GDPR — the new EU General Data Protection Regulation
Over the past few weeks I have been receiving many e-mail messages about the very same subject — GDPR. Basically, companies and institutions are currently asking for consent to store and use your personal data.
GDPR stands for General Data Protection Regulation. It supersedes the previous data protection framework, the Data Protection Directive (95/46/EC). The declared purpose of GDPR is to protect the personal data and rights of EU citizens (natural persons), so in practice it means stronger rights for individuals.
The new regulation is the result of cooperation between the European Parliament and the Council of the European Union. It became effective last Friday, the 25th of May, 2018, and it comprises 99 articles and 173 recitals, which in turn translate into a large and complex law affecting any company or institution that processes personal data of EU citizens, regardless of whether that company is based in the European Union. Even though Brexit is due to take effect within the next 12 months, GDPR will still apply to all UK-based businesses handling EU citizens’ data as well.
EU citizens can now approach a company and exercise the right to be forgotten, that is, have their data removed, and they can request this at any time as provided by the law. They will also have collective redress of abuses, opening up the possibility of class action lawsuits from individuals in case there are issues with their data.
Companies must obtain explicit opt-in consent: they must address the Data Subject in a clear and direct way and ask for the right to use and retain the data, which they may do only after approval. It is therefore not an opt-out choice, an error of interpretation that is currently happening as companies start to communicate with their customers about GDPR.
Organisations are potentially subject to fines of up to €10 million or 2% of total worldwide annual turnover (a European term for global annual revenue), whichever is greater, for breaches, and up to €20 million or 4% of total worldwide annual turnover, whichever is greater, for very serious breaches.
The law defines new statutory requirements for the two core roles in scope of GDPR — Data Controllers and Data Processors — and the two roles have joint liability.
So let’s define some roles in scope of GDPR:
- Data Controller: a company that uses the EU resident’s data;
- Data Processor: a company or institution that processes the EU resident’s data in a given business process scenario;
- Data Protection Authority: the European Union and the local authorities. There will be common enforcement Data Protection Authorities and they will enforce in consultation with each other;
- Data Subject: the EU resident;
- Data: the EU resident’s data to be protected.
The law also mandates that a data breach must be notified to the Data Protection Authority within 72 hours and communicated to the Data Subjects without undue delay.
For the purposes of this article the explanation above should suffice; you can also check the full contents of the GDPR.
Oracle Cloud Services and Solutions that can help address GDPR
We can now consider the implications of GDPR for IT infrastructure, security and cybersecurity, IT governance and, obviously, data protection requirements.
All companies and institutions that process and/or hold data must then provide the proper protection mechanisms considering: 1) the transmission of data (data in motion); and 2) where the data resides (data at rest).
A company can therefore implement the right security measures for its data stores (data at rest) by using the right database and storage technology, and it must also implement the right security measures for data transfers (data in motion) by means of the right security protocols and standards, such as TLS and HTTPS, since privacy rights attach to the data and follow it as it moves globally.
On top of that, there are many other aspects that must be considered, so it’s crucial to work with an expert and competent Technology Consultant who can help you identify the gaps in your IT solution and fully address your security needs through the effective selection and implementation of the right services and security mechanisms.
Smart IT leaders can seize the opportunity to modernize and transform their IT solutions as they define a strategy to address GDPR compliance and alignment, so this is the perfect opportunity to define a joint effort towards compliance and digital transformation.
That’s because, at the end of the day, GDPR means good IT and good security. So when you look at your environments and solutions, both the physical and the logical layers must have security properly and intrinsically implemented.
For a given IT solution, there are two initial steps that help to pursue compliance with GDPR: 1) changes in IT infrastructure; and 2) the modification and security hardening of existing applications.
With the right combination and composition of cloud services like the ones provided by Oracle Cloud Services (IaaS, PaaS, SaaS), data protection can be achieved by default in some services; for that you need to have the best technology options at hand.
Security improvements can also be achieved through solution architecture design and composition efforts, that is, you can combine new, additional back-end services (middleware, databases, others) in order to modernize your application by following the well-known best practices and methodologies for IT security and digital transformation.
The first and possibly easiest step towards compliance is to consider changes in scope of the IT infrastructure. With the right strategy and approach you can modernize your infrastructure and platforms and move to the cloud with an optimal lift-and-shift strategy, minimizing transition and downtime issues, so that your existing solutions will finally run on top of solid, security-hardened software and hardware platforms.
So let’s talk more about the Oracle Cloud and the services that can help address GDPR.
The Oracle Cloud was developed to offer secure infrastructure and platform services that are used by Oracle customers to run their mission-critical enterprise workloads and store their data. Security is a top priority for Oracle Cloud solutions.
Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations.
First and foremost, speaking of hardware at the bottom layer, it goes without saying that Oracle software runs best on Oracle hardware.
Talking about the hardened hardware options that form the base of all Oracle Cloud Services, a good example of their unique security features is Oracle’s Software in Silicon technology, which implements memory access validation directly in the processor so that you can protect application data that resides in memory, resulting in increased data security. Oracle has options that allow you to choose traditional on-premises deployment, or public or private cloud behind your firewall, and always get the same set of world-class hardware choices.
You can check the following white paper for a complete explanation of Oracle Cloud Infrastructure and the GDPR.
Speaking of software platforms, let’s proceed and cite our enterprise-hardened operating systems such as Solaris and also Oracle Linux, which uses the UEK — Unbreakable Enterprise Kernel — and is available on our IaaS (Infrastructure as a Service) cloud solutions. I strongly advise you to check the Linux Kernel Development blog so that you can learn more about how solid our security-hardened Enterprise Linux Kernel is.
On top of such rock-solid infrastructure, we have the enterprise-grade database solutions, middleware and platform services that are part of our PaaS (Platform as a Service) Cloud and, last but not least, the comprehensive portfolio of SaaS (Software as a Service) Cloud applications.
Oracle Database Advanced Security offers a number of mechanisms that can help address GDPR requirements, such as TDE — Transparent Data Encryption, Data Redaction, Data Masking and others.
Let’s provide more information about some features so that you can explore them:
Transparent Data Encryption enables you to encrypt sensitive data such as personally identifiable information (PII). Once the data is encrypted, it can be transparently decrypted for authorized users or applications when they access it. As we can conclude, TDE is helpful to protect your data at rest.
Data Masking enables entire copies or subsets of application data to be extracted from the database, obfuscated, and shared with partners inside and outside of the business. The integrity of the database is preserved, ensuring the continuity of the applications.
Data Redaction provides the ability to redact (mask) sensitive data in real time by using different redaction types. Data Redaction enables you to move redaction capabilities out of applications and into the database, reducing the modifications needed in some applications. It is a relatively easy way to protect sensitive data that is displayed in applications by replacing it on the fly with valid redacted data, while keeping the applications running.
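As an added example (not from the original post, and not Oracle's own documentation), here is how the column encryption and the Data Redaction policy described above would be defined with standard SQL and the DBMS_REDACT package. It assumes a hypothetical HR.EMPLOYEES table with NATIONAL_ID (format 123-45-6789) and EMAIL columns and a hypothetical database user HR_ADMIN who is allowed to see the cleartext values.

```sql
-- Added example (not from the original post). Assumes a hypothetical table
-- HR.EMPLOYEES with columns NATIONAL_ID (format 123-45-6789) and EMAIL, and a
-- hypothetical user HR_ADMIN who may see cleartext. Requires the Oracle
-- Advanced Security option; run as a user with EXECUTE on SYS.DBMS_REDACT.

-- 1. Data at rest: encrypt the sensitive column with TDE column encryption.
--    The TDE keystore (wallet) must already be configured and open.
ALTER TABLE hr.employees MODIFY (national_id ENCRYPT USING 'AES256');

-- 2. Data in use: one redaction policy per table. Partially redact
--    NATIONAL_ID so that positions 1-5 are replaced by '*' and only the last
--    four digits remain, unless the session user is HR_ADMIN. The policy is
--    evaluated at query time, so the application code does not change.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'NATIONAL_ID',
    policy_name         => 'redact_employee_pii',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, start and end position
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''HR_ADMIN''');
END;
/

-- 3. Add a second column to the same policy: keep the e-mail domain but
--    replace the local part, using the package's built-in e-mail pattern.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'redact_employee_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);
END;
/

-- 4. Verify from an ordinary application session (values should be masked)
--    and check what the data dictionary records about the policy.
SELECT national_id, email FROM hr.employees WHERE ROWNUM <= 5;
SELECT object_name, column_name, function_type
  FROM redaction_columns
 WHERE object_owner = 'HR';

-- Caveat: users holding the EXEMPT REDACTION POLICY privilege (SYS included)
-- always see cleartext, and redaction does not change the stored data; it
-- complements, but does not replace, access control and TDE.
```

Run step 4 once as a regular application user and once as HR_ADMIN to confirm that only the privileged session sees the unmasked values.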
There are also other features and services in scope of Database Security that can be combined in order to address the data in motion and data at rest requirements, as listed below:
Oracle Database Vault has security controls that help organizations address GDPR compliance, but also other data privacy laws and standards such as the Payment Card Industry Data Security Standard.
Beyond those security features, the IT governance side can also be transformed and simplified, because you no longer need to worry about tedious, error-prone and recurring tasks like patching, performance tuning and other operational tasks when you leverage the cutting-edge AI features of the Oracle Autonomous Database, the world’s first “self-driving” database. This ground-breaking Oracle Database technology automates management to deliver unprecedented availability, performance, and security. It offers total automation based on machine learning and eliminates human error and manual tuning. If you’re curious enough and really want to understand how a database designed for 21st-century solutions operates, you can check the Oracle Autonomous Database announcement session.
If you are looking for further simplification and higher abstraction in IT governance, the Oracle Cloud DBaaS is an option as well.
Finally, it is important to note that nowadays we also have mobile devices with mobile databases (data at rest), so let’s not forget those: mobile applications and mobile databases must also have the right level of security controls and secure communication channels in place, as supported by Oracle Mobile Cloud Service. The same applies to IoT and edge computing services, where you can leverage the Oracle IoT Platform Cloud Service, as well as to increased security for API integration and management, a requirement fully addressed by our Oracle API Platform Cloud Service.
The specifically security-related Oracle Cloud services are Oracle Identity Cloud Service, which helps to manage identities for hybrid access, authorization, authentication, provisioning and SSO (Single Sign-On), and the Cloud Access Security Broker (CASB), which helps to implement consistent security policies across sanctioned SaaS, PaaS and IaaS environments.
Besides, the Oracle Management Cloud and the Security Monitoring and Analytics Service help to monitor, block and audit security incidents across heterogeneous and hybrid cloud environments. In addition, the Configuration and Compliance Service implements and maintains continuous configuration and compliance for IT assets and enables you to assess, score and remediate violations using industry-standard benchmarks as well as your own custom rules, on your on-premises, cloud or hybrid environments.
Speaking now about applications, the modification and security hardening of existing applications may require a more elaborate and diligent approach depending on your previous choices and the software applications you currently have. It will vary with the transformation requirements and on whether you need to address existing out-of-the-box application software, a standalone desktop app or a SaaS application. Beyond that, custom applications, the ones developed in-house with a software development platform, must also be considered.
The first case can be solved with the use of a SaaS application, and Oracle has an extensive list of Oracle Cloud SaaS applications. Perhaps you can speed up the implementation of GDPR-related requirements by leveraging specific SaaS applications according to your needs; the Oracle Cloud offers the most complete, innovative and proven cloud suite of SaaS applications that enable customers to transform their business. A number of partner applications are also available in our Marketplace.
On the other side, if you’re talking about custom applications based on the Java EE platform, for example — which was recently renamed Jakarta EE — you can use the Oracle Java Cloud Service (JCS), as it offers a full-fledged enterprise Java application server.
For example, you can migrate easily from an open-source Servlet container like Tomcat to Oracle Java Cloud Service, as it supports all the main enterprise JSRs — Java Specification Requests, the technical specifications that define the services available to a Java (Jakarta) EE application.
As an example of improved security in scope of JCS, all data transfers can be performed via secure communication protocols such as HTTPS, TLS, JDBC over SSL and other secure protocols. You can secure the application environment of your Oracle Java Cloud Service instance by leveraging the robust WebLogic Server security options, Oracle Platform Security Services (OPSS), and Oracle Web Services Manager (OWSM), as shown here.
Other software development stacks are also covered by the Oracle Application Container Cloud Service, a polyglot runtime environment based on Docker containers that has options to run the LAMP stack and the MEAN stack, as well as Python, Ruby and even .NET stacks.
The Oracle Cloud Platform has an extensive list of services that you can choose from to support your modern cloud-native and Docker-container-based solutions, implementing the best options for agile DevOps, orchestration of microservices and CI (Continuous Integration) / CD (Continuous Delivery) pipelines.
Such services can deliver the desired agility, which results in lower IT costs, shorter time to market for your products and solutions and phenomenal productivity for your software development teams.
Those are just examples of how you can redesign your application and software architectures using the Oracle Cloud Services. In case you want to explore the business aspects of a modernization and transformation journey to the cloud, there’s an interesting and independent research study of 730 executives available to you — IT Leaders’ Insights on the Cloud — where you can find out about your top 10 lessons, key findings and crucial priorities.
The report will help you visualize why the Oracle Cloud is a good choice to be your cloud platform — the platform that allows you to develop 12-factor applications that use state-of-the-art cloud and solution architectures in line with the technology advancements that are now mainstream in the 21st century: exponential architectures composed of innovative services like AI, autonomous services, Big Data, IoT, Blockchain and cloud-native frameworks built to implement future-proof solutions.
Well, there are so many Oracle Cloud Services that we’ll definitely need additional blog posts to talk about them, so watch out for the upcoming posts about specific services, where I’ll describe them in the context of modern cloud architecture solutions.
To finalize our discussion of GDPR, the takeaway is that, at the end of the day, you’ll need to analyse your current software architecture and software stack composition, the use of open-source frameworks and other aspects in order to gather the requirements and inputs that will allow you to determine the best way to approach the required modernization and security hardening towards better IT and better security.
The GDPR ultimately leaves the decision and the responsibility to your organization, as it will need to implement a security framework and choose the appropriate measures that will ultimately guarantee the required security, integrity, availability and resilience of data and systems.
Give it a try! Get started with Oracle Cloud for free!
In conclusion, the Oracle Cloud has the best-in-class security solutions and services needed to achieve the level of security that will allow your business to move towards GDPR compliance as required. Oracle can support such efforts, and our Technology Consultants can help your company with this journey to the cloud and towards GDPR compliance.
Avoid the sleepless nights that can result from bad IT, security issues and GDPR-related risks! Still have doubts? Why not give it a try?
*** All opinions are my own and do not reflect the views of my employer ***