EU General Data Protection Regulation
Superseding the Data Protection Directive 95/46/EC, the EU General Data Protection Regulation 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union and the European Economic Area.
It aims to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR became enforceable on 25 May 2018. As the GDPR is a regulation, not a directive, it is binding and applicable. Violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater.
The GDPR sets out 6 key principles. Here is how the Osirium PxM Platform assists with each.
Article 5(1) requires that personal data shall be…
Lawfulness, fairness and transparency
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;”
The first principle of GDPR – lawfulness, fairness and transparency – is truly the essence of GDPR. The way in which the PxM Platform helps companies respond to the other 5 GDPR principles provides the evidence for how we help demonstrate lawfulness, fairness and transparency.
“b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;”
Deciding on the purposes of data collection is for the organisation to decide. Companies must set a framework in which the data will be accessed, processed and eventually deleted. This is the organisation’s GDPR policy. The PxM Platform effectively works as a ‘policy enforcement’ product. Whilst many other products focus on protection, the PxM Platform goes beyond this, implementing the policy whilst keeping people away from direct use of privileged credentials, the most exposed route to the data.
“c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;”
Principle 3 is a qualifier to the policy in principle 2. The ‘limited’ part of this principle is perfectly enforced by the PxM Platform’s Privileged Task Automation functionality. It is not always necessary for an individual to have full access to a database. For example, their work may require that they deal with the customer who is currently on the phone. Using the Privileged Task Management module of the PxM Platform, a task can be created whereby data is retrieved that is adequate, relevant and limited to the task at hand. This approach prevents either the individual, or anyone else who has stolen that individual’s credentials, from stealing the whole database.
“d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;”
This is the part of the policy that relates to timeliness and accuracy. The PxM Platform can help where customer service provisioning is complex with many parameters. We’ve used task automation to limit access to the minimum set of data and commands required to complete a piece of work, so that access is restricted to sanitised commands, preventing human errors.
“e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;”
This relates to the underlying systems rather than what Osirium can do.
Integrity and confidentiality
“f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
At its core Osirium does two things:
1) ‘Identity In – Role Out’ - this approach speaks right to the essence of the sixth principle. Your organisation will be able to identify who has access to what even when ‘shared accounts’ are used. Identity gives a much better level of protection than giving humans access to privileged account credentials.
2) ‘Delegate the Task, not the Privilege’ - This is achieved through our Privileged Task Management module and is the strongest form of data security. Users no longer have direct access to systems, devices or applications. They cannot make bulk data copies or change underlying access rights.
One last thing… Accountability
Article 5(2) requires that: “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
The PxM Platform provides an overview of who can use what tools, on what systems, where, and when. This means that visualisation of the GDPR policy enforcement is straightforward. Article 5(2) is also a reminder that if you outsource data functions, your organisation is still responsible.
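As an added illustration of the pattern described in principles (c) and (f) and in the accountability note above, and not Osirium’s own code: a small Python broker in which an operator’s identity maps to a role, a role may only run named tasks whose commands are fixed and parameterised, the privileged connection never leaves the broker, and every attempt is written to an audit record. The user names, roles, tasks and sample rows are constructed for the example.

```python
import sqlite3
from datetime import datetime, timezone

# Identity -> role mapping (constructed sample data, not a real directory).
ROLES = {"alice": "helpdesk", "bob": "dba"}

# Each task is a fixed, parameterised command plus the roles allowed to run it.
# Users never type SQL themselves; they only choose a task and supply values.
TASKS = {
    "lookup_customer": {  # adequate, relevant, limited: one record by id
        "sql": "SELECT id, name, phone FROM customers WHERE id = ?",
        "roles": {"helpdesk", "dba"},
    },
    "export_all": {  # bulk access, reserved for a narrow role
        "sql": "SELECT id, name, phone FROM customers",
        "roles": {"dba"},
    },
}

AUDIT = []  # who ran which task, with which values, when: the Article 5(2) record


class PrivilegedTaskBroker:
    """Holds the privileged connection; callers only ever get task results."""

    def __init__(self, conn):
        self._conn = conn  # the privileged credential stays inside the broker

    def run(self, identity, task_name, *params):
        role = ROLES.get(identity)  # identity in ...
        task = TASKS.get(task_name)
        allowed = task is not None and role in task["roles"]  # ... role out
        AUDIT.append({"who": identity, "role": role, "task": task_name,
                      "params": params, "allowed": allowed,
                      "at": datetime.now(timezone.utc).isoformat()})
        if not allowed:
            raise PermissionError(f"{identity!r} may not run {task_name!r}")
        # Values are bound, never interpolated, so a crafted parameter cannot
        # widen the query beyond the single record the task was written for.
        return self._conn.execute(task["sql"], params).fetchall()


def make_demo_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                     [(1, "Ann", "0100"), (2, "Ben", "0200"), (3, "Cy", "0300")])
    return conn
```

The helpdesk role can fetch the one customer on the phone but not export the table, and a parameter such as `"2 OR 1=1"` returns nothing because it is bound as a value rather than spliced into the command.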
Industries linked to GDPR
The GDPR applies to all organisations located within the EU, and those outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. To this effect, it is relevant for all industries.