DevOps GDPR Compliance: The “Spark Notes” edition

The upcoming enforcement of the European General Data Protection Regulation (GDPR) means that more likely than not your organization probably needs to make some changes to how it handles personal data, and how your team handles breaches and incident response.  We’re a company of developers, and know how it feels to have to sift through 100s of pages of legal jargon to figure out the changes you really need to make to achieve DevOps GDPR compliance for your organization.

In this article we’re going to focus on what’s important and cover an overview of the regulation, the key terminology you’ll see, what’s important to your team, and other resources you can use to learn more. In future posts we’ll be going through Sysdig Secure and how you can use it detect intrusions, block attacks, and run deep forensics in GDPR specific scenarios.

GDPR explained for DevOps Engineers

The European General Data Protection Regulation (GDPR) is a regulation that’s meant to unify and strengthen data protection for all members of the EU. Or via eugdpr.org: “it’s the most important change in data privacy regulation in 20 years”.

Timeline

• January 25th, 2012 – initial proposal for updated data protection regulations.
• December 15th, 2015 – the parliament and council come to agreement on the Act.
• April 27th, 2016 regulation entered into force 20 days after it’s published in the EU Official Journal.
• May 25th, 2018 – Following a 2 year grace period the GDPR becomes full enforceable.

Who does this effect?

GDPR requirements apply to any organization doing business in the EU or that processes personal data originating in the EU, be it the data of residents or visitors. (Yes, that includes companies headquartered outside the EU that collect data originating in the EU from EU citizens).

GDPR Key Terms

Data Processor – This is a “person, public authority agency or any other body which processes personal data on behalf of the controller.”

Example: A billing company processing customer payments on behalf of the Cellular Service company is the Processor.

Data Controller – This is a “person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

Example: A Cellular Service Provider collecting personal information from its customers is the Controller.

Regulation vs Directive – A regulation is a legal act of the European Union that becomes immediately enforceable as law in all member states simultaneously. Regulations can be distinguished from directives which, at least in principle, need to be transposed into national law.

GDPR DevOps FAQ

What is personal data? – Anything than be used to directly or indirectly identify a person:

• Names
• Emails
• Bank details
• Medical information
• IP addresses

Do I need a Data Protection Officer (DPO)?

Yes, if you:

• Are a public authority
• Engage in large scale systematic monitoring
• Do large amounts of data processing of sensitive personal data

What are the penalties for not complying with GDPR regulations?

• If it is determined that non-compliance was related to technical implications such as impact assessments or breach notifications, then the fine may be up to an amount that is the greater of €10 million or 2% of global annual revenue from the prior year.
• If your organization is found in non-compliance with key provisions of the GDPR, authorities can enforce a fine in an amount that is up to the greater of €20 million or 4% of global annual revenue in the prior year.

What you need to know about handling breaches?

• A data controller must notify authorities within 72 hours of when they discover the breach.
• The controller must know the number of people affected by the breach, and the contents of the data that was accessed.
• The controller needs to understand and communicate the implications that this breach may have on its data subjects.
• The controller needs to describe measures implemented or planned to mitigate the spread of the breach as well measures to prevent this in the future.

Resources for GDPR Compliance Initiatives

• gdpr-info.eu – A comprehensive website that converts the official PDF of the GDPR into an easy to parse website.
• GDPR compliance checklist.
• List of free GDPR resources.

How Sysdig Secure helps with your GDPR compliance initiatives

We’ll be covering GDPR specific use cases in following posts, but there are two main areas that Sysdig Secure will address out of the box to make sure you’re confident on May 25th, 2018.

• Breach Prevention – Sysdig Secure has flexible policies that allow you to define what directories hold sensitive data, and detect users and programs reading from those directories.
• Breach Response & Forensics – Sysdig Secure has full stack forensics capabilities that will track every single user command, and capture all activity pre and post any policy violation. What does this mean? If a breach occurs, we’ll know every connection opened or file accessed, and even be able to tell you the contents that were read, written, or passed of the wire.
• Continer and Kubernetes compliance.

Contact us here if you’d like to learn more about how we can help with your GDPR compliance initiatives.