GDPR - it’s a new buzzword we keep hearing nowadays. While it was initially addressed towards big players like Facebook, Google and LinkedIn - it also affects small businesses. If you’ve had the chance to check the requirements and penalties for noncompliance then you’ll likely understand where all the hype is coming from. The difficulty lies in the fact that if you have at least one client from the EU, you automatically fall under GDPR requirements.
While heavy fines and checks against small businesses are not expected right away, they may occur in the near future as the GDPR legislation grows in maturity and the various executive bodies become more comfortable with the new regulation.
If your system has design flaws or is otherwise not prepared for the rigid GDPR requirements, this can be cause for concern. However, when it is designed with the right architecture, a modular approach, a well-known and transparent data flow, and a little common sense, the seemingly daunting task of compliance looks a lot less imposing. The requirements in fact boil down to the following essentials:
- Deployment to a GDPR compliant cloud;
- Passing of a security test like OWASP or NCSC;
- Compiling a couple of PI (Personally Identifiable information) handling policy documents;
- Updating of your privacy policy;
- Completion of a simple form to allow ‘right to be forgotten’ requests processing.
Practices we've used here at CloudGeometry for some time now have been designed around these techniques, and they have made it a straightforward matter to build compliance into the solutions we create for our customers from the get-go.
Based on the experience of doing it for quite a few clients, we’ve created a checklist which explains how we comply with each key requirement.
Checklist
Data
- Your company has a list of all the types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it.
- Your company has a list of places where it keeps personal information and the ways data flows between them.
All of our projects go through a well-established onboarding pipeline with a known set of artifacts. We define and document domain and data model, storage, data flow and lifecycle from the early stages of the project.
All data that could be categorized as PI is modeled to be stored separately, so we avoid scattering it across pipelines and storage.
We use storage with the capability of data encryption and deploy only on secure infrastructure.
We prefer HA clusters, so we avoid issues with cold storage and backups.
Reference:
- GDPR Article 30 — Records of processing activities
Accountability & Management
- Create awareness among decision makers about GDPR guidelines
- Train staff to be aware of data protection
We’re familiar enough with GDPR to say that currently this is only the initial phase and that changes will soon follow.
While many vendors say that they are GDPR certified, there is no known certification or recommended vendors list issued by the regulator.
Our core team members passed EU GDPR Foundation Training, which is probably the best option to raise GDPR awareness.
We can help your employees pass EU GDPR F and EU GDPR P, or CIPP/E, and become a DPO.
We will consult your stakeholders on GDPR and guide you through the process. The main focus of GDPR is about how you treat PI, and we at CloudGeometry are prepared to walk you through the process.
Reference:
- GDPR Article 25 — Data protection by design and by default
- GDPR Article 37 — Designation of the data protection officer
Make sure your technical security is up to date
Maintaining data security is one of the key points in preventing PI leaks, which under GDPR must be reported to both the client and the authorities.
Our CI/CD pipelines have built-in OWASP checks that guarantee early detection of security issues.
Reference:
- GDPR Article 25 — Data protection by design and by default
You have a list of sub-processors and your privacy policy mentions your use of these sub-processors
Over the years we've built a list of trusted third-party providers for many additional functions such as SMS verification, identity and document verification, eSignature, etc.
Reference:
- GDPR Article 28 — Processor
You report data breaches involving personal data to the local authorities and to the people (data subjects) involved
Any personal data breaches should be reported within 72 hours to the local authorities, including what data has been lost, what the consequences are and what countermeasures have been taken. Unless the data leaked was encrypted, you should also report the breach to the person (data subject) whose data you lost.
We encrypt data stores (the file system is also encrypted) and use a VPC with a bastion host and VPN, a WAF, and other techniques to guarantee the safety of any data, including PI.
Reference:
- GDPR Article 33 — Notification of a personal data breach to the supervisory authority
- GDPR Article 34 — Communication of a personal data breach to the data subject
Customer Rights
- Your customers can easily request access to their personal information
- Your customers can easily update their own personal information to keep it accurate
- Your customers can easily request deletion of their personal data
- Your customers can easily request that you stop processing their data
- Your customers can easily request that their data be delivered to themselves or a 3rd party
- Your customers can easily object to profiling or automated decision making that could impact them
This part is generally known as the 'right to be forgotten' and may be an issue if user data is scattered across the system. We always cluster PI in one place to make this easier.
We've also made a simple form for such requests that can be integrated with a helpdesk or task-tracking system and processed manually or automatically, depending on the situation.
Reference:
- GDPR Article 15 — Right of access by the data subject
- GDPR Article 16 — Right to rectification
- GDPR Article 17 — Right to erasure (‘right to be forgotten’)
- GDPR Article 18 — Right to restriction of processing
- GDPR Article 20 — Right to data portability
- GDPR Article 22 — Automated individual decision-making, including profiling
You automatically delete data that your business no longer has any use for
All systems we've built have a well-defined data life cycle and an archive/cleanup procedure. Data is removed automatically when it's no longer required.
Reference:
- GDPR Article 5 — Principles relating to processing of personal data
Special Cases
You should only transfer data outside of the EU to countries that offer an appropriate level of protection
We use only proven infrastructure providers, like AWS, that have data centers across the globe. Any data transfers, such as cross-data-center replication, are secured and encrypted.
Reference:
- GDPR Article 45 — Transfers on the basis of an adequacy decision