The stakes are high: Organizations failing to comply with the European Union’s (EU) strict General Data Protection Regulation (GDPR) face fines up to 4 percent of their annual revenues or €20 million ($25 million), whichever is greater.
But while the consequences of ignoring the mandate when it takes effect at the end of May are clear, how DevOps teams will lay the groundwork to comply is less cut and dried.
At the same time, DevOps can allow organizations to meet the regulation in an agile and relatively quick way by integrating the working efforts of an organization’s stakeholders, IT operations, QA, InfoSec and development teams.
“GDPR is the new boogeyman in tech, kind of like Y2K was years ago,” said John L. Myers, an analyst for Enterprise Management Associates (EMA). “Ideally, all of this will be handled with automation and DevOps.”
The Right to Disappear
An especially strict GDPR provision is any individual user’s right to both opt out of having their data collected by a private enterprise as well as their right to be forgotten. The so-called “Right to Erasure” Provision gives EU-based individuals the right to demand the removal of access to their personal data on an organization’s servers, either on-premises or the cloud. An individual’s right to have personal data “forgotten” also applies to personal information an organization may communicate to third parties.
“The challenge lies with tracing personally identifiable information spread across multiple platforms, including third parties and CRM, ERP, payments, ordering, etc.,” Myers said. “Most organizations don’t have that level of visibility and transparency.”
The challenge is thus understanding where all the instances of a person are within a data landscape, he said. If an individual in the EU decides to be forgotten and to opt out, an organization must know all the places where that person is identified within data management platforms and files, such as spreadsheets. For organizations that have a relatively small number of places where they store data, the process is easier, of course.
However, there is one important footnote in the right-to-be-forgotten provision: Organizations do not have to actually delete personal data and records if individuals choose to be forgotten, Myers said. Rather, DevOps can encrypt their information, allowing organizations to keep transactions, customer counts, inventory, etc., but without identifying the individuals. DevOps also can be used to rapidly deploy code and processes to validate requests to be forgotten and to “unforget” individuals who later opt in.
“With encryption, DevOps keeps one key for the company and sends or stores the other key for the EU individual in case they change their mind,” Myers said.
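One way to implement the encrypt-rather-than-delete approach described above, as an added example that is not from the article: each data subject gets their own key in a company-side vault, "forgetting" someone removes the company's copy of that key (handing it to the individual so they can opt back in later), and non-identifying fields such as order amounts stay usable for reporting. Assumptions: the HMAC-SHA256 keystream is an illustrative stand-in for a real authenticated cipher such as AES-GCM, and the vault, record fields and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative CTR-style keystream built from HMAC-SHA256 as a PRF;
    # production code would use an authenticated cipher such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_field(key: bytes, plaintext: str) -> bytes:
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_field(key: bytes, blob: bytes) -> str:
    nonce, data = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))).decode()

class SubjectKeyVault:
    """Company-side store holding one random key per data subject (hypothetical)."""
    def __init__(self) -> None:
        self._keys = {}
    def key_for(self, subject_id: str) -> bytes:
        return self._keys.setdefault(subject_id, secrets.token_bytes(32))
    def lookup(self, subject_id: str):
        return self._keys.get(subject_id)
    def forget(self, subject_id: str) -> bytes:
        # Erasure request: drop the company's copy; the returned key goes to the individual.
        return self._keys.pop(subject_id)
    def unforget(self, subject_id: str, key: bytes) -> None:
        # The individual opts back in by supplying the key they were given.
        self._keys[subject_id] = key

def store_order(vault: SubjectKeyVault, subject_id: str, email: str, amount: int) -> dict:
    # Only the identifying field is encrypted; the amount stays in the clear for reporting.
    return {"subject": subject_id, "email": encrypt_field(vault.key_for(subject_id), email), "amount": amount}

def read_email(vault: SubjectKeyVault, order: dict):
    key = vault.lookup(order["subject"])
    return decrypt_field(key, order["email"]) if key else None

def total_revenue(orders: list) -> int:
    # Aggregate reporting keeps working after subjects have been forgotten.
    return sum(o["amount"] for o in orders)
```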
However, using DevOps to automate compliance might be delayed in some cases, as organizations may first have to improve their data inventory management practices to better visualize the often-various places where individuals’ data is stored, Myers said.
“Without an inventory of all the ‘wheres’ of customer, partner or supplier data that might be listed in the various data platforms, it will be difficult to automate out of the gate in May or even June,” Myers said. “As organizations get a better understanding of the inventory of their data landscape, they can add DevOps automation to the process. But at the earlier stages, it might be a manual process that is monitored, managed and standardized so that DevOps can take over and make it a reality.”
Some Good with the Bad
Discussions about GDPR tend to focus on the associated pain and potential costs organizations face to meet the mandate. But with every change comes opportunity. With respect to the GDPR clause giving individuals the right to be forgotten, for example, DevOps will have the freedom to deploy code and processes that improve their organization’s visibility into where individuals’ data is stored, both in-house and with the third parties that access it.
“Having this inventory or visibility into all the components of a data landscape is a key for digital transformation,” Myers said. “Companies can use it as a good reason or excuse to move toward a more standardized and transparent environment that will accelerate those initiatives.”
Some DevOps team members may also take pride in knowing that achieving GDPR compliance could arguably be a step in the right direction toward improving data protection for the common good of society.
“There is the issue with actually securing the data that is collected to keep others from obtaining and exploiting it. Since identity theft is a raging problem, protecting personal information is paramount,” said David Monahan, an EMA analyst. “If we had usable federal legislation in the U.S. like GDPR, we would have had a much likelier outcome of Equifax being severely fined or even closed down for its poor data-protection practices. Credit bureaus are predatory when it comes to data, and since individuals have no right to refuse collection, all of that information is bought and sold without our consent.”