The General Data Protection Regulation (GDPR) comes into effect on 25th May 2018. By this date, organisations holding personal data for their EU customers and employees must be able to demonstrate compliance with the new regulations.
The aim of GDPR is to enable data subjects (the individuals whose data is held) to have more control over their personal data and to ensure that organisations protect the data and use it only for the purposes for which it was obtained. Failure to comply can result in fines of as much as 4 per cent of a firm’s annual turnover, as well as reputational damage and the potential loss of business.
The impact of GDPR is not restricted to live production environments. Non-production environments, such as development, quality, testing and pre-production, which enable the IT delivery teams to design and constantly upgrade the applications that form the backbone of the bank’s operations, must also be compliant with GDPR. Production or production-like data flow into these non-production instances continuously, thereby increasing the exposure of the personal data.
The Challenges
- A large number of financial transactions are carried out in traditional form, meaning that there is a paper trail for all customer records, cheques and deposits
- Cross-contamination of personal data used in many different systems
- Many employees within different sections of the organisation all have access to the personal data
- Prior agreements and partnerships with vendors allowing the sharing of data are no longer compliant with the GDPR legislation
The Brickendon Solution
- Identify what data flows into non-production environments and categorise it into sensitive and non-sensitive buckets based on GDPR impact
- Implement data-masking solutions for sensitive data
- Identify existing data access and permission control processes and create a plan to restrict access based on location of access and other parameters
- Review the test data used by testing and quality teams and help design solutions for synthetic test-data generation to support testing
- Assess the impact of psuedonymisation of sensitive data on the performance of online applications and help create a non-functional test strategy, benchmarking application performance and proposing recommendations for improvements
- Propose safe and compliant ways to archive data and refresh it in non-production environments
- Facilitate beta testing in User Acceptance Test (UAT) instances by engaging subject-matter experts
- Conduct real-life stress testing on clients to assess GDPR compliance
Client Benefits
- Full awareness of how compliant your organisation is and an understanding of the changes required to become compliant
- Clear demarcation of data flows between production and non-production environments
- Fewer data breaches arising from unauthorised access to sensitive data
- Appropriately prepared and well equipped to face data-specific audits
- Transparent and proven processes thanks to real-life stress testing. This gives clients a clear insight into any potential data breaches, access violations, or jurisdiction issues (cross-border data flows) that may arise at any stage of the end-to-end activities involving customers
- Regulatory compliance – failure to comply can result in fines of as much as 4 per cent of global turnover, or €20 million, whichever is greater, as well as significant reputational damage and the potential loss of business
- Potential to leverage artefacts to quickly identify and resolve any breaches that may occur in the future
- Full documentation of all in-scope areas and applications to provide a clear demonstration of compliance to regulators
