GDPR – it’s a new buzzword we keep hearing nowadays. While it was initially addressed towards big players like Facebook, Google and LinkedIn – it also affects small businesses. If you’ve had the chance to check the requirements and penalties for noncompliance then you’ll likely understand where all the hype is coming from. The difficulty lies in the fact that if you have at least one client from the EU, you automatically fall under GDPR requirements.

While heavy fines and checks against small businesses are not expected right away, they may occur in the near future as the GDPR legislation grows in maturity and the various executive bodies become more comfortable with the new regulation.

If your system has design flaws or is otherwise not prepared for the rigid GDPR requirements, this can be cause for concern. However, when it is designed with the right architecture, a modular approach, a well-known and transparent data flow, and a little common sense, the seemingly daunting task of compliance becomes a little less imposing. The requirements in fact boil down to the following essentials:

  • Deployment to a GDPR-compliant cloud;
  • Passing a security test against recognized guidelines such as OWASP's or NCSC's;
  • Compiling a couple of PI (personally identifiable information) handling policy documents;
  • Updating your privacy policy;
  • Completing a simple form that allows ‘right to be forgotten’ requests to be processed.

The practices we have used here at Bekitzur for some time now were designed around these points, and they make it a straightforward matter to build compliance into the solutions we create for our customers from the get-go.

Based on the experience of doing it for quite a few clients, we’ve created a checklist which explains how we comply with each key requirement.

Checklist

Data

  • Your company has a list of all the types of personal information it holds, the source of that information, who you share it with, what you do with it and how long you will keep it.
  • Your company has a list of places where it keeps personal information and the ways data flows between them.

All of our projects go through a well-established onboarding pipeline with a known set of artifacts. We define and document the domain and data model, storage, data flow and lifecycle from the early stages of the project.

All data that could be categorized as PI is modeled so that it is stored separately, which keeps it from being scattered across pipelines and storage.

We use storage that supports data encryption and deploy only on secure infrastructure.

We prefer highly available (HA) clusters, which keeps personal data out of cold storage and offline backups, where it is hard to track and erase.


Accountability & Management

  • Create awareness among decision makers about GDPR guidelines
  • Train staff to be aware of data protection

We’re familiar enough with GDPR to say that currently this is only the initial phase and that changes will soon follow.

While many vendors say that they are GDPR certified, there is no known certification or recommended vendors list issued by the regulator.

Our core team members passed EU GDPR Foundation Training, which is probably the best option to raise GDPR awareness.

We can help your employees pass the EU GDPR Foundation (F) and EU GDPR Practitioner (P) training, or the CIPP/E certification, and become a Data Protection Officer (DPO).

We will consult your stakeholders on GDPR and guide you through the process. The main focus of GDPR is how you treat PI, and we at Bekitzur are prepared to walk you through it.


Make sure your technical security is up to date

Maintaining data security is one of the key points in preventing PI leaks, which under GDPR must be reported to both the affected clients and the authorities.

Our CI/CD pipelines have built-in OWASP-based checks that catch security issues early in development.


You have a list of sub-processors, and your privacy policy mentions your use of each sub-processor

Over the years we have built a list of trusted third-party providers for additional functionality such as SMS verification, identity and document verification, eSignature, etc.


You report data breaches involving personal data to the local authorities and to the people (data subjects) involved

Any personal data breach should be reported to the local authorities within 72 hours, including what data has been lost, what the consequences are and what countermeasures have been taken. Unless the leaked data was encrypted, you should also report the breach to the person (data subject) whose data you lost.

We encrypt data stores (the file system is encrypted as well), and use a VPC with a bastion host and VPN, a WAF, and other controls to protect all data, including PI.

Reference:

  • GDPR Article 33 — Notification of a personal data breach to the supervisory authority
  • GDPR Article 34 — Communication of a personal data breach to the data subject

Customer Rights

  • Your customers can easily request access to their personal information
  • Your customers can easily update their own personal information to keep it accurate
  • Your customers can easily request deletion of their personal data
  • Your customers can easily request that you stop processing their data
  • Your customers can easily request that their data be delivered to themselves or a 3rd party
  • Your customers can easily object to profiling or automated decision making that could impact them

These rights, the best known of which is the ‘right to be forgotten’, can be hard to honour if user data is scattered across the system. We always consolidate PI in one place to make this easier.

We have also made a simple form for such requests that can be integrated with a helpdesk or task-tracking system and processed manually or automatically, depending on the situation.


You automatically delete data that your business no longer has any use for

All systems we have built have a well-defined data life cycle and an archive/cleanup procedure. Data is removed automatically when it is no longer required.
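As an added example (not Bekitzur's code) of the three practices described above, keeping PI in a single place keyed by a pseudonym, honouring access and erasure requests from that one place, and purging PI automatically once its retention period expires, here is a self-contained Python sketch on top of the standard library's in-memory SQLite. The table names, the `retain_until` column and the random `subject_id` pseudonym are assumptions of this example, not anything the post specifies:

```python
"""Added example, not Bekitzur's code: PI isolated in one table keyed by a
pseudonymous subject id, with automatic retention purge and erasure/access
request handling served from that single table.  Standard library only."""
import json
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical schema for the example.  Business data (orders) references the
# pseudonym only, so erasing the subject_pi row leaves it anonymised.
SCHEMA = """
CREATE TABLE subject_pi (          -- the only table holding personal data
    subject_id   TEXT PRIMARY KEY, -- random pseudonym, not derived from PI
    email        TEXT NOT NULL,
    full_name    TEXT NOT NULL,
    created_at   TEXT NOT NULL,
    retain_until TEXT NOT NULL     -- retention deadline, ISO 8601 UTC
);
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    subject_id   TEXT NOT NULL,
    amount_cents INTEGER NOT NULL,
    placed_at    TEXT NOT NULL
);
CREATE TABLE erasure_log (         -- evidence that a request/purge was done
    subject_id TEXT NOT NULL,
    reason     TEXT NOT NULL,
    erased_at  TEXT NOT NULL
);
"""


def _ts(dt):
    """Fixed-width ISO 8601 UTC timestamp so string comparison orders correctly."""
    return dt.astimezone(timezone.utc).replace(microsecond=0).isoformat()


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def register_subject(conn, email, full_name, retention_days, now=None):
    """Store PI once, with a retention deadline; return the pseudonym."""
    now = now or datetime.now(timezone.utc)
    subject_id = secrets.token_hex(16)
    conn.execute("INSERT INTO subject_pi VALUES (?, ?, ?, ?, ?)",
                 (subject_id, email, full_name, _ts(now),
                  _ts(now + timedelta(days=retention_days))))
    return subject_id


def record_order(conn, subject_id, amount_cents, now=None):
    """Business data carries the pseudonym only, never the PI itself."""
    now = now or datetime.now(timezone.utc)
    cur = conn.execute(
        "INSERT INTO orders (subject_id, amount_cents, placed_at) VALUES (?, ?, ?)",
        (subject_id, amount_cents, _ts(now)))
    return cur.lastrowid


def export_subject(conn, subject_id):
    """Right of access / portability: everything held about one subject as JSON,
    or None if no PI is held (e.g. already erased)."""
    pi = conn.execute("SELECT email, full_name, created_at, retain_until "
                      "FROM subject_pi WHERE subject_id = ?", (subject_id,)).fetchone()
    if pi is None:
        return None
    orders = conn.execute("SELECT order_id, amount_cents, placed_at FROM orders "
                          "WHERE subject_id = ? ORDER BY order_id", (subject_id,)).fetchall()
    return json.dumps({"email": pi[0], "full_name": pi[1], "created_at": pi[2],
                       "retain_until": pi[3],
                       "orders": [{"order_id": o[0], "amount_cents": o[1],
                                   "placed_at": o[2]} for o in orders]}, indent=2)


def erase_subject(conn, subject_id, reason, now=None):
    """Right to erasure: delete the PI row and log it.  Orders remain, but
    with no PI row the pseudonym no longer identifies anyone.  Returns True
    if a row was actually erased (a second request for the same id is a no-op)."""
    now = now or datetime.now(timezone.utc)
    deleted = conn.execute("DELETE FROM subject_pi WHERE subject_id = ?",
                           (subject_id,)).rowcount
    if deleted:
        conn.execute("INSERT INTO erasure_log VALUES (?, ?, ?)",
                     (subject_id, reason, _ts(now)))
    conn.commit()
    return deleted == 1


def purge_expired(conn, now=None):
    """Storage limitation: erase every subject whose retention deadline has
    passed.  Meant to run on a schedule; returns the purged pseudonyms."""
    now = now or datetime.now(timezone.utc)
    expired = [row[0] for row in conn.execute(
        "SELECT subject_id FROM subject_pi WHERE retain_until <= ?", (_ts(now),))]
    for sid in expired:
        erase_subject(conn, sid, "retention expired", now)
    return expired


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)       # constructed clock
    db = open_store()
    alice = register_subject(db, "alice@example.com", "Alice Example", 30, t0)
    record_order(db, alice, 1999, t0)
    print(export_subject(db, alice))                       # full access export
    print("purged:", purge_expired(db, t0 + timedelta(days=365)))
    print("after purge:", export_subject(db, alice))      # None: PI is gone
```

Because every piece of personal data lives in `subject_pi`, both the scheduled purge and an individual erasure request are a single delete, and the `erasure_log` row gives the evidence an auditor will ask for; the order history survives but can no longer be linked back to a person.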

Reference:

  • GDPR Article 5 — Principles relating to processing of personal data

Special Cases

You should only transfer data outside of the EU to countries that offer an appropriate level of protection

We use only proven infrastructure providers, such as AWS, that have data centers across the globe. Any data transfer, such as cross-data-center replication, is secured and encrypted.


Alex Ulyanov, CTO

Alex is an AWS Certified Professional Solutions Architect and a seasoned cloud infrastructure leader. Working with the company’s top clients, including GE Digital, Zypmedia, Origami Logic, and ThinFilm, he has driven architectural innovation to unlock the performance and reliability of cloud environments for a wide range of applications. His extended team of practitioners helps large and small companies alike design, build, manage, and grow successful cloud implementations.

Bekitzur—Amazon Partner Network Consulting Partner
