GDPR — the new EU General Data Protection Regulation

11 min readJun 3, 2018

by Juarez Junior

Introduction

Over the past few weeks, I have been receiving many e-mail messages aimed at addressing the very same subject — GDPR. Basically, companies and institutions are currently asking for consent to store and use your personal data.

GDPR stands for General Data Protection Regulation. It supersedes a previous data protection framework under the Data Protection Directive (95/46/EC). The declared purpose of GDPR is to protect the personal data and rights of natural EU citizens so in practice it means stronger rights for individuals.

The new regulation is the result of cooperation between the European Parliament and the Council of the European Union. It became effective last Friday, the 25th of May, 2018, and it’s comprised of 99 articles and 173 recitals, which in turn translate into a large and complex law affecting any company or institution that needs to process the personal data of EU citizens, regardless of whether that company is based in the European Union. Even though Brexit is due effectively to happen in the next 12 months, GDPR will still apply to all UK-based businesses handling EU citizens’ data as well.

The EU citizens now can approach a company and ask for the right to be forgotten/have their data removed and they can request that at any time as per the law. They will have collective redress of abuses, opening up the possibility for class action lawsuits from individuals in case there are issues with their data.

Companies must obtain explicit Opt-In consent, they must address the Data Subject in a clear and direct way and ask for the right to use and retain the data only after approval, so it’s not an opt-out choice, an error in interpretation that is currently happening as companies start to communicate with their customers in order to talk about GDPR.

Organizations will be potentially subject to fines of up to €10 million or 2% (whichever is greater) of total worldwide annual turnover (a European term for global annual revenue) for breaches or €20 million or 4% of turnover (whichever is greater) of total worldwide annual for very serious breaches.

The law defines new statutory requirements for two core roles considered in the scope of GDPR — Data Controllers and Data Processors — as the two roles have joint liability.

So let’s define some roles in the scope of GDPR:

Data Controller: a company that uses the EU resident’s data;
Data Processor: a company or institution that processes the EU resident’s data in a given business process scenario;
Data Protection Authority: the European Union and the Local Authorities. There will be common enforcement Data Protection authorities and they will enforce in consultation with each other;
Data Subject — the EU resident;
Data — the EU resident’s data is to be protected.

The law also mandates that the data breach notification to the Data Protection Authority must happen within 72 hours and the communication to Data Subjects without undue delay.

For the purposes of this article, the explanation above may suffice and you can also check the full contents of GDPR.

Oracle Cloud Services and Solutions that can help address GDPR

We can now consider the implications of GDPR in relation to IT infrastructure, security and cybersecurity, IT governance, and obviously data protection requirements.

All companies and institutions that process and /or hold data must then provide the proper mechanisms of protection considering: 1) the transmission of data (data in motion); and 2) where the data resides (data at rest).

So a company can consider and implement the right security measures for its data stores (data at rest) by using the right databases and storage technology as well as it must also implement the right security measures for data transfers (data in motion) by means of the right security protocols and standards like TLS, HTTPS as privacy rights attach and follow data as it moves globally.

On top of that, there are so many aspects that must be considered so it’s crucial to work with an expert and competent Technology Consultant in order to help you identify the gaps in your IT solution and fully address your security needs toward an effective selection and implementation of such right services and security mechanisms.

Smart IT leaders can seize the opportunity and modernize and transform their IT solutions as they define a strategy to address GDPR compliance and alignment, so this is just the perfect opportunity to define a joint effort toward compliance and digital transformation.

That’s because, at the end of the day, GDPR means good IT and good security. So by looking at your environments and solutions both the physical and logical layers must have security properly and intrinsically implemented.

For a given IT solution, there are two initial steps that help to pursue compliance with GDPR: 1) changes in IT infrastructure, and 2) the modification and security hardening of existing applications.

With the right combination and composition of Cloud services like the ones provided by our Oracle Cloud Services (IaaS, PaaS, SaaS), data protection can be achieved by default in some services and for that, you need to have the best technology options at hand.

Security improvements can also be achieved by solution architecture design and composition efforts, that is, you can combine new, additional back-end services (middle-ware, databases, others) in order to modernize your application by following the well know best practices and methodologies for IT security and digital transformation.

The first and possibly easiest step towards compliance is to consider changes in the scope of IT infrastructure. With the right strategy choice and approach, you can modernize your infrastructure and platforms, and move to the cloud with an optimal lift and shift strategy, minimizing transition and downtime issues so that your existing solutions will finally run on top of solid, security-hardened software and hardware platforms.

So let’s talk more about Oracle Cloud and its services that can help address GDPR.

Cloud Services

The Oracle Cloud was developed to offer secure infrastructure and platform services that are used by Oracle customers to run their mission-critical enterprise workloads and store their data. Security is a top priority for Oracle Cloud solutions.

Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations.

First and foremost then and speaking of hardware at the bottom layer, needless to say, is that Oracle software runs best on Oracle hardware.

Talking about the hardened hardware options that are the base of all Oracle Cloud Services, a good example of its unique security features is Oracle’s Software in Silicon technology that implements memory access validation directly into the processor so that you can protect application data that resides in memory, resulting in increased data security. Oracle has options that allow you to choose traditional on-premises deployment, public or private cloud behind your firewall, and always get the same set of world-class hardware choices.

You can check the following white paper for a complete explanation of Oracle Cloud Infrastructure and the GDPR.

Speaking of software platforms, let’s proceed and cite our enterprise hardened Operating Systems such as Solaris and also Oracle Linux, the one that uses the UEK — Unbreakable Enterprise Kernel, available to our IaaS (Infrastructure as a Service) Cloud solutions. I strongly advise you to check the Linux Kernel Development blog so that you can learn more about how solid our security-hardened Enterprise Linux Kernel is.

On top of such rock-solid infrastructure, we have enterprise-grade database solutions, middle-ware, and platform services that are part of our PaaS (Platform as a Service) Cloud and last but not least the comprehensive portfolio of SaaS (Software as a Service) Cloud applications.

In order to protect your data at rest, you’ll need hardened data stores as the ones that can be implemented by using the Oracle Database 18c available on our Oracle Database Cloud Service.

Just to mention, Oracle Database Advanced Security features have a number of mechanisms that can help address the GDPR requirements such as TDE — Transparent Data Encryption, Data Redaction, Data Masking, and others.

Let’s provide more information about some features so that you can explore them:

Transparent Data Encryption enables you to encrypt sensitive data such as Personal Identity Information (PII). Once the data is encrypted, the data can be transparently decrypted for authorized users or applications when they access the data. As we can conclude TDE is helpful to protect your data at rest.
Data Masking enables entire copies or subsets of application data to be extracted from the database, obfuscated, and shared with partners inside and outside of the business. The integrity of the database is preserved assuring the continuity of the applications.
Data Redaction provides the ability to redact (mask) sensitive data in real time by using different redaction types. Data Redaction enables you to move redaction capabilities out of applications and into the database, reducing the modification needs for some applications. It is somehow an easy way to protect sensitive data that is displayed in applications by replacing it on-the-fly with valid redacted data while keeping the applications running.

There are also other features and services in the scope of Database Security that can be combined in order to address the data in motion and data at rest requirements:

Oracle Database Vault has security controls that help organizations address GDPR compliance but also other data privacy laws and standards such as the Payment Card Industry Data Security Standard.

Other solutions that can be combined are part of Oracle Database Security features and products, including the Oracle Key Vault and Oracle Database Auditing.

Beyond those security features, your IT governance aspect can also be transformed and simplified because you do not need to worry about tedious, error-prone, and recurrent tasks like patching, performance tuning, and other operational tasks as you can leverage the cutting-edge AI features of our Oracle Autonomous Database, the world’s first “self-driving” database. This ground-breaking Oracle Database technology automates management to deliver unprecedented availability, performance, and security. It offers total automation based on machine learning and eliminates human error and manual tuning. If you’re curious enough and really want to understand how a database designed for 21st-century solutions operates, you check out the Oracle Autonomous Database announcement session.

In case you’re looking for more simplification and higher abstractions related to IT governance simplification the Oracle Cloud DBaaS is an option as well.

At last, important to cite is that nowadays we also have mobile devices with mobile databases (data at rest) so let’s not forget those as mobile applications and mobile databases must also use the right level of security controls and secure communication channels in place as supported by Oracle Mobile Cloud Service. The same applies to IoT and edge computing services where you can leverage the Oracle IoT Platform Cloud Service as well as increased security for API Integration and Management, a requirement fully addressed by our Oracle API Platform Cloud Service.

The specific, security-related Oracle Cloud services are Oracle Identity Cloud Service which helps to manage identities for hybrid access, authorization, authentication, provisioning, and SSO (Single Sign-On), and the Cloud Access Security Broker (CASB) which helps to implement consistent security policies across sanctioned SaaS, PaaS and IaaS environments.

Besides, the Oracle Management Cloud and the Security Monitoring and Analytics Service help to monitor, block, and audit security incidents across heterogeneous and hybrid cloud environments. In addition to that, the Configuration and Compliance Service implements and maintains continuous configuration and compliance for IT assets and enables you to assess, score and remediate violations using industry-standard benchmarks as well as your own custom rules, on your on-premises, cloud, or hybrid environments.

Speaking now about Applications, the modification and security hardening of existing applications may require a more elaborate and diligent approach depending on your previous choices and the current software applications you have. It will vary depending on transformation requirements if it’s needed to address existing out-of-the-box application software, standalone desktop app, or SaaS application. Beyond that, custom applications, the ones developed in-house with a software development platform must also be considered.

The first case is solved with the use of a SaaS application and Oracle has an extensive list of Oracle Cloud SaaS applications. Perhaps you can speed up the implementation of GDPR-related requirements by leveraging specific SaaS applications according to your needs and the Oracle Cloud offers the most complete, innovative, and proven cloud suite of SaaS applications that enable customers to transform their business. A number of partner applications are also available in our Marketplace.

On the other side, if you’re talking about custom applications based on the Java EE platform for example — which recently changed its designation name to Jakarta EE — you can use the Oracle Java Cloud Service (JCS) as it offers a full-fledged enterprise Java Application Server.

Just to give an example you can migrate easily from an open-source Servlet container like Tomcat to Oracle Java Cloud Service as it supports all the main enterprise JSRs — Java Specification Requests, the technical specifications that define the services available to a Java (Jakarta) EE application.

As an example of improved security in the scope of JCS, all data transfers can be performed via secure communication protocols such as HTTPS, TLS, JDBC over SSL, and other security protocols. You can secure the application environment for your Oracle Java Cloud Service instance by leveraging the robust WebLogic Server security options, Oracle Platform Security Service (OPSS), and Oracle Web Services Manager (OWSM) as shown here.

Other software development stacks and stacks are also covered by our Oracle Application Containers Cloud Services, a polyglot run time environment based on Docker containers that have options to run the LAMP stack, the MEAN stack as well as Python, Ruby, and even .NET stacks.

The Oracle Cloud Platform has an extensive list of services that you can choose to support your modern Cloud Native and Docker containers based solutions that implement the best options for agile DevOps, orchestration of Microservices, and the implementation of CI (Continuous Integration) / CD (Continuous Delivery) pipelines.

Such services can deliver the desired agility that results in lower IT costs, shorter times to market for your products and solutions, and phenomenal productivity for your software development teams.

Those are just examples of how you can redesign your application and software architectures using Oracle Cloud Services. In case you want to explore the business aspects of a modernization and transformation Journey to the Cloud, there’s an interesting and independent research study of 730 executives available to you — IT Leaders’ Insights on the Cloud — where you can find out about what should be your top 10 lessons, key findings, and your crucial priorities.

The report will help you visualize why the Oracle Cloud is a good choice to be Your Cloud Platform — the platform that can allow you to develop 12-factor applications that use the state-of-the-art cloud and solutions architectures in line with the technology advancements that are now mainstream in the 21 century. The exponential architectures are comprised of innovative services like AI, autonomous services, Big Data, IoT, Blockchain, and Cloud Native frameworks built to implement future-proof solutions.

Well, there are so many Oracle Cloud Services that we’ll definitely need additional blog posts to talk about them, so be on the watch for the upcoming posts about specific services where I’ll describe them in the context of modern cloud architecture solutions.

Wrapping up

To finalize our discussions about GDPR, the takeaway is that at the end of the day, you’ll need to analyze your current software architecture and software stack compositions, the use of Open-Source frameworks, and other aspects in order to gather the requirements and inputs that will allow you to determine the best way to approach the required modernization and security hardening towards better IT and better security.

The GDPR ultimately leaves the decision and responsibility to your organization as it will be needed to implement a security framework as well as to choose the appropriate measures that will ultimately guarantee the required security, integrity, availability, and resilience of data and systems.

Oracle Developers and Oracle OCI Free Tier

Join our Oracle Developers channel on Slack to discuss Microservices, Java, JDBC, Oracle Cloud Infrastructure, Oracle Database, and other topics!

Build, test, and deploy your applications on Oracle Cloud — for free! Get access to OCI Cloud Free Tier!