Get Ready for the General Data Protection Regulation (GDPR), with Data Virtualization
Reading Time: 5 minutes

The General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The new legislation means that organizations will have to comply with more stringent requirements for the protection of personal data. In previous posts, we explained how to comply with the GDPR in a few steps, and why the GDPR means that you must collect less data or do so more effectively. Many organizations focus on procedural measures but have trouble complying with the GDPR on a technical level. In this post, we explain how data virtualization can help in that regard.

A Substantial Package of Requirements

Personal data spreads through your organization like wildfire. For example, when you receive an email that contains a client’s personal information, the email is stored on your email server. On top of that, backup and compliance copies are made. The compliance archive is also replicated. Before you know it, one person’s personal data is stored in numerous systems, in the cloud and on-premise. However, with the arrival of the GDPR, organizations are expected to protect personal data adequately, to know where data is stored, who has access to this data, and to have the ability to delete or anonymize data immediately, among other things. Many organizations’ systems are not equipped to handle this, and they find it incredibly difficult and time-consuming to locate and report on data and to monitor whether the company is compliant in this respect. Therefore, organizations are looking for smart solutions to the problem. It is almost impossible to manage the GDPR separately in each system. It would be best for organizations to be able to access to all personal data from a central point, without the need to develop a range of new systems. Data virtualization makes this a reality.

One Central Location

Data virtualization creates an abstract information layer, in which data from different sources is accessed, transformed, and integrated in real time, without duplicating anything. In other words, it provides organizations with a central “data counter” for access and management of personal data. In a previous blog, we explained how data virtualization works and how to create a good business case for data virtualization in four steps. Technical knowledge of the physical storage of data is not required when it comes to using the virtual layer. It is a user-friendly virtual data counter which enables your organization to comply with the GDPR, quickly and easily, without investing in new hardware or having to rebuild existing systems.

What Precisely Does the GDPR Entail?

The GDPR imposes a significant number of requirements on your organization. Some of these can be dealt with through procedural measures, but in many cases, the requirements are purely technical. We’ll list the requirements briefly:

• Personal data may only be collected for well-defined, explicitly described and justified purposes. The data must only be processed for those described purposes.
• The personal data must then be removed or rendered anonymous if the identification of a person is no longer required for these purposes.
• Personal data must be protected by sound technical and organizational measures.
• Organizations must always be able to give a person insight into which personal data, pertaining to him or her, it processes.
• It must be possible for an authorized individual to easily delete personal data.
• Privacy-enhancing measures must be used for the development of products or services.
• The involved person must be able to download his or her personal data in a comprehensible format.
• In addition to disclosing the purpose of personal data processing, organizations must also provide detailed information (to the extent needed) to guarantee proper and meticulous data processing.
• Organizations are obliged to report security breaches if there is a risk of serious negative consequences for privacy.

The GDPR imposes many requirements to guarantee personal privacy. A central data counter makes it much easier to comply with these requirements. The benefits of data virtualization, with respect to the GDPR, can be summarized in four points.

GDPR-data-virtualization

1. Access from a single point

With data virtualization, you create one central counter to monitor and manage the security and access all personal data, in a simple, but more importantly, compliant manner. Since the counter holds both data and metadata, it provides you with real-time insight into how sensitive information is secured. Thanks to the logbook, you also know what the original source is, which users have looked at the data, the purpose for which they viewed the data, and whether any changes were made. Moreover, it is possible to mask data, so users who lack the required login credentials cannot view the data. Rules like these can be applied to various systems.

2. Central authorization

Furthermore, you determine who in your organization will have access to which data, from one central point. This authorization is managed for all the different systems – in the cloud and on-premises. You can implement specific permissions in the virtual layer, on a line and/or column level, for instance. In other words, you can even decide who can and cannot see telephone numbers and addresses, per file. In addition, you can see who has viewed or altered which personal data, at a glance. The counter verifies users through existing protocols like LDAP, Kerberos pass-through, Windows SSO, OAuth, SPNEGO authentication, and JDBC/ODBC security. Data virtualization enables you to create advanced rules and to monitor, in detail, who has used or viewed the data.

3. Facilitating privacy by design

The GDPR requires your organization to have privacy by design built in. Alternatively, you could think hard about whether you really need personal data, while you develop your product or service. If you do need it, you must think about how you will secure this information. A major advantage of the data counter is that it facilitates privacy by design. You ensure the strict security measures for all personal data, in advance. New data can also be added to the virtual layer without a fuss. You can then subject the data to the same security checks and assign permissions.

4. Fewer versions of personal data

Thanks to data virtualization, you never need to make copies when users require data. The data counter works with the organization’s existing infrastructure. Even so, data can be offered to different users in various forms and formats, without having to duplicate the data. By offering data in a virtual, rather than a physical form, you prevent the creation of unnecessary versions of personal data and complying with GDPR becomes manageable.

Data virtualization is the ultimate solution when it comes to surmounting the technical challenges of the GDPR. It is necessary, too, because failing to comply with the GDPR puts your organization at risk for tens or hundreds of millions in fines. You can steer clear of these fines with data virtualization, which will enable you to recover your investment almost instantaneously.

When will you start using data virtualization to guarantee your clients’ privacy?

This blog was penned by Erik Leene and Alexander van Helm of Kadenza.

Kadenza