The goal of the General Data Protection Regulation (GDPR), that will come into effect in May 2018, is to harmonize data protection across EU countries. It will require organizations handling EU residents’ data to implement a number of data protection measures including data anonymization, data pseudonymization, breach notification and trans-border data transfers, to name a few. And here we do not talk only about organizations from EU; all organizations around the world who store and manage personal data related to EU residents fall under this regulation. If you fail to comply with the GDPR you will be fined up to 4% of your turnover or 20 Mio. EUR whichever is higher! I will skip further legal ramifications and focus on some specific GDPR requirements.
Organizations that want to use their production data (containing personal data) for non-production purposes like testing, BI, knowledge management, marketing etc. are also required to comply with the GDPR.
It is now part of our daily business to answer questions from our clients and leads regarding GDPR. I actually expect that GDPR will be a main driver for data anonymization (data masking) solutions market in the next couple of years. Here are the questions most asked by our clients:
- How can you help us in achieving GDPR compliance?
- BizDataX is a data anonymization solution. Does it support pseudonymization techniques?
- Can you provide us with a set of GDPR requirements regarding personal data protection so we can enforce those in our testing environments?
- Are we covered with extensive NDA’s? (Clearly NOT)
All these questions need elaborating so let me start with the first one and continue in the next posts with the rest.
Achieving GDPR compliance
To achieve GDPR compliance one needs to implement a number of data privacy and data security measures, including business policies and procedures updates and even organization related cultural changes. Our focus here is the aspect of using personal data stored in production systems for secondary usage, i.e. in non-production environments.
A typical scenario would be to use production data for the testing purposes. According to a number of reports, a staggering 72% percent of organizations allow development and QA teams to access production data (see 2015 Annual State of DevOps report commissioned by Delphix). Both the benefits and the risks of using production data for testing purposes are obvious, so let’s see what has to be done to exploit the benefits and mitigate the risks.
To do it right and meet GDPR requirements, a number of steps need to be completed:
- Analyzing production data stores that need to be used for secondary usage
- What kind of personal data is stored there and in what format?
- Where exactly this personal data can be found?
- Is the same personal data spread across many data stores?
- Analyzing secondary usage scenarios
- Who is going to use this personal data, for what purposes and for how long?
- How is personal data going to be transformed in order to protect privacy?
- Can personal data be generated synthetically instead of being copied from the production?
- Is personal data going to be saved outside of production (backup, replication)?
- Is it good enough to have (a small) subset of production data for non-production purposes?
- Implementing personal data transformation rules
- Is personal data going to be anonymized or pseudonymized?
- Are (some) personal data transformation algorithms reversible?
- How much does it take to implement rules and create database clones that are ready for non-production purposes?
- Do you have reports in place that can provide insight on how personal data has been protected before the actual use in the non-production environment?
Ideally, to meet one of the GDPR requirements, an organisation has to prove that a production environment is clearly separated from non-production environments. That means that all personal data is anonymized and there is no way for an unauthorized person, who is able to access a non-production data store, to find out what data belongs to an actual natural person. In a real-world scenario, it takes a lot of time and resources to analyze data, implement rules and provide anonymized or pseudonymized data for secondary usage. With the BizDataX solution and the expertise of the BizDataX Professional Services team, the time and resources will be reduced to minimum allowing organizations to comply with GDPR in much less effort than expected.
Co-Owner, Member of the Board