Data protection is not a new issue. There have been numerous high-profile data hacks in recent years, with sensitive customer information released into the public domain, causing widespread condemnation and fury. Trust is a big issue. When Equifax revealed hackers had stolen the personal information of 145 million people, there was an uproar. The problem is that we are increasingly moving our lives online. Criminals have been quick to realize that data equals serious money. For this reason, DevOps startups need to pay close attention to the new GDPR data privacy regulation changes that are set to come into effect May 25.
What is GDPR?
The General Data Protection Regulation (GDPR) is an EU Data Protection Directive. It has been carefully designed to shape the way businesses deal with data privacy and has been described as “the biggest change to data protection law for a generation.”
The new directive will apply to all startups and businesses operating in the EU, and any company that holds data related to EU citizens. So, if your CFD trading startup is based in the United States, but you retain data on customers who reside in France or Germany, you are bound by the GDPR.
Data compliance is a huge issue. Cyberthreats are common and criminals are happy to take advantage of businesses that have left a backdoor wide open. Secure data management is not something DevOps startups can ignore. Any data stored in the cloud or on a server must always be protected.
Many tech startups hold significant amounts of information. This helps them deliver a software solution more effectively. However, even if your company holds no customer data, if any of your development team are EU citizens you still must adhere to the regulations. And with many DevOps startups recruiting remote employees from far and wide, this is not as unlikely as it may first appear. So, if Carlos from Barcelona is a key player on your development team, GDPR will apply to your startup.
Company and Customers
GDPR is split between company data and customer data. For a small startup, it may be a case that employee data is more of an issue, but if you hold customer data, it is time to look at how you manage this data. A good way to do this is through an internal audit.
Create a data flow diagram (DFD) that maps all the data that enters your systems, is processed and stored there, and exits them. With a good overview, you should be able to spot any data that isn’t required or needs modifying, so you can remove or adapt those funnels rather than spending time meeting compliance measures for data you don’t use.
Planning and Preparation
GDPR is a big step up from the Data Protection Act, so you can’t sit around and wait for May 25 to come and go. It’s vital that you examine the GDPR in detail to see how and if it applies to your organization. If it does, you will need to make organizational changes to the way you deal with data.
Create a compliance checklist to be adequately prepared, based on the requirements from the National Institute of Standards and Technology (NIST) and Cloud Security Alliance (CSA), combined with any state or regional regulation.
Hire a Governance Trainer
Legal language used in compliance can be difficult for those from an engineering and IT background to comprehend. Hiring an external compliance by design practitioner or trainer will help in this respect. Ensure they have a good technical as well as legal knowledge so that they understand both sides and are able to accurately review processes, make suggestions and make sure that GDPR compliance is met.
Task this person with downloading the Control Objectives for Information and Related Technologies and CSA requirements. They can then work with program management to put such company directives into play, alongside working with your checklist. This checklist can be used to create an open source tool for scrubbing applications and determining whether they should be onboarded or pushed back, depending on whether they meet the compliance policies.
Notifying Employees/Customers of a Breach
If customer or employee data is breached, accidentally or otherwise, you have 72 hours to notify them. Sticking your head in the sand and hoping it all “goes away” will not cut it. There are two tiers of fines for non-compliance: up to 10 million Euros or 2 percent of turnover, or up to 20 million Euros or 4 percent of annual turnover.
To ensure this risk is minimized, hold everyone accountable and put consequences in place. Decide on what these will be and how they will be enforced to best implement GDPR compliance in your startup, as such hefty fines can be especially damaging for small businesses.
You must let individuals know if their data is collected. Consent is a major issue in the GDPR and ambiguous tick-boxes are not acceptable. Privacy notices must be crystal clear and written in Plain English. Clients must have the option to opt-in or opt-out if you collect data from them.
The Right to Data Erasure
All individuals have the right to request that their data be permanently deleted. So, if Carlos from Barcelona decides to jump ship to another DevOps startup, he can legitimately request that you delete his HR file. He can also ask you to send his file to his new employers.
Data Protection Officer
Companies that process large amounts of data or are involved in the monitoring of individuals—this is applicable if you track online behavioural patterns for marketing purposes—must appoint a data protection officer. This person can be anyone, but they must have knowledge of data protection practices and the law related to data protection.
Not everything has to cost in meeting GDPR data compliance, though; there are many free resources your startup can use as well.
One concern is the impact on speed that GDPR will bring. Eighty-one percent of IT operations professionals believe information security policies slow them down. Avoid this in your startup by doing DevOps yourself, as it will make software deployment faster. However, insecure system changes could then be shipped through. Automation can offer a solution.
Treating compliance through continuous automation means your DevOps startup will put code-based controls through the normal development process: test, version, apply and modify. This makes such controls easy to collaborate on and running compliance scans will become a common feature in the development stage, testing environments and production systems.
The average idle time before identifying a system breach is believed to be 200 days. With continuous automation, such an issue could be detected on the engineering team’s development workstation before it reaches production, ensuring it is dealt with early enough to keep systems safe and maintain GDPR compliance.
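As an added example of what a "code-based control" run during development can look like (this is illustrative code written for this page, not a tool from the article or any project it names), the script below takes the kind of data-flow inventory you would build from the DFD described earlier and evaluates it against a small policy: every flow that carries personal data must name a lawful basis, have a bounded retention period and be encrypted at rest, and any flow nobody consumes is flagged for removal. The inventory format, the field names, the retention ceiling and the sample flows are all assumptions constructed for the example; a real inventory would be generated from your own systems.

```python
"""Policy-as-code check over a data-flow inventory (example code, assumptions marked)."""
import sys
from dataclasses import dataclass, field

# Lawful bases recognised by the policy (names are an assumption for this example).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# Retention ceiling chosen for the example; set it from your own retention policy.
MAX_RETENTION_DAYS = 3 * 365


@dataclass
class DataFlow:
    """One entry from the DFD-derived inventory (schema is a constructed assumption)."""
    name: str
    fields: list
    personal: bool                       # does the flow carry personal data?
    lawful_basis: str = ""               # one of LAWFUL_BASES when personal
    retention_days: int = 0              # 0 means no retention period defined
    encrypted_at_rest: bool = False
    used_by: list = field(default_factory=list)  # systems that consume the flow


def evaluate(flows):
    """Return a list of (flow_name, code, message) findings; empty means compliant."""
    findings = []
    for flow in flows:
        # Data with no consumer is the "not required" data the DFD is meant to expose.
        if not flow.used_by:
            findings.append((flow.name, "unused",
                             "no system consumes this flow; remove it or the stored copy"))
        if not flow.personal:
            continue
        if flow.lawful_basis not in LAWFUL_BASES:
            findings.append((flow.name, "no_lawful_basis",
                             "personal data without a documented lawful basis"))
        if flow.retention_days <= 0 or flow.retention_days > MAX_RETENTION_DAYS:
            findings.append((flow.name, "retention",
                             f"retention must be 1..{MAX_RETENTION_DAYS} days, "
                             f"got {flow.retention_days}"))
        if not flow.encrypted_at_rest:
            findings.append((flow.name, "encryption",
                             "personal data stored without encryption at rest"))
    return findings


def is_compliant(flows):
    """True when the policy scan produces no findings."""
    return not evaluate(flows)


# Constructed sample inventory; the flows and values are invented for the example.
INVENTORY = [
    DataFlow("signup_form", ["email", "name"], personal=True, lawful_basis="consent",
             retention_days=730, encrypted_at_rest=True, used_by=["billing"]),
    DataFlow("hr_records", ["name", "bank_account"], personal=True,
             lawful_basis="contract", retention_days=0, encrypted_at_rest=True,
             used_by=["payroll"]),
    DataFlow("marketing_clickstream", ["ip", "page_views"], personal=True,
             lawful_basis="", retention_days=0, encrypted_at_rest=False, used_by=[]),
    DataFlow("build_metrics", ["duration_ms"], personal=False, used_by=["ci"]),
]


def main():
    """Print findings and exit non-zero so a CI step fails on policy violations."""
    findings = evaluate(INVENTORY)
    for name, code, message in findings:
        print(f"{name}: [{code}] {message}")
    print("compliant" if not findings else f"{len(findings)} finding(s)")
    sys.exit(0 if not findings else 1)


if __name__ == "__main__":
    main()
```

Run as a step in the pipeline, the non-zero exit is what turns the scan into a gate: a change that adds an undocumented personal-data flow fails on the developer's workstation rather than in production, which is the point the paragraph above makes about catching issues early.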
What Not to Do
The thing you absolutely shouldn’t do is ignore GDPR on the basis that it doesn’t apply to you, “because who’s going to know if Carlos from Barcelona works for my startup and so what if one of my computers is struck with ransomware and everyone’s bank details are leaked onto the Dark Web?”
The GDPR will affect millions of businesses, so all startups need to be aware of how it will affect their operations. If you don’t comply with the directive, it could prove to be a costly mistake. Ignorance is never a legitimate defense in the eyes of the law, so check out the EU GDPR website and get informed. If GDPR doesn’t affect you, great; but if it does, think like a Boy Scout and Be Prepared.