B2B) data move through the enterprise resource planning (ERP) software, electronic data interchange (EDI) systems, and transportation and warehouse management systems along the supply chain?
  • Does the organization transform a partner’s flat file into an IDoc so it can be ingested into the organization’s SAP system?
  • If the organization uses a cloud storage repository, what is the cloud integration process that gets the data there safely?
  • For the Salesforce customer relationship management (CRM) system powering the organization, what integration processes have to happen to keep it up to date with purchasing, billing and shipping information from other applications?
  • How is information moved into and out of the data warehouse feeding the data analytics platform?

Even though it is behind the scenes for most organizations, data movement is at the core of every business process, and it is an organizational responsibility to protect that data in all manner of transfer, including B2B, ground to cloud, system to system, application to application, system to person, and person to person.

If any action on digital data throughout the ecosystem is technically a processing event, technology must be in place to properly secure and govern those events. So how do these organizations, which are simultaneously data processors and controllers, employ the right balance of technology usability, security and governance to ensure that data get moved, integrated and processed in accordance with their compliance needs? The answer for many organizations is ecosystem-driven integration platforms.

Securing Data and Data Processes

In the new world order of GDPR and the associated need to secure and govern data flows across firewalls, the road to compliance is paved with technology. GDPR and other compliance mandates require organizations to provide some level of personal data protection and, to do that, organizations need to secure, govern and control their data flows and prevent unauthorized access and use.

Encryption and secure file transfer technology are common means of protecting data, but they do not explicitly enable the data’s privacy. The governance and policy enforcement mechanisms do that. So, for many purposes, data privacy is a subset of data protection and is often a side effect of smart policy when that policy provides broader protection.

In a B2B landscape, business data move among systems, applications and people that organizations cannot inherently control. That is why compliance and governance—key aspects of the modern business ecosystem—are so difficult to implement without the right core integration platform. Modern organizations gain a step in providing both protection and privacy of digital personal data when they upgrade their data processes using advanced integration technology.

Ecosystem-driven integration platforms protect data processing events when data are in transit and at rest with end-to-end encryption so that only authorized users can access the data. They also provide mechanisms to govern and control every aspect of the integration process, whether application programming interface- (API-) or file-based integrations. This governance, delivered by a robust orchestration engine with consistency and dependability, ensures that personal and sensitive information can be properly handled, whether encrypted or not. Protection of those interactions and the processes surrounding them is just as critical. It requires support for a multitude of methodologies and standards, including standards for securing and managing all aspects of data movement, securing the platform, and providing robust auditing and reporting around access, initiation and termination of any integration-dependent process.