The new European General Data Protection Regulation 2016/679 (GDPR) governs the protection and movement of personal data pertaining to EU citizens. Its impact can be felt across an entire organization, from employee practices and behaviors to contractual obligations with third parties and communication with the regulators.
Technology plays a key role as information governance and personal data security affect the whole architecture stack. This spans the underlying technology infrastructure to employees’ mobile devices.
The GDPR is based on six fundamental principles, under which personal information must be:
1. Processed fairly and lawfully
2. Collected and processed for specific, explicit, and legitimate purposes
3. Adequate, relevant, and not excessive
4. Accurate and up-to-date
5. Kept in identifiable form, no longer than necessary
6. Kept secure
While most EU countries already have data protection regulations, the GDPR unifies these disparate, local initiatives in a consolidated set of rules. As a result, organizations have to rethink their approach to managing personal information, which the regulation refers to as “Data Privacy by Design.”
Of the cloud vs. in the cloud
Security of information is an important aspect of data protection concerning several different layers of an IT architecture. As the GDPR becomes enforceable in May of 2018, all AWS services will comply with the regulation.
However, the AWS Shared Responsibility Model lays a clear foundation for differentiating between the responsibilities of Amazon and those of its customers when evaluating the security of a cloud solution. It is important for customers to understand and distinguish between the following:
• Security measures that AWS implements and operates pertain to the security of the cloud.
• Security measures that customers implement and operate, including the security of their customer content and applications running on AWS, pertain to security in the cloud.
Fig 1. AWS Shared Responsibility Model
Any personal data your organization decides to store or process using AWS services will be protected and secured while in the AWS Cloud. However, AWS cannot influence which personal data you are processing, how you are processing it, whether you have the authority to manage it, which users or third parties have access, your desired retention time, or how you report it to the regulators. This is where Alfresco’s GDPR Framework can complement AWS security, by completing the top layer of the Shared Responsibility Model.
Operationalizing GDPR Compliance
Alfresco’s Digital Business Platform framework for the GDPR allows organizations to address over 20 different Articles of the regulation, with a single investment. Some of the guiding principles permit organizations to:
• Build an asset register of GDPR-sensitive information, both within and outside the repository
• Automatically set GDPR-related metadata covering sensitivity, regional restrictions, consent-status, and more
• Track legal bases and explicit consents for data processing, including easy search and reporting, for complete transparency
• Identify new or existing personal information across a range of locations and formats
• Ensure all information subject to the GDPR is identified, categorized, and monitored
• Restrict access only to users with legitimate justification for processing information
• Apply security controls and manage GDPR content for the complete lifecycle (from acquisition and processing to disposition)
• Automate the disposition of expired information or information that no longer has legal basis for processing
• Respond to subject requests of different types (e.g. access, consent withdrawal, erasure, rectification, portability)
• Manage time-sensitive processes such as breach notifications and impact assessments
• Provide complete auditability and transparency with full audit trails and documented processes
• Manage the complete lifecycle of internal policies, including authoring, review, approval, and certification
As the implementation deadline approaches, companies need to identify any personal information they hold, determine what controls apply and who is responsible. Effective information governance and business processes are essential to managing risk, and to meeting the regulation’s requirement for “Data Privacy by Design.”
Alfresco’s Digital Business Platform for AWS provides the framework of capabilities required to establish an ongoing GDPR program, while complementing AWS’s security and data protection features. It provides the ongoing security, automation, monitoring, and reporting functionality that data protection officers need to establish and maintain GDPR compliant practices across the enterprise.
For a more detailed discussion of your GDPR requirements, and a review of how Alfresco’s Digital Business Platform complements AWS services for GDPR, please contact George Parapadakis, firstname.lastname@example.org, Alfresco’s Director of Business Solutions Strategy.