Ready or not, General Data Protection Regulation (GDPR) is here. EU citizens now have far more control over their personal data thanks to these sweeping limits on their data’s storage, sharing and use. But don’t think this is just an EU thing. It applies to anyone offering goods or services to consumers or businesses in the EU— essentially every major corporation in the world.
And compliance does not end at the boundaries of your enterprise. Even after your customer data moves to third parties, from public cloud providers to email service providers, you still bear ultimate responsibility for its safekeeping.
With regulations of this magnitude, businesses generally fall into into three categories:
- Those taking rigorous action to comply fully and on time
- Those sticking their heads in the sand
- Those who tell themselves they’ve checked all the boxes, without looking under the hood
If you are a data “controller”—the company that owns the data and is ultimately responsible for GDPR compliance—you probably have one or more “processors” to whom you delegate data and/or processing responsibilities. These processors have probably shared lots of documentation demonstrating their GDPR compliance capabilities. However, it’s important to ensure this documentation matches what’s actually under the processor’s hood — from complete audit trails to data erasure, no matter where your data might end up in their infrastructure. To help you do so, here are five tough questions every data controller should ask their data processors.
1. Has the processor provided a detailed map showing how personal data is handled everywhere in the processor’s extended infrastructure?
If the processor’s map looks just like everyone else’s, that is not a good sign. The map should be extensive, highly specific and include things beyond the obvious. For example, it should show how the processor governs test data used in building reports on your behalf, or exactly how your data is isolated from that of their other customers.
2. Can the processor demonstrate that your data remains safe even when it passes into the hands of your processor’s own sub-processors—i.e. public cloud providers your processor relies on?
Inevitably, your processors will have their own third-party processors. It is not enough for your processor to say, “Don’t worry, our public cloud warehouse is GDPR-compliant.” Out-of-the-box GDPR compliance tools are a good place to begin, but in no way guarantee compliance for your data. Ensure the processor is taking all steps required to secure your unique data and use case.
3. Can the processor demonstrate compliance with GDPR’s data portability and fine-grained data erasure requirements?
Data erasure — the right for customers to be forgotten — and data portability are probably the two most stringent and technically challenging aspects of GDPR. Compliance is not just about moving or erasing rows of data in a single database. Data inevitably moves throughout the processor’s infrastructure, and that means capabilities to support erasure and portability must also extend to every touch-point. Have the processor walk you through the ways they address the challenge for each and every one of those touch-points.
4. Can the processor provide comprehensive audit trails that include every transaction involving personal data, wherever it ends up in their extended infrastructure?
It is not enough for the processor to handle personal data properly. They must be able to prove they have with comprehensive audit trails. This means reliably demonstrating exactly who is accessing what data—and when and how they access it. Ask processors to show that they can log every transaction—and make sure audit data is stored in a tier that is even more secure than the rest of the processor’s infrastructure, so it is not accidentally deleted.
5. Can the processor demonstrate that its own third-party processors are not accidentally receiving personal data?
Just as the processor must track and audit data wherever it moves through its own infrastructure as well as their own third-party processors, they must be able to show that your data cannot accidentally flow to those sub-processors. Proving that you did not do something wrong is just as, or even harder, to demonstrate than that you did everything right. Ask your processors to show you how they are meeting this requirement.
With the advent of GDPR, a great deal is at stake. Don’t just let processors tick the boxes for you. We hope these questions reveal why it is vital that you perform your own due diligence. After all, any failure on their part could ultimately fall on your shoulders.
About the Author
Nitay Joffe is the co-founder and CTO of ActionIQ, an enterprise customer data platform transforming the way companies leverage their customer data to provide highly personalized experiences. Prior to ActionIQ, Nitay was an instrumental engineer in Facebook’s data infrastructure initiatives, and a core contributor to open source projects HBase and Giraph. With Facebook, Powerset, and Google on his resume, Nitay has applied his expertise to elevating the big data landscape for companies revolutionizing the space. Nitay co-founded ActionIQ to explore his passion for innovation in databases, distributed systems, and big data.
Sign up for the free insideBIGDATA newsletter.
Speak Your Mind