WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report


KuppingerCole Report
WHITE PAPER
by Mike Small, December 2017

GDPR introduces stringent controls over the processing of PII relating to people resident in the EU, with high penalties for non-compliance. Compliance requires costly controls that can be justified for processing of PII with direct business benefits. However, using PII for non-production purposes, such as development and test, incurs the same risks and needs the same costly controls. Organizations can avoid these risks and costs by using data masking techniques to remove PII from data used for non-production purposes. The Delphix Dynamic Data Platform can help organizations to reduce the costs and risks associated with this use of personal data.

Content

1 Executive Summary and Highlights
2 GDPR: Background and Overview
3 GDPR and Non-Production Data
5 Recommendations
6 Copyright

Related Research Documents

Leadership Brief: Six Key Actions to Prepare for GDPR
Advisory Note: Maturity Level Matrix for GDPR Readiness
Leadership Brief: Cloud Provider Codes of Conduct and GDPR
The Importance of Consent Management: CIAM vs. GDPR
There Is No Such Thing as GDPR-Compliant Software or SaaS Solution
GDPR and PSD2: Challenges and Opportunities for CIAM
Please! No More GDPR Related Blog Posts!

1 Executive Summary and Highlights

The EU GDPR (General Data Protection Regulation), which becomes effective on May 25th, 2018, will affect organizations worldwide that hold or process personal data relating to people resident in the European Union. The definitions of both personal data and processing under GDPR are very broad, and processing is only considered to be lawful if it meets a set of strict criteria. GDPR also gives the data subjects extended rights to access, correct and erase their personal data, as well as to withdraw consent to its use. The sanctions for non-compliance are very severe with penalties of up to 4% of annual worldwide turnover. Critically, the organization that collects the personal data, called the Data Controller, is responsible for both implementing and demonstrating compliance.

KuppingerCole has identified six immediate actions that organizations holding personal data need to take to ensure compliance with this regulation when it comes into force; these are: 1) discover the personal data held; 2) implement controls on how this data is processed; 3) ensure processing meets data subjects' rights; 4) assure that outsourced processing is compliant; 5) update and test the processes for managing a data breach to include the new requirements for notification; 6) implement data protection by design and default.

While most organizations will be aware of where personal data is used as part of their normal business operations, many use this data indirectly, for example as part of test and development activities. Because of the wide definition of processing given in GDPR, this use is also covered by the regulation. The Data Controller is responsible for demonstrating that this use of personal data is fair and lawful. If this can be shown, then the Data Controller will also need to be able to show that this processing complies with all the other data protection requirements.

However, organizations can avoid these risks and costs by using data masking techniques to remove personal data where it is not needed for business purposes. GDPR accepts the use of pseudonymisation as an approach to data protection by design and default. In addition, the Data Controller can take account of the existence of appropriate safeguards, which may include encryption or pseudonymisation, when considering processing the data for purposes other than that for which it was collected. However, there is still an element of risk relating to the reversibility of this form of protection. The Data Controller must manage this risk by the appropriate choice of tools.

The Delphix Dynamic Data Platform enables organizations to discover, manage and secure personal data used for non-production purposes in a way that complies with GDPR. Its data discovery service can identify sensitive data that comes within the scope of GDPR, held in a wide variety of data sources. It provides governance and control over the distribution of non-production data, so that where it is used can be managed. It can anonymize personal data in a way that removes the data from the scope of GDPR while still retaining the relationships that make it useful for development and testing.

In summary, the Delphix Dynamic Data Platform, where correctly used, can help organizations to reduce the costs and risks associated with the use of personal data for non-production purposes when GDPR comes into force.

2 GDPR: Background and Overview

The EU GDPR, which becomes effective on May 25th, 2018, imposes a much tougher regulatory framework and will affect organizations worldwide that hold or process personal data relating to residents in the European Union.

The existing EU data protection framework has evolved over time. The current framework was defined as an EU Directive (EC/95/46) [1] in 1995 and was subject to interpretation by the individual member states. This will change on May 25th, 2018 when the EU General Data Protection Regulation [2] comes into force. GDPR imposes a much tougher data protection framework and, since it is a regulation, it removes the differences in interpretations that had developed between the EU member states.

GDPR defines personal data as any information relating to a natural person living in the EU who can be identified directly or indirectly. It includes specific references to: identification number, location data, online identifier, and any factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

GDPR retains the existing definitions for Data Controller and Data Processor. The Data Controller is the organization that defines the purpose for collecting and processing of personal data. The Data Processor is the organization that processes personal data on behalf of the Data Controller.

The definition of processing is very broad: it covers any operation that is performed on personal data or on sets of personal data, whether or not it is automated. It includes everything from the initial collection of personal data through to its final deletion. Processing covers every operation on personal data including: storage, alteration, retrieval, use, transmission, dissemination or otherwise making available.

The definition of personal data is very wide ranging, and the definition of processing is also very broad.

GDPR defines a set of principles governing how personal data must be processed in Article 5. These principles require that both Data Controllers and Data Processors act lawfully, fairly and transparently. They also require that personal data shall only be used for the purposes for which it was collected and must be relevant to the purpose while being the minimum necessary. It should be kept up to date and deleted when no longer necessary. Critically, the burden of proof to demonstrate compliance with these principles lies with the Data Controller.

Processing of personal data is only lawful if it satisfies one of the conditions set out in Article 6. These include: with explicit consent from the data subject for that use; for the performance of a contract or legal obligation; to protect the vital interests of the data subject; for a task in the public interest; or where processing is necessary for the legitimate interests of the controller.

The data subject has rights to access, correct and erase their personal data as well as to withdraw consent to its use.

GDPR sets out several rights that the data subject has in relation to their data. These rights include: the right to have confirmation from the Data Controller as to whether or not their personal data are being processed, and, where that is the case, access to their data; the right to the rectification of inaccuracies; the right to withdraw consent; and the right to have their personal data erased.

The sanctions for non-compliance are very severe with penalties of up to 4% of annual worldwide turnover.

GDPR sets out the sanctions to be applied to organizations that fail to comply with the regulation in Article 83. These depend upon the circumstances of the individual case and the degree of negligence involved. Two levels of penalty are defined:
- up to the larger of 2% of annual worldwide turnover or 10 Million Euro for internal matters;
- up to the larger of 4% of annual worldwide turnover or 20 Million Euros for breaching the principles, consent, subject rights or data transfers.

KuppingerCole has defined 6 key actions organizations need to take to prepare for GDPR.

The 6 key actions [3] to prepare for GDPR are: 1) discover the personal data held; 2) implement controls on how this data is processed; 3) ensure processing meets data subjects' rights; 4) assure that outsourced processing is compliant; 5) update and test the processes for managing a data breach to include the new requirements for notification; 6) implement data protection by design and default.

[1] EUR-Lex L EN - EUR-Lex
[2] EUR-Lex R EN - EUR-Lex
[3] Leadership Brief: Six Key Actions to Prepare for GDPR KuppingerCole

3 GDPR and Non-Production Data

The Data Controller is responsible for demonstrating that the use of personal data for non-production purposes is fair and lawful. If this can be shown, then the Data Controller will also need to be able to show that the non-production processing complies with all the other data protection requirements.

Organizations that use personal data as part of their normal operation will clearly need to take account of GDPR. However, many organizations use personal data indirectly, for example as part of test and development activities, and, because of the wide definition of processing given in GDPR, this use is also covered by the regulation.

While the marketing and customer facing functions within the organization may have prepared for compliance with GDPR, the back-office functions may not even be aware of the regulation. Furthermore, an organizational strategy for digital transformation can lead to intensive IT development needs which may then be outsourced. The personal data used for non-production activities may then proliferate outside of the control of the organization. However, the responsibility for compliance, together with penalties for misuse, remains with the Data Controller.

For example, a database or file that contains personal data may be needed as test data for a new marketing mobile app that is being developed by a third party. To facilitate this development a copy of this data may be uploaded into a cloud service. During its use, the data may be visible to the development team, creating risks of leakage. The development team may take further copies of the data and these copies may then be further transferred without the knowledge of the Data Controller. All of these activities are covered by the definition of processing within GDPR. If the Data Controller cannot demonstrate that the non-production use is fair and lawful, or even worse, if the organization is not even aware that the data is being used in this way, it may be subject to the sanctions defined in GDPR.

Therefore, the principles of GDPR would apply to this use of the data and it will be up to the Data Controller to demonstrate conformance with the principles. This raises a serious challenge: how can the Data Controller justify the use of the personal data for development and test purposes? Can the Data Controller show that this processing satisfies one of the conditions in Article 6?

If the Data Controller can justify that this non-production processing is fair and lawful then all the GDPR data protection requirements apply to that processing.

All the GDPR data protection requirements that apply to the use of personal data for business purposes will also apply to the non-production use of that data. For example:
- Making and distributing copies of personal data adds to the risk of its loss, leakage and unauthorized access. To meet the requirements of Articles 32 and 35, Data Protection Impact Assessments that cover this use may be needed.
- Using a third party to perform development and test using personal data is subject to the same rules as using a hosting or cloud service to process the data. These require a written legal agreement as set out in Article 28 (3).
- The data subject rights would apply to the non-production copies and processing of the personal data including: disclosure, rectification and erasure of all copies of the data. In addition, the consent management processes would need to extend to all non-production copies and processing of the data.
- The policies, processes, procedures and technology to detect, report and manage data breaches would need to be extended to include all the non-production copies and processing of the personal data.

A better alternative is to avoid the problem altogether using techniques to anonymize the personal data in non-production use.

While the costs and complexities of compliance with GDPR may be justified by the benefits from using personal data for normal business processes, this is unlikely to be the case for its non-production use. However, the GDPR provides a way to legitimately avoid the need for compliance. According to GDPR (Recital 26), the principles of data protection should not apply to anonymous information, that is information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not identifiable.

One approach is known as pseudonymisation, and GDPR accepts the use of pseudonymisation as an approach to data protection by design and data protection by default (Recital 78). Pseudonymisation is defined in Article 4 as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information... with the additional proviso that the additional information is kept separate and well protected.

In addition, under Article 6 (4)(e), the Data Controller can take account of the existence of appropriate safeguards, which may include encryption or pseudonymisation, when considering whether processing for another purpose is compatible with the purpose for which the personal data were initially collected and the processing for another purpose.

However, the provisos introduce an element of risk for the Data Controller relating to the reversibility of the process and protection of any additional information that could be used to identify individuals from the pseudonymized data.

Pseudonymisation is encouraged as a way to implement data protection by design and default but there is a residual risk for the Data Controller who needs to manage this by the appropriate choice of tools.

4 The Delphix Dynamic Data Platform enables organizations to discover, manage and secure personal data used for non-production purposes in a way that complies with GDPR.

As a first step to compliance with GDPR, an organization needs to have an inventory of all the personal data it holds. Building this inventory may involve manual or automated processes to discover all the data sources that exist and the data that they hold.

The Delphix Dynamic Data Platform holds a library of production data sources and then acts as the mechanism by which data copies are created and distributed to non-production or development environments. The Delphix Dynamic Data Platform can identify sensitive data, and information that comes within the scope of GDPR, that is held in these data sources through its data discovery service. This service comes with a set of preconfigured profiler-sets that identify sensitive data. These profiler-sets include GDPR as well as other regulations such as PCI-DSS and HIPAA.

The Delphix Dynamic Data Platform supports the discovery of personal data.

An organization can extend the built-in profiler-sets and create ones to match their own policies defining what information is considered sensitive. The user can define the data patterns that identify fields needing to be treated as sensitive using the Java regular expression language. The use of double-byte language character sets as well as European language characters is supported. The sensitive data can be identified through searching metadata, such as the Oracle catalogue, as well as data held in the data source.

Once the data sources and sensitive data have been identified, the Delphix Dynamic Data Platform can secure the sensitive data using data masking and control where, when and to whom this data is distributed. The profiler-set defines the default masking algorithm to be used and whether the data is to be masked immediately. These defaults can be changed using the GUI.
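The two discovery routes described above (matching metadata and matching the data itself) can be sketched as follows. This is an added example, not Delphix code or its profiler-set format: the ProfilerEntry structure, the patterns, the algorithm names and the sample table are all constructed for illustration, and the patterns use only regex syntax that Java and Python share.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProfilerEntry:
    """One rule of a hypothetical profiler-set (assumed structure)."""
    domain: str                  # kind of sensitive data the rule detects
    name_regex: str              # searched in column names (metadata)
    value_regex: Optional[str]   # must match a whole sampled value; None = metadata only
    algorithm: str               # default masking algorithm assigned on a hit


# Constructed rules. Order matters: the first rule that fires wins.
PROFILER_SET = [
    ProfilerEntry("FIRST_NAME", r"(first|given)[_ ]?name|vorname|prénom",
                  None, "first_name_lookup"),
    ProfilerEntry("EMAIL", r"e[-_]?mail",
                  r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", "email_scramble"),
    ProfilerEntry("IBAN", r"iban",
                  r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", "account_scramble"),
]

# Constructed sample: column name -> a few sampled values.
SAMPLE_TABLE = {
    "PRÉNOM": ["Zoë", "Jürgen", "George"],
    "EMAIL_OPT_IN": ["Y", "N", "Y"],            # name looks sensitive, data is not
    "CONTACT": ["zoe@example.com", "j.mueller@example.de", ""],
    "NOTES_2": ["DE89370400440532013000", "FR1420041010050500013M02606",
                "GB29NWBK60161331926819"],      # sensitive data behind a vague name
    "ORDER_TOTAL": ["19.99", "5.00", "120.50"],
}


def profile_table(columns, min_ratio=0.8):
    """Return {column: (domain, evidence, default_algorithm)} for flagged columns.

    evidence is "metadata", "data" or "both", so a reviewer can tell a
    name-only hit (possible false positive) from one confirmed by content.
    """
    findings = {}
    for column, samples in columns.items():
        values = [v.strip() for v in samples if v and v.strip()]
        for entry in PROFILER_SET:
            by_name = re.search(entry.name_regex, column, re.IGNORECASE) is not None
            by_data = False
            if entry.value_regex and values:
                hits = sum(1 for v in values if re.fullmatch(entry.value_regex, v))
                by_data = hits / len(values) >= min_ratio
            if by_name or by_data:
                if by_name and by_data:
                    evidence = "both"
                else:
                    evidence = "metadata" if by_name else "data"
                findings[column] = (entry.domain, evidence, entry.algorithm)
                break
    return findings


if __name__ == "__main__":
    for column, finding in profile_table(SAMPLE_TABLE).items():
        print(column, finding)
```

Reporting the evidence type matters in practice: a column flagged on metadata alone still needs review before its default algorithm is applied, and a column flagged on data alone is the kind of field a name-based inventory would have missed.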
The sensitive data identified by the profiling process is secured using data masking. This replaces the sensitive data in the data which is distributed with data that is structurally similar and realistic. The replacement uses proven cryptographic techniques that ensure the replacement process is irreversible. Since the process is irreversible this masked data is considered by GDPR to be anonymized and is therefore outside the scope of the regulation.

The Delphix Dynamic Data Platform can anonymize personal data and remove it from the scope of GDPR.

The Delphix Dynamic Data Platform provides two basic approaches to data masking with 7 different techniques and 32 algorithms delivered out-of-the-box. These algorithms retain consistency between data sources so that the same data from different sources is altered in the same way. Figure 1 illustrates the result of masking the first names of people in two data sources. In this case George in the claimant table is the same person as George in the employee table and so the masked data for George in each of these is the same.

Figure 1: Illustration of Data Masking

There may be some cases where it is necessary to be able to reverse the masking process and the Delphix Platform includes a tokenization option to cater for this. When tokenization is used a record is kept of the token used to replace each data value. Therefore, tokenized data is only as secure as the token database and so is not anonymized for the purposes of GDPR compliance.

Figure 2: Delphix Control over Data Copying

The Delphix Dynamic Data Platform governs and controls the distribution of non-production data.
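The difference between consistent masking and tokenization described above (Figure 1 and the tokenization option) can be shown in a few lines. This is an added sketch, not Delphix code or one of its algorithms: a keyed HMAC picks the replacement so that the same first name masks identically in both tables, while the hypothetical TokenVault keeps the value-to-token record that makes tokenization reversible. The tables, the name pool and every function name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed replacement pool (assumption); a real pool would be far larger.
REPLACEMENT_NAMES = ["Alice", "Bruno", "Chloe", "Dmitri",
                     "Elena", "Farid", "Greta", "Hugo"]

# Constructed rows standing in for two separate data sources.
CLAIMANTS = [{"claim_id": 101, "first_name": "George"},
             {"claim_id": 102, "first_name": "Maria"}]
EMPLOYEES = [{"emp_id": 7, "first_name": "George"},
             {"emp_id": 8, "first_name": "Tomasz"}]


def mask_first_name(value, key):
    """Deterministic keyed substitution: same value and key give the same name.

    The mapping is many-to-one and keeps nothing of the input, so the output
    alone does not reveal the original. The key is the "additional
    information": whoever holds it can recompute the mapping for guessed names.
    """
    norm = value.strip().casefold().encode("utf-8")
    digest = hmac.new(key, norm, hashlib.sha256).digest()
    index = int.from_bytes(digest[:8], "big") % len(REPLACEMENT_NAMES)
    return REPLACEMENT_NAMES[index]


def mask_sources(sources, column):
    """Mask one column across several sources with a single per-job key.

    Sharing the key inside the job is what keeps George in one table equal to
    George in the other. The key is generated here and never written anywhere.
    """
    key = secrets.token_bytes(32)
    return [[{**row, column: mask_first_name(row[column], key)} for row in rows]
            for rows in sources]


class TokenVault:
    """Reversible tokenization: a record is kept of the token for each value."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value):
        if value not in self._token_for:
            token = "TOK-" + secrets.token_hex(8)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token):
        # Anyone who can read the vault can do this, which is why tokenized
        # data is only as secure as the token database.
        return self._value_for[token]


if __name__ == "__main__":
    masked_claimants, masked_employees = mask_sources([CLAIMANTS, EMPLOYEES],
                                                      "first_name")
    print(masked_claimants)
    print(masked_employees)
    vault = TokenVault()
    token = vault.tokenize("George")
    print(token, "->", vault.detokenize(token))
```

If the masking key were stored so that later jobs stay consistent with earlier ones, it would have to be protected like the token vault, since it then plays the role of the separately kept additional information in the Article 4 definition of pseudonymisation.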

In order to control and yet to facilitate the copying and distribution of data for non-production purposes, the Delphix Dynamic Data Platform collects a copy of production data and then keeps it in sync as changes occur. Using this synchronized copy, it creates complete and current virtual copies of the masked data on demand. This ensures full control over all non-production data; and, since there is only a single real copy of this data, it significantly reduces the potential attack surface. It also provides control and governance through a complete record of where any virtual copies reside and who can access them. These virtual copies could be on-premises, with partners or in cloud services. This is illustrated in Figure 2.

The Delphix Dynamic Platform also includes controls over the access to data and operations that individuals can perform.

This platform provides an organization with a choice when it comes to the use of personal data for non-production purposes. It can use masking to anonymize the personal data and hence remove it from the scope of GDPR. Alternatively, if it chooses to retain the personal data in a form which is subject to GDPR, it provides the means to implement and demonstrate controls.

The Delphix Dynamic Data Platform can reduce the costs and risks associated with the use of personal data for non-production purposes when GDPR comes into force.

5 Recommendations

GDPR will come into force in May 2018; organizations need to take steps now to ensure compliance. These should include a review of the maturity of their organizational readiness including consideration of their use of PII for non-production purposes.

The use of PII for non-production processes should be strictly controlled and where possible this data should be anonymized.

Many organizations are using personal data for non-production purposes such as development and test. GDPR defines personal data and processing in such broad terms that, when GDPR comes into force in May 2018, non-production use of this data will fall within its scope. Therefore, organizations need to take steps immediately to manage the risks of non-compliance. These steps should include ensuring that their policies, processes and technologies are updated to cover the wide scope of personal data and processing as defined in this regulation.

KuppingerCole strongly recommends regular reviews of the current state of IT projects and programs. This includes the review for maturity in the areas of compliance with regulatory or industry-specific regulations or frameworks. The KuppingerCole Maturity Level Matrixes for GDPR readiness [4] report provides support for such a review.

The policies, processes and technologies that are relevant to GDPR are wide ranging. As well as covering normal production use of personal data, these should also cover its non-production use. The recommendations include:
- Discover all the personal data that is in use within the organization including that used for non-production purposes.
- Classify personal data in a way that takes account of its sensitivity to allow its use to be controlled in accordance with GDPR.
- Implement controls over the personal data lifecycle covering how it is used and distributed within the organization, to partners and into cloud services.
- Implement data protection by design and default for personal data used for non-production purposes. Ideally personal data used for non-production purposes should be anonymized.
- Where personal data cannot be anonymized, implement controls to meet all the requirements of GDPR. To demonstrate compliance, controls should provide evidence of why personal data is collected, where it flows, how it is used and when it is erased.
- Contracts with partners and suppliers holding or processing PII should be reviewed to take account of GDPR requirements.
- Where personal data is used for non-production purposes, technology such as that provided by Delphix Dynamic Data Platform, to support the implementation of these controls is essential to reduce the costs and risks associated with compliance.

[4] Advisory Note: Maturity Level Matrix for GDPR Readiness

6 Copyright

© 2017 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global Analyst Company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com

Kuppinger Cole Ltd. Sonnenberger Strasse Wiesbaden Germany Phone +49 (211) Fax +49 (211)


More information

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant General Data Protection Regulation: Knowing your data Title Prepared by: Paul Barks, Managing Consultant Table of Contents 1. Introduction... 3 2. The challenge... 4 3. Data mapping... 7 4. Conclusion...

More information

Processing Cyber Threat Data Through the GDPR Regulatory Lens: for Operational Compliance with GDPR

Processing Cyber Threat Data Through the GDPR Regulatory Lens: for Operational Compliance with GDPR Processing Cyber Threat Data Through the GDPR Regulatory Lens: for Operational Compliance with GDPR and Improved Privacy Risk Management John Sabo, CISSP Chair OASIS IDTrust Member Section Chair, OASIS

More information

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE A WAY TO STRENGTHEN DATA PRIVACY The General Data Protection Regulation is a unified framework of data privacy rules, accepted by the WHAT IS THE GDPR? European

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

Data Management and Security in the GDPR Era

Data Management and Security in the GDPR Era Data Management and Security in the GDPR Era Franck Hourdin; Vice President, EMEA Security Russ Lowenthal; Director, Database Security Product Management Mike Turner; Chief Operating Officer, Capgemini

More information

Accelerate GDPR compliance with the Microsoft Cloud

Accelerate GDPR compliance with the Microsoft Cloud Regional Forum on Cybersecurity in the Era of Emerging Technologies & the Second Meeting of the Successful Administrative Practices -2017 Cairo, Egypt 28-29 November 2017 Accelerate GDPR compliance with

More information

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal What is GDPR? GDPR (General Data Protection Regulation) is Europe s new privacy law. Adopted in April 2016, it replaces the 1995 Data Protection Directive and marks the biggest change in data protection

More information

DATA PROTECTION POLICY THE HOLST GROUP

DATA PROTECTION POLICY THE HOLST GROUP DATA PROTECTION POLICY THE HOLST GROUP INTRODUCTION The purpose of this document is to provide a concise policy regarding the data protection obligations of The Holst Group. The Holst Group is a data controller

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY Introduction The purpose of this document is to provide a concise policy regarding the data protection obligations of Youth Work Ireland. Youth Work Ireland is a data controller

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

How the GDPR will impact your software delivery processes

How the GDPR will impact your software delivery processes How the GDPR will impact your software delivery processes About Redgate 230 17 202,000 2m Redgaters and counting years old customers SQL Server Central and Simple Talk users 91% of the Fortune 100 use

More information

Motorola Mobility Binding Corporate Rules (BCRs)

Motorola Mobility Binding Corporate Rules (BCRs) Motorola Mobility Binding Corporate Rules (BCRs) Introduction These Binding Privacy Rules ( Rules ) explain how the Motorola Mobility group ( Motorola Mobility ) respects the privacy rights of its customers,

More information

Magento GDPR Frequently Asked Questions

Magento GDPR Frequently Asked Questions Magento GDPR Frequently Asked Questions Whom does GDPR impact? Does this only impact European Union (EU) based companies? The new regulation provides rules that govern how companies may collect and handle

More information

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1 Catalent, Inc. Privacy Policy, effective May 25, 2018 1. This Policy This Privacy Policy (this Policy ) is issued by Catalent, Inc. on behalf of itself and its domestic and international subsidiaries and

More information

Our agenda. The basics

Our agenda. The basics GDPR - AVG - RGPD. Our agenda The basics Key actions Responsibilities The basics Key actions Responsibilities Who cares? Why? From directive to regulation 24 Oct 1995: a Directive 95/46/EC is adopted partially

More information

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms: Last updated: 20/04/2018 Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of VITO (Vlakwa). The

More information

Contract Services Europe

Contract Services Europe Contract Services Europe Procedure for Handling of Page 1 of 10 1. INTRODUCTION This procedure document supplements the data request and subject access request (SAR) provisions set out in DPS Contract

More information

What is GDPR? https://www.eugdpr.org/ Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

What is GDPR? https://www.eugdpr.org/ Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000 GDPR: The basics What is GDPR? The EU General Data Protection Regulation (GDPR) is the biggest European shake-up of data protection in a generation. It s the culmination of two decades of experience of

More information

General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR) BCD Travel s Response to the EU General Data Protection Regulation (GDPR) November 2017 Page 1 Response to the EU GDPR Copyright 2017 by BCD Travel N.V. All rights reserved. November 2017 Copyright 2017

More information

The GDPR Are you ready?

The GDPR Are you ready? The GDPR Are you ready? kpmg.ie The GDPR - Overview The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into force from 25th May 2018, replacing the existing data protection

More information

the processing of personal data relating to him or her.

the processing of personal data relating to him or her. Privacy Policy We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the Hotel & Pensionat Björkelund. The use of

More information

Google Cloud & the General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR) Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to

More information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information Privacy Statement Introduction Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information about how IT Support (UK) Ltd handle personal information.

More information

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

How icims Supports. Your Readiness for the European Union General Data Protection Regulation How icims Supports Your Readiness for the European Union General Data Protection Regulation The GDPR is the EU s next generation of data protection law. Aiming to strengthen the security and protection

More information

A practical guide to using ScheduleOnce in a GDPR compliant manner

A practical guide to using ScheduleOnce in a GDPR compliant manner A practical guide to using ScheduleOnce in a GDPR compliant manner Table of Contents Glossary 2 Background What does the GDPR mean for ScheduleOnce users? Lawful basis for processing Inbound scheduling

More information

Privacy Policy Hafliger Films SpA

Privacy Policy Hafliger Films SpA Hafliger Films SpA, with registered office at Via B. Buozzi no. 14-20089 Rozzano (MI), has for many years considered it of fundamental importance to protect the personal details of customers and suppliers,

More information

All you need to know and do to comply with the EU General Data Protection Regulation

All you need to know and do to comply with the EU General Data Protection Regulation All you need to know and do to comply with the EU General Data Protection Regulation Table of contents Introduction... 3 Challenges, requirements, and action plans GDPR is borderless... Broadened personal

More information

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know The General Data Protection Regulation (GDPR) The eprivacy Regulation (epr) The Network and Information Security Directive

More information

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017

Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017 Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World September 20, 2017 The information and opinions expressed by our panelists today are their own, and do not necessarily represent the views of

More information

GENERAL DATA PROTECTION REGULATION (GDPR)

GENERAL DATA PROTECTION REGULATION (GDPR) GENERAL DATA PROTECTION REGULATION (GDPR) Date: 01/02/17 Vendor Assessment Contents Introduction 2 Transparency 2 Collection and Purpose Limitation 4 Quality 4 Privacy Program Management 5 Security for

More information

Data Governance for GDPR Compliance: Principles, Processes, and Practices

Data Governance for GDPR Compliance: Principles, Processes, and Practices Data Governance for GDPR Compliance: Principles, Processes, and Practices 2 Table of contents 01 What is data governance 02 03 04 GDPR data governance implications Building blocks of a data governance

More information

EY s data privacy service offering

EY s data privacy service offering EY s data privacy service offering How to transform your data privacy capabilities for an EU General Data Protection Regulation (GDPR) world Introduction Data privacy encompasses the rights and obligations

More information

Emsi Privacy Shield Policy

Emsi Privacy Shield Policy Emsi Privacy Shield Policy Scope The Emsi Privacy Shield Policy ( Policy ) applies to the collection and processing of Personal Data that Emsi obtains from Data Subjects located in the European Union (

More information

The isalon GDPR Guide Helping you understand and prepare for the legislation

The isalon GDPR Guide Helping you understand and prepare for the legislation The isalon GDPR Guide Helping you understand and prepare for the legislation 01522 887200 isalonsoftware.co.uk Read our guide today to help you plan for the new legislation.. The General Data Protection

More information

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant. GDPR and BMC Clubs Lawful basis for Processing Personal Data This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

More information

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd GDPR Processor Security Controls GDPR Toolkit Version 1 Datagator Ltd Implementation Guidance (The header page and this section must be removed from final version of the document) Purpose of this document

More information

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE 2016 Saviour Cachia Commissioner for Information and Data Protection Conception of DPA Council of Europe ETS 108 Convention on the protection of

More information

Emergency Compliance DG Special Case DAMA INDIANA

Emergency Compliance DG Special Case DAMA INDIANA 1 Emergency Compliance DG Special Case DAMA INDIANA Agenda 2 Overview of full-blown data governance (DG) program Emergency compliance with a specific regulation We'll use GDPR as an example What is GDPR

More information

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services. Privacy Policy It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services. The use of our Website is possible without any indication of your

More information

Privacy policy NTI AG

Privacy policy NTI AG Privacy policy NTI AG NTI AG / LinMot Dok-Nr. Privacy Policy_NTI_AG_180607 Content 1 Privacy policy... 3 2 Who are we?... 3 3 What is Personal Information?... 3 4 What Personal Information does NTI AG

More information

Overview of Akamai s Personal Data Processing Activities and Role

Overview of Akamai s Personal Data Processing Activities and Role Overview of Akamai s Personal Data Processing Activities and Role Last Updated: April 2018 This document is maintained by the Akamai Global Data Protection Office 1 Introduction Akamai is a global leader

More information

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Blue Alligator Company Privacy Notice (Last updated 21 May 2018) Who are we? Blue Alligator Company Limited (hereafter referred to as BAC ) is a company incorporated in England with company registration

More information

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Privacy Policy CARGOWAYS Logistik & Transport GmbH Privacy Policy CARGOWAYS Logistik & Transport GmbH We are very delighted that you have shown interest in our enterprise. Data protection is of a particularly high priority for the management of the CARGOWAYS

More information

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE PREPARATION FOR GDPR IS ESSENTIAL The EU GDPR imposes interrelated obligations for organizations handling

More information

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018

PRIVACY COMMITMENT. Information We Collect and How We Use It. Effective Date: July 2, 2018 Effective Date: July 2, 2018 PRIVACY COMMITMENT Protecting your privacy is very important to Prosci and this privacy policy is our way of providing you with details about the types of information we collect

More information

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security Panda Security Compliance of Panda Products with General Data Protection Regulation (GDPR) 1 Contents 1.1. SCOPE OF THIS DOCUMENT... 3 1.2. GENERAL DATA PROTECTION REGULATION: OBJECTIVES... 3 1.3. STORED

More information

SCHOOL SUPPLIERS. What schools should be asking!

SCHOOL SUPPLIERS. What schools should be asking! SCHOOL SUPPLIERS What schools should be asking! Page:1 School supplier compliance The General Data Protection Regulation (GDPR) comes into force on 25 May 2018 and will be applied into UK law via the updated

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Introduction Stewart Watt & Co. is law firm and provides legal advice and assistance to its clients. It is regulated by the Law Society of Scotland. The personal data that Stewart

More information

The types of personal information we collect and hold

The types of personal information we collect and hold Privacy Policy Modified 22 October, 2018 Our privacy obligations Matriks IT takes privacy seriously and cares about personal information. 'Personal information' means information or an opinion about an

More information

EventLog Analyzer. All you need to know and do to comply with the EU General Data Protection Regulation

EventLog Analyzer. All you need to know and do to comply with the EU General Data Protection Regulation EventLog Analyzer All you need to know and do to comply with the EU General Data Protection Regulation Table of contents Introduction... 2 Challenges, requirements, and action plans GDPR is borderless...

More information

GDPR compliance: some basics & practical to do list

GDPR compliance: some basics & practical to do list GDPR compliance: some basics & practical to do list Philippe LAURENT independent full service business law firm located in Brussels May 2017 Personal data processing = any operation or set of operations

More information

Recommendations on How to Tackle the D in GDPR. White Paper

Recommendations on How to Tackle the D in GDPR. White Paper Recommendations on How to Tackle the D in GDPR White Paper ABOUT INFORMATICA Digital transformation changes expectations: better service, faster delivery, with less cost. Businesses must transform to stay

More information

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy DEPARTMENT OF JUSTICE AND EQUALITY Data Protection Policy May 2018 Contents Page 1. Introduction 3 2. Scope 3 3. Data Protection Principles 4 4. GDPR - Rights of data subjects 6 5. Responsibilities of

More information

Cybersecurity Considerations for GDPR

Cybersecurity Considerations for GDPR Cybersecurity Considerations for GDPR What is the GDPR? The General Data Protection Regulation (GDPR) is a brand new legislation containing updated requirements for how personal data of European Union

More information

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT Guidelines and Frequently Asked Questions About NETSCOUT NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) assures digital business services against disruptions

More information

GDPR: A technical perspective from Arkivum

GDPR: A technical perspective from Arkivum GDPR: A technical perspective from Arkivum Under the GDPR, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection

More information

Wonde may collect personal information directly from You when You:

Wonde may collect personal information directly from You when You: Privacy Policy Updated: 17th April 2018 1. Scope At Wonde, we take privacy very seriously. We ve updated our privacy policy ( Policy ) to ensure that we communicate to You, in the clearest way possible,

More information

Data Protection Policy

Data Protection Policy Introduction In order to; provide education, training, assessment and qualifications to its customers and clients, promote its services, maintain its own accounts and records and support and manage its

More information

EU General Data Protection Regulation (GDPR) Achieving compliance

EU General Data Protection Regulation (GDPR) Achieving compliance EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,

More information

Prohire Software Systems Limited ("Prohire")

Prohire Software Systems Limited (Prohire) Prohire Software Systems Limited ("Prohire") White paper on Prohire GDPR compliance measures 11 th May 2018 Contents 1. Overview 2. Legal Background 3. How Prohire complies 4. Wedlake Bell 5. Conclusion

More information

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland. PRIVACY STATEMENT +41 (0) 225349799 www.energymarketprice.com Rue du Rhone 5 1921, Martigny, Switzerland dpo@energymarketprice.com Introduction Your privacy and trust are important to us and this Privacy

More information

UWC International Data Protection Policy

UWC International Data Protection Policy UWC International Data Protection Policy 1. Introduction This policy sets out UWC International s organisational approach to data protection. UWC International is committed to protecting the privacy of

More information

Oracle Data Masking and Subsetting

Oracle Data Masking and Subsetting Oracle Data Masking and Subsetting Frequently Asked Questions (FAQ) S E P T E M B E R 2 0 1 6 Product Overview Q: What is Data Masking and Subsetting? A: Data Masking or Static Data Masking is the process

More information

Element Finance Solutions Ltd Data Protection Policy

Element Finance Solutions Ltd Data Protection Policy Element Finance Solutions Ltd Data Protection Policy CONTENTS Section Title 1 Introduction 2 Why this Policy Exists 3 Data Protection Law 4 Responsibilities 5 6 7 8 9 10 Data Protection Impact Assessments

More information

Information leaflet about processing of personal data (

Information leaflet about processing of personal data ( Information leaflet about processing of personal data (www.magyarfoldgazkereskedo.hu) In accordance with articles 13 and 14 of the regulation (EU) 2016/679 OF the European Parliament and of the Council

More information

EXECUTIVE VIEW. One Identity SafeGuard 2.0. KuppingerCole Report

EXECUTIVE VIEW. One Identity SafeGuard 2.0. KuppingerCole Report KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger August 2017 One Identity SafeGuard 2.0 One Identity SafeGuard 2.0 is a re-architected, modular solution for Privilege Management, supporting both

More information

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud

A Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,

More information

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος Providing clarity and consistency for the protection of personal data The General

More information

The Simple Guide to GDPR Data Protection: Considerations for and File Sharing

The Simple Guide to GDPR Data Protection: Considerations for  and File Sharing The Simple Guide to GDPR Data Protection: Considerations for Email and File Sharing The European Union s General Data Protection Regulation (GDPR) Uncovering Key Requirements and Methods for Compliance

More information

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS MEET THE EXPERTS DAVID O LEARY Director, Forsythe Security Solutions THOMAS ECK Director, Forsythe Security Solutions ALEX HANWAY Product

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

EIT Health UK-Ireland Privacy Policy

EIT Health UK-Ireland Privacy Policy EIT Health UK-Ireland Privacy Policy This policy describes how EIT Health UK-Ireland uses your personal information, how we protect your privacy, and your rights regarding your information. We promise

More information

Data Subject Requests Procedure

Data Subject Requests Procedure Subject Requests Procedure Subject Requests Procedures Issued By: Legal Effective Date: Review Date:.0 Contents 1. Introduction... 3 2. Purpose... 3 3. Responsibilities... 3 3.1 All Staff and Volunteers...

More information

GDPR is here to stay. How prepared are you?

GDPR is here to stay. How prepared are you? GDPR is here to stay. How prepared are you? KEY TENETS What & Why GDPR? A BRIEF General Data Protection Regulation (GDPR) is the European Union s new law for individuals data privacy & protection that

More information

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3 Privacy Notice For ad-hoc CAWI (without target list) V1.0 June 4, 2018 Contents 1 About GfK and the Survey... 2 2 What are personal data?... 2 3 Use of personal data... 2 4 How we share personal data...

More information