Articles

20 April, 2018

GDPR Compliance: the Guide to the General Data Protection Regulation

12 mins read 1269 views

Igor Chief Technical Officer, Aimprosoft

GDPR Compliance: the Guide to the General Data Protection Regulation article image

In today’s interconnected world the notion of security goes beyond the inviolability of private property, estate, and of the person. In the era of extensive hacking and breaching of data sooner or later the question of protecting the private information of people had to be reviewed. As we are partnering with clients not from the USA but also from the EU, the issues related to the compliance of data protection regulations concern us as well.

Hence, in this article, we’re going to investigate the much-talked-about topic of GDPR regulation coming into effect in one month on the territory of the European Union. Also, we will consider what obligations on non-EU providers of software services for EU located clients it will impose, the ways to get started on the right path with compliance, and how to avoid being fined for non-compliance.

GDPR overview

In 1995 the European Union adopted the Data Protection Act (officially Directive 95/46/EC) to standardize diverging data protection legislation among all 28 EU member countries. In April 2016 the General Data Protection Regulation (GDPR) was adopted to repeal obsolete Directive 95/46/EC and supersede it. The legislative changes come into force on the 25th of May introducing greater potential fines for misuse.

Briefly, the GDPR stands up for empowering persons more than organizations to control the information they entrust to be collected and used by companies.

Who is who in terms of GDPR

There is no “one-size-fits-all” policy for data exchange over the world community. But the only thing that brings people together is having rights to share or not the information on their own free will. Nevertheless, it is entirely justified to create a regulatory environment for citizens and economic operators affecting in the circumstances of the digital economy.

First of all, let’s make it clear about GDPR definition and basic terms of it.

GDPR lays down a strict and clear code of laws relating to the protection of natural persons private data usage and free movement. On the language of the GDPR, a natural person is defined as data subject when personal information about him/her is under processing. Data controller or data processor have the potential to process people’s information. Hence, Data Controller is named the entity which determines the goals, predefined conditions, and in what way data of individuals will be processed. And the data processor up to the law is considered to be the entity that processes data commissioned by the data controller.

In other words, all data with names, addresses, gender, etc. are specified as Data Subject. In this context, Data Processor is a non-EU software outsourcing company in terms of outsourcing partnership. And Data Controller is a company-client based in the European territory and which engages in activities of using personal data of EU citizens.

The main changes concern a territorial scope and applicability. Under the GDPR requirements, the legislation is applied to all companies established inside and outside the EU which process private data of people residing in the European Union area.

What is personal data in terms of GDPR?

Personal data being subject to the EU GDPR are classified into two main types. Regular is considered personal data which fall within a name, address, or gender and other natural identifiers of the natural person. While personal data categorized as sensitive have now more extended covering with genetic and biometric data, health-related data, sexual orientation or sex life of individuals and require stronger grounds to process.

A broader scope of personal data identifiers looks that way:

Name ID (ID card number, age, picture, biometric data);
Location (GPS coordinates);
Cultural identity (race, national origin, language);
Believes (philosophical, religious);
Online behavior (cookies, browsing, demeanor);
Health-related data (physical and mental health, test results, prescriptions, case history, health history);
Physical factor (gender, height, weight, age);
Physiological factor (gender, preferences, proclivities);
Social identity factors (relationships, family, marriages, criminal activity, professional career, correspondence records);
Economic factor (account info, credit history, transactions, ownership).

Please, note, the list doesn’t show the exhaustive data identifiers. We would like to give you some examples of GDPR data elements related to your person arranged.

Art. 5 GDPR.Principles relating to processing of personal data

Lawfulness Fairless Transparency	The Data Subject has an inalienable right his/her personal data to be processed lawfully, fairly, and transparently.
Purpose limitation	Purposes of data collection should be specific, explicit, and legitimate only. No further processing is permitted.
Data minimisation	The data is required to be processed adequately, relevantly, and limitedly to the purposes, the data is used.
Accuracy	The data is expected to be accurate and updated. The personal data considered inaccurate should be erased and rectified.
Storage limitation	The personal data should be stored in a format which permits identification of data subjects for no longer than is necessary.
Integrity Confidentiality	The data should be processed in a manner of total protection against unauthorised data processing, loss, destruction through appropriate efforts.
Accountability	The Data Controller is responsible for proving its compliance.

How GDPR affects your business?

The European Commission attaches great importance to consumer trust. Lack of trust in data security inhibits investment in the digital environment. The largest holders of the tremendous data assets are consumer-facing companies. Retailers always ask consumers to enter their names, emails, home addresses, sign up with a code word of a favorite pet or mother’s maiden name, etc. Familiar to you?

What are the penalties for non-compliance?

GDPR requirements forced firms to delve into the protection issues for both sides who control and process personal data. And intricate as it may seem, the non-compliance with the law is not protected companies from being fined for breaches. If a controller or a processor commit violations intentionally or negligently, they will have to pay the penalty. The GDPR fines system is tired. Administrative fines make up to €10 mln for breaches or up to 2 % of the annual turnover. In the event, the gravity data protection infringements occur, financial penalties will cost enterprises 4% of global annual turnover from the preceding fiscal year or €20 mln.

The GDPR compliance statement reads companies are supposed to attach higher importance to obtaining explicit consumer consent. Legally speaking in the present case, the consent is regarded as a freely given, specific, informed and unambiguous evidence to process personal data of a single person. Let’s come at it with different angles.

Online data collecting

If a non-EU company conducts business on the territory of Europe or offers services or products online for the EU citizens as a B2C entity, it certainly falls under the terms of the General Data Protection Regulation. However, B2B-oriented companies are exempted from the obligation to comply with the law. It is worth noting, non-EU outsourcing software providers who are assigned to process data of natural persons from any of EU state members are responsible under the agreement for ensuring their EU customers (or customers who target on the European market) the data are properly processed.

Non-EU outsourcing processors

Outsourcing companies like Aimprosoft which provide software development services for clients located in Europe, in the United States, and the other areas of the world are not exonerated from liability for infringements committed intentionally or unintentionally. Controllers are the primary duty-bearers and can be held accountable for information leaking out. As for processors, which act on behalf of the controllers, they have to make secure data processing under the GDPR compliance directive as well. At the same time, controllers will be called to account for the empowerment of the third party to process data improperly.

72-hours rule

If it happened the personal data privacy was breached, companies are obliged to report without undue delay, or where feasible, about the fact to the EU regulator and notify individuals whose privacy is at the high risk of data being exposed. Of course, there is also a get-out clause concerning the potential for hazards. If they are not weighted as the attack on the rights and freedoms of people, then one may avoid reporting to the supervising authority.

GDPR compliance certification

There is no actual GDPR compliance certification organization recognized on the government level per se. Each country has its governmental regulator acting as a technological ombudsman on issues relating the protection of personal information and freedom of information mostly within the digital environment. It is recommended the European companies getting assisted with the employed Data Protection Officer (DPO) an external consultant who has sufficient knowledge in data protection and who is placed to oversee a high degree of compliance with rules of data processing. An appointed DPO is required in case of a large scale of data processing.

Given the fact that numerous agencies which offer certification are not qualified because there is no institution, the responsibility falls heavily on the shoulders of companies themselves.

We have acquainted you with the GDPR key points as of now. We know that our readers wonder if outsourcing software vendors from the Eastern Europe IT hub are ready to abide by the rules being short of coming into effect soon. Below we will consider in detail the course of actions to be held according to the GDPR compliance timeline. The aim is to enumerate advisable steps to be undertaken by companies.

The GDPR compliance checklist is:

1. Scrutiny. It will be good to start with a thorough analysis of blind spots if any. Security and data privacy observance have to be revised and improved for the updated regulations. Particular attention here is paid to the systems ensuring the safety data cross-border exchange. In this case, a roadmap of improvements will facilitate the process.

2. Audit. The ownership of the company should have a clear understanding of the data entrusted to be processed and controlled in order to build a strong GDPR strategy. For outsourcing companies, it means to ensure a sufficient data protection policy based on the understanding and responsibility. The audit should be internal (in-house activity about data processing of the EU customers) and external (checking third-parties as AWS, payment, tax, and shipping providers, etc.).

3. Data identification. Classifying data by category of risks is prudent. Both clients (controllers) and providers (processors) should know the types of data and prioritize them according to the sensitivity. It helps to streamline data management according to retain policies and remove files deemed unnecessary in time.

4. Point person. Companies which work with a large scope of data should get assisted by a compliance officer responsible for keeping updated the company management concerning the GDPR rules and raise the awareness across the company. It is advisable for outsourcing vendors to match the efforts with their customers with the help of in-house Lawyer and Security Analyst. The name of position may differ from company to company and sound as Tech Lead/Team Lead, CTO or System Architect.

5. Third-party vendors shouldn’t be left out too. Data controllers should check if their current providers adhere to the regulations. The role of outsourcing companies here is equally important too because they implement external solutions and may advise the right steps.

6. Staff training. The new Regulation requires a company-wide commitment. As well as the European companies, the outsourcing firms are expected to hold training sessions for their staff in order to prepare them for ensuring respect for the law. It concerns distributed development teams located beyond the EU area as well.

Measures Aimprosoft undertook to be compliant

First of all, we would like to pay your attention that not every project Aimprosoft copes with falls under the GDPR compliance documentation. Those containing personal information of EU citizens are receiving the active attention while dealing with data remotely. The rest are developed with respect to the concluded agreements with each client individually.

Legal background

In the projects Aimprosoft falls within the scope of the provision we undertake the following:

Upon request of our clients, we sign an agreement to keep non-disclosure of personal data of the end customers of the system.
Aimporosoft has updated Data Processing Agreements signed with each employee on the data retention policy issues.
The procedure of proceeding the requests to access confidential information is implemented with respect to the GDPR.
The strategy of the company on improving access to the confidential information and data retention policy is approved.
The policy to prevent users from unauthorized access to the personal data is approved.
It is developed a plan to train employees on GDPR.
Data Protection Officer was assigned to follow up on the commitments made by Aimprosoft to the clients.

Technical background

Aimprosoft has worked on the effort to become technologically compliant with the GDPR. The actions that have been taken:

audit and test security of our systems were updated;
personal data and confidential information encryption was improved by the requirements of GDPR;
antivirus software was updated;
effective traffic scanning and firewalls were implemented;
a password policy was improved and became more strict and fully complied with the Regulation.

Privacy by design at Aimprosoft

When designing the system, one needs to be paranoid and do three things:

clarify the roles;
invest nobody with full authority;
encrypt all sensible information.

Files and passwords are hashed, and the protection of the system is set out according to the OWASP that defines the system as reliable.

Aimprosoft’s key software technologies Liferay, Alfresco, and SAP Hybris are GDPR compliant

We have been working with Liferay, Alfresco and SAP solutions over 13 years holding a finger on the pulse. This time we treated the same way. Our approach in partnership is to keep updated systems we develop based on the mentioned platforms. As a rule, we initiate migration to the higher version right away the minor version compliant with GDPR was released. As for SAP Hybris Commerce platform, it is GDPR-ready since v6.6. Other featured GDPR SAP solutions are SuccessFactor, Ariba, and Business One.

Alfresco, for example, chose the different way. They updated the Alfresco records management module and issued it as Alfresco governance services. The latest 2.7 version has features on working with records compliant with GDPR. It is easier to update one single module which is compatible with any Alfresco solution than to migrate to a higher version.

Liferay Inc. offers an open-source platform for enterprises with reliable data protection. A functionality of Liferay 7.0 DXP includes a series of application security GDPR-focused features but not limited to a granular control over the entire system, solid password encryption, and configurable password policies, single sign-on integration, and entitlement management system.

Conclusion

For the EU companies which outsource their IT development to non-EU providers, the compliance with GDPR is more vital. In its turn, outsourcing companies should not interpret the new regulation as a barrier and step aside. We appreciate human values and being a month away from the GDPR enforcement we did all that is needed to continue partnering in full respect for the law. And now answer yourself are you ready for GDPR?

Igor Chief Technical Officer, Aimprosoft

For more than fifteen years, Igor has been heading towards innovative technologies, gradually replenishing the arsenal of Aimprosoft capabilities with SAP Hybris, Liferay, Alfresco, and many other technologies. Possessing an extensive list of IT services, the company fully embodies the customer’s vision of digitization — a philosophy that Igor has been followed from the start. Constantly keeping his finger on the marketplace’s pulse, he predicts and successfully uses opportunities that only promise to become popular.

Julia Copywriter, PR manager

Julia is a confident master of the writing craft. She combines a unique experience across marketing and sales, which enables her to convey the message. Julia is extremely knowledgeable and open-minded, so she has an extensive skill set that includes conducting thoughtful and effective research and gathering valuable information. It enables Julia to grasp the entire business picture and create content brilliantly for the high-tech sector and B2B needs. Julia also delivers Aimprosoft's PR activities, managing cooperation with media and developing the company communications system.