The document outlines a 5-step plan to become compliant with the GDPR and CCPA data protection laws:
1. Complete a Data Protection Impact Assessment to discover all personal data across systems.
2. Develop a remediation plan to encrypt personal data in key applications and files.
3. Begin remediation and testing by connecting encryption APIs to applications.
4. Ensure new personal data added is encrypted.
5. Prepare modified applications for production use after verifying no issues.
The goal is to protect personal data while maintaining business operations.
How to become GDPR & CCPA Compliant

Follow these steps to become sufficiently compliant to avoid regulatory fines and the public embarrassment brought about by a successful data breach. Privacy by Design is what BigDataRevealed was built to deliver.

BigDataRevealed offers an application to assist in completing the following steps. It was developed using only the most advanced languages and platforms, such as Spark, Kafka, Java 8.0, Spring APIs, AngularJS, WildFly 10, Apache Hadoop 3.1 and other advanced open source technologies, for the sole purpose of Data Protection and Regulatory Requirements.
Our personal assessment is that most companies overestimate their GDPR Readiness and haven’t developed a viable plan or methodology to tackle the most important aspect of Data Compliance: protecting their customers’ Personal Information. In general, ‘protecting’ information has become synonymous with encrypting personal information. Hackers will always find a way to defeat your security systems and obtain your data. However, that data will have virtually no value to them, and cause no harm to you, if the personal information is securely encrypted.

The ability to inform a customer of the information you have collected about them, and the ability to remove that information upon request, is important and complex, but these two tasks are not the central tenet of GDPR. Protecting customers’ Personal Information is what GDPR is all about.

Following is a list of steps I feel will get you close enough to GDPR, CCPA and most any Data Regulatory compliance, so that regulators will be satisfied you did all that could be expected. In reality, becoming 100% compliant could not be reasonably expected of any larger company. We believe the following steps comprise a viable plan for compliance.
To better understand the process that allows customers to request the information you hold about them and to have that information removed, view our earlier post at https://www.linkedin.com/pulse/symantecs-state-european-privacy-reort-found-90-believe-meister/
STEP 1. Complete a Data Protection Impact Assessment (DPIA) in a Big Data Ecosystem.

A Big Data platform is preferred so that your operational systems are not degraded during the process, and to minimize the technical difficulties that the various data types present, which Big Data can easily handle.
Begin the DPIA by discovering the location of Personal Information in all your files. You will want to search for patterns that identify data such as National ID, Social Security number, Driver’s License, Email, IP Address, Phone Number and hundreds more. You will want a library containing all these patterns that can be easily extended to include any unique or industry-specific patterns you may need.

Centralize the following data sources into your Big Data Ecosystem: legacy system data, Office documents, PDFs, OCR documents, XML, structured and semi-structured information and many others. Images are supported by BigDataRevealed using facial and object recognition software, if applicable.

The DPIA process to discover Personal Information should include constructing a Metadata Catalogue that identifies the location of Personal Information found in every file processed, by Row and Column. This information will become invaluable when developing your Remediation Plan.
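A minimal illustration of the discovery step and the Metadata Catalogue it produces, added here as an example and not part of BigDataRevealed’s software: a small, extensible pattern library is run over a constructed CSV file and only the location of each hit (file, column, row, pattern) is recorded, never the matched value, so the catalogue does not become another copy of the personal data. The pattern names, regexes and sample file are assumptions for the example.

```python
import csv
import io
import re
from collections import Counter

# Extensible pattern library: name -> compiled regex. Constructed for this example;
# a real DPIA library holds hundreds of national and industry-specific patterns.
PATTERN_LIBRARY = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "US_SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def discover(file_name, text, library=PATTERN_LIBRARY):
    """Scan one CSV file and return Metadata Catalogue rows as
    (file, column, row, pattern). Only locations are recorded, never the
    matched values, so the catalogue itself holds no personal information."""
    catalogue = []
    reader = csv.DictReader(io.StringIO(text))
    for row_no, record in enumerate(reader, start=1):
        for column, value in record.items():
            for name, regex in library.items():
                if value and regex.search(value):
                    catalogue.append((file_name, column, row_no, name))
    return catalogue


def column_summary(catalogue):
    """Count hits per (file, column, pattern); the columns with the most hits
    are the ones to prioritise in the Remediation Plan."""
    return Counter((f, c, p) for f, c, _, p in catalogue)


# Constructed sample file for the example; not real customer data.
SAMPLE_CSV = """order_id,customer_note,contact,client_ip
1001,Call back on 312-555-0143,ann@example.com,10.0.0.7
1002,Gift wrap,bob.lee@example.org,192.168.1.20
1003,SSN on file 123-45-6789,n/a,10.0.0.9
"""

if __name__ == "__main__":
    cat = discover("orders.csv", SAMPLE_CSV)
    for entry in cat:
        print(entry)
    for key, hits in column_summary(cat).most_common():
        print(key, hits)
```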
STEP 2. Develop a Remediation PLAN.
- Using the Metadata developed in the DPIA (STEP 1), a team comprised of Product Managers, Developers, Business Analysts and others must review which business applications use the files where Personal Information was discovered. This process needs to be thorough and accurate, as it identifies which files/applications are most vulnerable to hackers.
- Pay the greatest attention to files used in applications that are central to your business practices or interact with your customers, such as Point of Sale, Cash Register, On-line Order Processing, Customer Service and Payment Processing. You may even discover files that have no purpose and can be eliminated.
- The plan must address the following questions:
  a. How will these applications continue to function once the data in the files has been encrypted?
  b. Is the best practice to use APIs to interface between the application and the data files containing the encrypted data? BigDataRevealed can provide such APIs.
  c. Where will the encryption/decryption keys be securely located so that the APIs can complete their function safely?
  d. How will newly received data be encrypted as it enters these files from non-application sources such as IoT, Social Media and other feeds?
Prioritize the files and applications that represent the greatest risk to your organization and begin the remediation process with them.
STEP 3. Begin Remediation and testing.
- Developers/analysts will identify the ‘exit points’ from the high priority applications that access data from a file containing personal information. These ‘exit points’ are where the encryption/decryption APIs must be connected to the application. This task will likely be the most labor intensive, as there are no application tools to assist in discovering ‘exit points’.
- In a test environment, complete the process of connecting the APIs to the application.
- Extract data from the files identified above and load them into BigDataRevealed.
- Run a Discovery Process for those extracted files to identify all Personal Information contained in them (a fully automated process).
- Request Encryption of any or all of the columns containing Personal Information (fully automated).
- Upload the newly encrypted files into a test environment.
- Begin Testing.
You have now protected the personal information in your most valuable or vulnerable application, and are ready to celebrate.

STEP 4. Adding/Updating data in an encrypted file.
In STEP 2, you identified where and how a file might receive new data, whether by adding a new transaction or through a data feed. By connecting the same APIs to the exit points in the application where new transactions are generated, or by using BigDataRevealed’s ability to process streaming data ‘on the fly’, you can achieve ongoing compliance.

STEP 5. Prepare for Production.
Before implementing the newly modified application tested in STEP 3 and STEP 4, you should verify that no other applications use data from the files that will become encrypted.
You are now ready to use BigDataRevealed to encrypt production data and install the modified application and APIs in your production environment.
Other Compliance Considerations

BigDataRevealed’s Dashboards present to your operational staff the customers that have requested their ‘Right of Information’ or their ‘Right of Erasure’, and for CCPA their ‘Right of Deletion’. Operational staff can process each request separately, or group them together for efficiency.

BigDataRevealed’s extensive Metadata Catalogue allows your operational staff to request extraction of information for presentation to a customer, and then to remove that data if necessary. BigDataRevealed groups the data according to each customer, thereby making it easy to present information to every customer, even if that single customer was processed in a group of many other customers.

BigDataRevealed’s Metadata stores the file, column names, row location and other information, which can be used in other metadata systems by ETL Developers, DBAs and others to facilitate the deletion of the Citizen’s data with the many legacy tools available.

BigDataRevealed’s comprehensive metadata Search Portal allows the user to search for the Metadata necessary to fulfill GDPR, CCPA and many other Regulatory Requirements. It can search the Metadata Library and export data to an Excel spreadsheet using the following criteria:
- Date Ranges, Specific Personal Data Patterns and Specific Customers.
- Specific Types of Run, such as Pattern / Data Discovery or Business Classification.
Compliance is an ongoing process, as data is constantly changing or being inserted. So you must ask: how does one stay compliant?
  a. You must confirm that a person’s prior right of erasure is being honored, and that their personal information has not once again entered your company’s Data Assets. A list of Citizens that have exercised their right of Erasure must be maintained and used in all processes adding or updating Personal Information.
  b. Data can sneak its way into your Data Assets from varying sources:
    i. IoT, website orders, cookies, third-party purchases of data, restores from within the company or from Data Recovery Facilities, internal employees, even hackers. There are limitless ways information is ingested into a company’s data assets.
    ii. To reasonably remain compliant with an Erasure request or Deletion request you must continually look for and discover exposed personal information for these individuals.
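One way to maintain the erasure register described in (a) and apply it to every ingestion path listed in (b), added here as an example and not BigDataRevealed’s code. It assumes the email address is the matching identifier and stores only keyed hashes of erased identifiers, so honoring erasure does not itself keep the erased person’s data in clear; the register key, the incoming records and their source names are constructed.

```python
import hashlib
import hmac


def normalise(identifier):
    """Canonicalise an identifier so case or whitespace differences in a feed
    do not let an erased subject slip back in."""
    return identifier.strip().lower()


def fingerprint(identifier, key):
    """Keyed hash of a normalised identifier. The register holds only these
    fingerprints, never the identifier itself."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


class ErasureRegister:
    """List of subjects who exercised their right of erasure/deletion."""

    def __init__(self, key):
        self.key = key
        self.fingerprints = set()

    def record_erasure(self, identifier):
        self.fingerprints.add(fingerprint(identifier, self.key))

    def is_erased(self, identifier):
        return fingerprint(identifier, self.key) in self.fingerprints


def ingest(records, register, id_field="email"):
    """Split an incoming batch into records that may be stored and records that
    belong to an erased subject; the latter go to review, not into Data Assets."""
    accepted, blocked = [], []
    for rec in records:
        (blocked if register.is_erased(rec.get(id_field, "")) else accepted).append(rec)
    return accepted, blocked


# Constructed sample data for the example; the key is a placeholder, not a real secret.
REGISTER_KEY = b"example-register-key-rotate-in-production"
INCOMING = [
    {"email": "ann@example.com", "source": "web_order"},
    {"email": "Erased.Person@Example.com ", "source": "iot_feed"},
    {"email": "third@example.net", "source": "partner_list"},
]


def demo():
    reg = ErasureRegister(REGISTER_KEY)
    reg.record_erasure("erased.person@example.com")
    return ingest(INCOMING, reg)
```

The same `is_erased` check belongs in front of every path in (b)(i), including restores, since a restore is just another ingestion.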
BigDataRevealed’s Comprehensive Metadata Catalogs are invaluable in becoming nearly Compliant for GDPR, CCPA or others.

After reading this document, or discussing your company’s overall data environment with us, you will understand that becoming 100% compliant might not be attainable for any company. There is no obvious threshold to reach in order to believe you are compliant, and the nature of your business may make it far more difficult for you to reach than for another company. However, regulators will be expecting you to articulate your plans and accomplishments while explaining the obstacles that are unique to you. Some of these obstacles are:
1. Operational/Production systems from vendors that are out of business, where NO exit points exist to attach Spring APIs to perform encryption and decryption functions.
2. An Operational/Production system from a vendor that can’t provide assistance to identify exit points.
3. Legacy systems that are old or poorly constructed, making identification of exit points extremely difficult.
4. Many other technical issues that may take time to correct before proper encryption/decryption processes can accurately and safely take place without stifling your business.

During this period of becoming compliant, a company may wish to run several extensive DPIAs to prove to Regulatory Agencies and Courts that it has done what is possible and has made progress. The company should prepare a timeline showing ongoing increases in the percentage of Citizens’ Personal Data being protected.

BigDataRevealed believes we have the most comprehensive technology able to deliver Compliance by Design and allow companies to reach their maximum potential in Data Protection and Regulatory Compliance, and to do so with the most automation and at an affordable price point.
Here is the CCPA / GDPR 3 Day Training PowerPoint - https://www.slideshare.net/StevenMeister/ccpa-and-gdpr-three-day-training-with-actual-deliverables-and-the-whys-and-hows-to-do-so
847-440-4439 https://www.youtube.com/channel/UC3F-qrvOIOwDj4ZKBMmoTWA?view_as=subscriber
GDPR 16 page PPT Plan - https://www.slideshare.net/StevenMeister/gdpr-ccpa-automated-compliance-spark-java-application-features-and-functions-of-big-datarevealed-april-version-35
https://youtu.be/JGoQwoicUxw
Comprehensive Metadata Catalog Video for GDPR / CCPA - https://youtu.be/xryESgfzRcc