The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. This regulation provides individuals (EU citizens) far more privacy, control, and protection of personal information. One aspect of GDPR driving lots of attention is the significant penalties for non-compliance – up to $23M or 4% of worldwide corporate revenue from the prior year, whichever is higher. And a misconception about GDPR is that this only applies to companies operating in the EU – it does not. Any company providing goods or services to a citizen of the EU or that gathers data on citizens of the EU must comply with the regulation or face these potential penalties.
A few GDPR introductory things to know:
- Personal data includes any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data.
- A Data Processor is an entity which processes personal data on behalf of the controller.
Most IBM clients act in the role of a Data Controller or Data Processor.
With GDPR, Data Subjects have a right to know what data is being kept about them, who this is shared with, and to request corrections or removal of their personal information. For more complete information on GDPR please see – the GDPR portal.
As companies have prepared for GDPR in their roles as Data Controller or Data Processor, a large focus has been on the security and processes managing the personal data in the various data stores (e.g. databases) that contain this type of information. Clearly, security around data stores is a critical aspect in meeting the GDPR regulation.
However, this is not sufficient. Data moves!
Many businesses have struggled over the years to obtain a single view of a customer. Why is this? Because multiple applications manage or contain parts of customer data – often duplicated across applications. With GDPR, gaining control over customer data is mandatory. The customer has the right to request incorrect data be corrected or removed from your company’s systems. This means everywhere. So, ensuring that the data is updated in all locations is critical and requires integration to resolve.
IBM App Connect enables organizations to achieve and maintain a single, accurate view of their data across all applications and systems, on-premise and in the cloud. If a data subject wants to view, update or delete their personal information, the data controller can quickly provide an accurate view or update of records across all platforms. App Connect’s extensive connectivity to any system or data, from SaaS applications to custom backend systems, enables data controllers to achieve this single view of their data across all their systems, removing the chance of data silos developing. Secure connectivity between cloud and on-premise applications ensures the protection of data in transit.
Messages protected by MQ Advanced/Appliance using end to end encryption are always encrypted between application endpoints ensuring that data is protected in transit and at rest, no matter how large and complex the network the data is shared over. Logging of data that moves through MQ is a standard feature, and protected data movement can be logged to track this movement. These logs can then be processed internally or shared to external services to demonstrate GDPR compliance. Many competitive messaging products. while encrypting data in transit, rely on disk encryption to protect data at rest. But, anyone with access to the disk has access to the data – a far less secure solution.
Do you move personal data in files? All data that is moved with Aspera (any of the on-premise products, SaaS offerings, or IBM products that integrate Aspera) is encrypted end-to-end over the wire and optionally at rest to protect personal information.
GDPR and the API Economy
One aspect of GDPR says that if you have shared personal information with other parties, then you need to be able to provide a list of who you have shared it with and drive these other companies to remove this data from their systems if requested to do so by the Data Subject. In a scenario where an EU customer opts in to being marketed to by a company’s partners, the company may share personal information (e.g. an e-mail address) via API with these partners. Many other scenarios (such as social media) may also use APIs to gather or process personal information.
IBM API Connect supports best practices around this type of scenario by enabling standard API templates implementing audit records for which partners have obtained the personal information. Notification APIs can be supplied to the partners if the information needs to be corrected or removed. The API Connect gateway (DataPower) securely transports data including data from external identity systems, delivered on a highly secure platform architecture.
IBM API Connect also supports rapid creation of Microservices which can be executed as part of the API invocation scenario to add new business logic required by GDPR.
As part of a GDPR solution businesses need to provide a UI for the Data Subject to view or request updates or deletion of their data. UI interactions with Systems of Record via APIs and Microservices is a rapid/frictionless approach to implementing the new required capabilities.
As your business focuses on GDPR compliance, do not simply look to secure the locations where data is stored. Data movement, sharing, and the processes around this are critical to compliance. IBM hybrid cloud integration product capabilities along with best practices can help your business meet the GDPR regulations.
To understand more about IBM’s thoughts on the API Economy visit the IBM API Economy website. IBM API Connect is IBM’s complete foundation to Create, Run, Manage, and Secure APIs. You can find more information about IBM API Connect at the API Connect website. And you can also experience a trial version of API Connect.
If you have questions, please let me know. Connect with me through comments here or via twitter @Arglick to continue the discussion.