GDPR, the General Data Protection Regulation, is the most comprehensive data privacy standard to date; it went into effect on May 25, 2018.
Note: This overview is not meant to be comprehensive or serve as legal advice. We highly recommend speaking to an auditor or lawyer to dig into the details of the full regulation as there are major components of GDPR that are left to auditor and supervisory authority interpretation.
Below, we summarize the main articles and standards of GDPR.
What data is covered under GDPR?
GDPR governs security requirements for the use and storage of Personal Data of EU citizens and the rights of EU citizens over their data, as well as potentially all Personal Data processed and stored within the EU. Personal Data includes any data that can be used, alone or combined with other information, to identify a natural person. The regulation is extraterritorial, i.e. it applies to EU Personal Data regardless of where that data is located.
GDPR by roles
- Data subject: EU citizen or individual whose data is being processed within an EU member state
- Processor: individual or organization that processes GDPR-covered data
- Controller: individual or organization that governs whether a processor has access to GDPR-covered data and how that data is protected
- Data Protection Officer (DPO): executive in charge of protecting GDPR-relevant data
- Supervisory Authority: national regulatory body within an EU member state in charge of overseeing compliance with GDPR
GDPR by the articles
There are 99 articles in GDPR, and they fall into three key categories:
- Individual rights:
  - Rights for data subjects to dictate how their data is used, retained, and stored
- Basis of processing:
  - Legal grounds for accessing data, including consent and necessity
  - Obligations of processors and controllers
- Governance, accountability, and security:
  - How is personal data managed and stored?
  - How is personal data protected?
  - What happens during a data breach?
GDPR by individual rights
- Right to information and access: know where and how your data is being used before giving consent
- Right to erasure: demand that your data be destroyed
- Right to object and restrict processing: object to your data being used at any time, and restrict how that data is being processed
- Right to portability: demand access to your stored data
- Right to rectification: change the data stored about you
- Right to lodge a complaint: petition the supervisory authority
GDPR by penalties (Article 83)
- Non-negligent violations: the greater of 10M Euros or 2% of global annual revenue
- Negligent violations: the greater of 20M Euros or 4% of global annual revenue
Negligence is determined by a number of factors, including bona fide security effort, alignment with GDPR, audit of security controls, etc.
Note: Supervisory Authorities can also impose supplemental fees.
What we do to comply
HashiCorp is committed to GDPR compliance across our product suite. We've updated our privacy policies and terms of service for each of our products, and we're hard at work to put stronger security and privacy controls in place to protect your data and support your rights.
We're also committed to helping our customers accelerate their GDPR roadmap to compliance. We've been releasing features and constructing a roadmap for Vault that specifically help your organization comply with GDPR, including:
- Vault Unified Identity and ACL policies
- Control Groups
- Mount Filters
Vault itself was developed to manage, store, and protect sensitive information in a way that reduces secret sprawl while still enabling global organizations to operate at very large scale. In the context of GDPR, we've built features into Vault that further this use case, because GDPR requires all of us to be more aware of where our data physically resides or moves at any given time and obliges us to make our best effort to protect the data sovereignty of our sensitive information.
For more information, refer to the webinar "Preparing for GDPR Compliance with HashiCorp Vault".
What you can do
If you are a HashiCorp customer, there are already items you can add to your roadmap to GDPR compliance. Below are some tips:
1. Familiarize yourself with key GDPR articles and standards
Leverage your legal, security, and audit teams to understand how these new articles differ from your existing data protection plans.
2. Create a central database or inventory of personal data that you hold
Should you be audited, you will want a trail of customer events, personal information, and communications kept in one central location. You also need to be able to give customers the ability to consent, opt out, or request that their data be deleted. For that, you may need a consent management tool such as OneTrust.
3. Assess any process or tooling gaps, and identify tools that can help you accelerate compliance
Audit your current tool stack, including HashiCorp products, to assess how features in your existing toolset can help you comply. For any gaps, research, evaluate, and procure new tools so you are ready for the May 25th deadline.
4. Consider leveraging existing HashiCorp products such as Vault to help in your compliance journey
5. Review and accept any updated terms and policy notices you receive
There is already a myriad of email communications going out regarding updates to terms and privacy policies. Review these changes regularly with your legal team.
6. Consult with a lawyer or auditor to dig into specific regulations that apply to you
GDPR is a comprehensive and complex set of requirements. In addition to the explicit provisions of the articles within GDPR, the oversight of the supervisory authorities in EU member states means that additional implicit requirements and/or financial implications may arise depending on the region within the European Union in which Personal Data is processed. It is critical that you consult with legal counsel and your auditors to ensure that you are aligned and prepared for GDPR taking effect in 2018. You can read the full regulation here.
We've compiled a list of resources that also pertain to GDPR in the security or cloud space:
- InfoQ article on GDPR for operations. An objective article written with the operations persona in mind, including strategies such as identity and access controls, logging and auditing, backups, and other good hygiene.
- Thales Security explains GDPR and related solutions. Includes a breakdown of currently active mandates and regulations, additional GDPR resources, and a readiness assessment that you can take.
- Microsoft breaks down key changes under GDPR. Includes a GDPR compliance best practices e-book, FAQs, an assessment, and how Microsoft Cloud can fit in your GDPR tool stack.
- Google Cloud reinforces their commitment to GDPR compliance. Explains Google's dedication to different mandates, more on what you can do as a customer, and a general FAQ.
- Amazon AWS explains their commitment and what you can do. A text-heavy, article-format blog post that explains what AWS has been doing to comply, including its DPA and the CISPE Code of Conduct, and what you can do.
- RSA whitepaper sponsored by Dell. A 3-page PDF that goes into detail on GDPR aims, penalties, and data security measures. Half of the PDF is devoted to how Dell's suite of solutions can help.