GDPR: What is it all about?
The European Union’s General Data Protection Regulation (GDPR) officially comes into effect on May 25, 2018. The compliance deadline which was a long time coming is now only 1 short week away, and even in the final days, the affected portion of the business world has been buzzing with activities on the topic, aiming to fully understand and comply with this expansive new regulation. It’s no surprise, as the GDPR touches any and all organizations that are established in the EU and/or are processing personal data of EU-based individuals. It aims to standardize the framework for handling personal data, bringing new requirements for organizations and new rights for individuals.
To put it simply, the GDPR is about changing our collective, overall mindset about data privacy – what it is, who it belongs to, who is accountable for it, and what are the general requirements for dealing with it, plus the potential consequences for not dealing with it appropriately. The GDPR builds upon the 1995 EU Data Protection Directive, aiming to enhance that with the rapid technological expansion and change since then. It expressly introduces several new principles and concepts, ultimately aiming to motivate organizations to take more responsibility for protecting the personal data they handle.
ReconArt and GDPR
While every organization’s path to complying with GDPR is likely to be different (driven by factors like company size, type and amount of data it processes, current security and privacy measures, etc.), all relevant parties have specific responsibilities to analyze, implement, and maintain as part of GDPR compliance.
The ReconArt team has committed focus and resources on understanding GDPR requirements, assigning a dedicated team with Legal and Technical expertise to make the solution and all applicable processes compliant and ensure Client data is protected in accordance with the ISO27001 standard and GDPR requirements.
Best practices and efforts in security and data privacy have always been a top priority at ReconArt. As an ISO27001 certified organization, ReconArt already follows some of the most widely accepted security and privacy standards and regulations in the world. According to “IAPP-OneTrust Research: Bridging ISO 27001 to GDPR”, there is significant overlap between ISO27001 and GDPR because, at their core, they both aim at “reducing risk to people and organizations caused by misuse of personal data”, and thus “ISO 27001-certified organizations are well positioned to respond to many GDPR priorities”, especially in the areas of breach notification, vendor management, recordkeeping, privacy by design, and data subject rights.
ReconArt rolled out a GDPR compliance strategy for our worldwide operations with primary focus on our operations and Clients in European Union. Below are some of the specific initiatives that took place in order to ensure compliance with GDPR requirements:
- Security by design: the ReconArt solution is designed in accordance with the ISO27001 standard, which mirrors many of the security and privacy requirements from GDPR
- We are committed to implementing any additional security and privacy measures required under GDPR, should such requirements appear as part of, or as an addition to, the regulation
- Data transfers between Client and ReconArt environments are encrypted and use secured transfer methods.
- Dedicated Client ReconArt systems are accessible only from whitelisted Client networks
- Where appropriate, enterprise-class authentication tools can be integrated with ReconArt (Okta, OneLogin, Active Directory). This way, even higher security standards, such as dual authentication, can be enforced
- EU Client data is stored in a secured data center in Europe. We use two Armor datacenters located in London and Amsterdam to host those systems
- As a processor, assisting with the security and privacy of the processing, including notifying controllers in the event of breaches
- Providing ReconArt support personnel who have access to Client data with the appropriate training for maintaining the confidentiality and security of that data
- Holding any vendors (hosting partners) that handle personal data to the same standards as ReconArt.
- Through a GDPR-compliant Data Processing Addendum to our standard Agreement, obtaining from customers a classification of personal data used for reconciliation (if any) and taking the relevant measures to protect this data via technical and process-related activities.
- Carrying out data impact assessments and consulting with EU and local regulators where appropriate.
GDPR and ReconArt: Frequently Asked Questions
Does ReconArt process Personal Data on behalf of its customers?
By default, ReconArt uses low-risk personal data such as name, email and phone number to create logins for customers in the system. If customers (Controllers) do not want to provide such personal data, they can use a third-party authentication method (Okta, OneLogin or Active Directory). In this case only a login name is needed in ReconArt, which does not itself contain personal data. The other details can be protected using pseudonymization in ReconArt, as they are not needed for the login process. If internal authentication is used, an email address is needed for system activities (e.g. password resets). All other fields are either optional or can be pseudonymized if the Client wishes to protect them.
ReconArt does not know whether Clients include personal data in the data they choose to upload and reconcile in the system. To protect this data, all personal data uploaded to the system has to be described by the customer with the appropriate classification. ReconArt will then take the necessary measures to protect this data according to the GDPR requirements.
Where does ReconArt process my data?
Our hosted environments run in a carefully selected third-party data center – Armor (https://www.armor.com/) – which holds a number of security certifications, including SSAE16, PCI, HIPAA and GDPR (https://www.armor.com/compliance/). For European customers, we use the London and Amsterdam Armor locations to host the production environments. Test environments are hosted either on Armor or within ReconArt’s own data center in Bulgaria.
How does ReconArt protect my data?
Production environments are protected via the following measures, addressing critical areas of GDPR compliance:
- Network:
  - Intrusion Detection: detects malicious traffic that could result in data breaches
  - Vulnerability Scanning: reduces the attack surface by identifying improper configurations and missing patches/updates
  - IP Reputation Management: an effective first line of defense, blocking IP addresses associated with threat actors
  - Web Application Firewall: detects and blocks traffic associated with malicious application behavior such as cross-site scripting and SQL injection
  - File Integrity Monitoring: monitors for unauthorized changes to critical files
  - O/S Patching: addresses O/S vulnerabilities
  - Malware Protection: protects systems from viruses and malware
  - O/S Log Management: records a history of important O/S events for response and forensic investigations
  - Security Dashboard: facilitates documentation of security posture and incident communication
  - Incident Response: provides quick and prioritized response to incidents
- Data security:
  - All backups are encrypted with an enterprise-class 256-bit encryption algorithm.
Is it possible to anonymize or pseudonymize all personal data I am reconciling in ReconArt?
Yes, but this has to be done on the Controller (Client) side. ReconArt itself does not require any personal data for reconciliation purposes and, to the best of our knowledge, low-risk personal data (e.g. partial names and addresses) is used only in rare cases. The Client has full control over what data to load and in what form.
Is it possible to encrypt all personal data I am reconciling in ReconArt?
Yes, it’s technologically possible; however, there are two aspects to consider:
- All data that is classified as personal has to be described by the Client and provided to ReconArt. After appropriate measures for data protection are agreed, ReconArt will implement them.
- Some methods of encryption at the database level may limit some ReconArt functionality – for example, if string data is encrypted, substring functions may not work as part of the reconciliation rules.
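To make the two preceding answers concrete, here is an added example (not ReconArt’s code; the field names, records and key are constructed for illustration). It pseudonymizes the columns a Controller has classified as personal data with a keyed HMAC before the records are loaded, keeps the key on the Controller side, and then runs two kinds of matching rules over the result: an equality rule, which still works because the same input always yields the same token, and a surname-substring rule, which stops working once the strings are tokenized, exactly the limitation noted above.

```python
import hashlib
import hmac

# Constructed secret held by the Controller; it is never uploaded with the data.
# Using a keyed HMAC rather than a plain hash means a token cannot be
# reversed by guessing common names or email addresses.
CONTROLLER_KEY = b"constructed-demo-key-rotate-in-production"

# Columns the Controller has classified as personal data (constructed example).
PERSONAL_FIELDS = ("counterparty", "email")


def _normalize(value: str) -> str:
    """Trim and lowercase so trivially different spellings compare equal."""
    return value.strip().lower()


def pseudonymize(value: str, key: bytes = CONTROLLER_KEY) -> str:
    """Deterministic pseudonym: same input -> same token, so equality-based
    reconciliation rules keep working; without the key the token reveals nothing."""
    digest = hmac.new(key, _normalize(value).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize_record(record: dict, fields=PERSONAL_FIELDS, key: bytes = CONTROLLER_KEY) -> dict:
    """Return a copy of the record with the classified fields replaced by tokens."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymize(out[field], key)
    return out


# Constructed sample input: bank statement lines vs. ledger entries.
BANK = [
    {"ref": "B1", "counterparty": "A. Smith", "email": "alice@example.com", "amount": "120.00"},
    {"ref": "B2", "counterparty": "B. Jones", "email": "bob@example.com", "amount": "75.50"},
]
LEDGER = [
    {"ref": "L9", "counterparty": "Alice Smith", "email": "Alice@Example.com", "amount": "120.00"},
    {"ref": "L10", "counterparty": "Carol White", "email": "carol@example.com", "amount": "75.50"},
]


def exact_match(left, right, keys=("email", "amount")):
    """Equality rule: match when the normalized key fields are identical."""
    index = {tuple(_normalize(r[k]) for k in keys): r["ref"] for r in right}
    return [
        (l["ref"], index[tuple(_normalize(l[k]) for k in keys)])
        for l in left
        if tuple(_normalize(l[k]) for k in keys) in index
    ]


def surname_match(left, right, field="counterparty"):
    """Substring rule: match when the ledger surname appears inside the bank name.
    Works on clear text, but not once the field holds an opaque token."""
    pairs = []
    for l in left:
        for r in right:
            surname = _normalize(r[field]).split()[-1]
            if surname in _normalize(l[field]):
                pairs.append((l["ref"], r["ref"]))
    return pairs


def demo() -> dict:
    """Run both rules on clear-text and pseudonymized copies of the sample data."""
    bank_p = [pseudonymize_record(r) for r in BANK]
    ledger_p = [pseudonymize_record(r) for r in LEDGER]
    return {
        "exact_clear": exact_match(BANK, LEDGER),
        "exact_pseudonymized": exact_match(bank_p, ledger_p),
        "surname_clear": surname_match(BANK, LEDGER),
        "surname_pseudonymized": surname_match(bank_p, ledger_p),
        "uploaded_sample": bank_p[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design choice worth noting is the normalization step inside `pseudonymize`: because matching now happens on tokens, any cleanup (case, whitespace) that the reconciliation rules would normally apply to clear text has to be applied by the Controller before tokenization, or equal values will produce different tokens and the equality rule will silently miss them.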
Can you guarantee that my data will stay in a certain location (e.g., Europe)?
Yes, ReconArt will place the production and test environments according to the location of the customer and the applicable data protection requirements. Customers from the United States will have their data located in the US, and customers outside the US and EU will have their systems located in the Armor data center that provides the best performance, unless otherwise required.
What security related certifications does ReconArt have?
ReconArt is ISO27001 certified within the European subsidiary. The same processes are rolled out and implemented in the US office where the certification process is in progress and will be completed by the end of 2018.
ReconArt recommendations for our Clients (Controllers)
It is important that our Clients, as Data Controllers, are aware of their own obligations under GDPR – these tend to be more expansive than those for entities considered “Processors”. Due to the nature of ReconArt’s offering and the fact that, for the most part, our Clients manage their ReconArt systems independently, mutual effort is needed to ensure GDPR compliance whenever personal data is used. This includes the Client’s proper outlining and classification of the personal data, so that ReconArt can ensure the proper GDPR compliance measures are taken to protect it.
No provider can figure out GDPR compliance on your behalf
It’s important to treat GDPR not purely as a legal issue that can be solved by an appropriate Data Processing Agreement, but as a comprehensive matter that touches many aspects of the business. Every organization needs to complete its own legal, technical, and operational analysis to fully understand GDPR and its own role in it, and to implement it comprehensively. It is recommended that this analysis include internal resources as well as independent expertise, and that ultimately it produces a compliance strategy.
Understand your data
As a Data Controller, it is solely your responsibility to fully understand and document the nature, purpose, and risk level of the private data you are collecting. Ultimately, the GDPR is all about understanding your data and designing your approach to security around it – and only you are in a position to do this. For starters, this is a great opportunity to eliminate or minimize the use of personal data in processes that do not actually require it, such as reconciliation. Consider all the tools at your disposal to accomplish this. If private data must be used, there should be a good reason, which will be documented in the DPA.
According to this GDPR:REPORT article from June 2017, “whilst cyber-attacks resulting in data breaches dominate the headlines, the majority of data breaches occur due to human error – be it a dropped memory stick, sending something to the wrong e-mail address, not following a firm wide policy on encrypting data or not taking care of paper files whilst out of the office”. It is therefore very important to prioritize comprehensive employee education on GDPR concepts and on best practices around data privacy and security. There are many easily accessible resources in the form of online courses, webinars, and other materials that can assist you with this – consider making employee training an ongoing activity with monthly recurrence rather than a one-off exercise.
Contact: If you have any questions, please contact us at firstname.lastname@example.org
Disclaimer: The purpose of this write-up is to share ReconArt’s measures for GDPR compliance and provide helpful guidance to interested parties. It is not a comprehensive solution or legal advice for GDPR. Each organization should undertake their own steps to ensure compliance.