The timeline for compliance with the European Union’s General Data Protection Regulation (GDPR) is fast approaching. From May 25th 2018, any organization failing to satisfy the new regulation faces fines of up to 4% of global revenues, or €20m – whichever is greater – as well as the potential suspension of any further data processing activities. Irrespective of whether you have a physical presence in the EU or not, if you are handling EU citizen data in any way, you are subject to the GDPR.
That said, the regulation shouldn’t be viewed as some new burdensome red-tape imposed by faceless bureaucrats. Rather, for more progressive organizations, it presents an opportunity to transform how they engage with their customers in the digital economy.
In this 4-part blog series, we’re going to dive deeper into the regulation, and what it means to you:
- In today’s part 1, we’ll provide a primer into the GDPR – covering its rationale, and key measures
- In part 2, we’ll explore what the GDPR means for your data platform
- In part 3, we’ll discuss how MongoDB’s products and services can support you in your path to compliance
- Finally, in part 4, we’ll examine how the GDPR can help in customer experience, and provide a couple of case studies.
GDPR Rationale
Cyber-crime is forecast to cost the global economy $6 trillion by 2021, up from $3 trillion in 2016. Described by some as the “greatest threat to every company in the world”, public concern for the safety of data is growing – not just in how criminals might use stolen data to commit fraud, but also in how personal data is used by the organizations we engage with. Many people are asking whether data provided in exchange for goods, services, and employment could be used to:
- Damage our reputations?
- Deny us access to the healthcare or financial services we might need?
- Discriminate against us based on our political views, religion, associations, or ethnicity?
- Reduce our autonomy, freedom, and individuality?
The European Union (EU) General Data Protection Regulation (GDPR) 2016/679 is designed to confront these concerns. The protection and privacy of individuals – “data subjects” in GDPR terminology – is not just a legal obligation placed on organizations collecting and processing our data; the regulation also entrenches data privacy as a fundamental human right of all EU citizens. The GDPR was introduced May 24, 2016, and will be enforced from May 25, 2018.
A range of requirements and controls are defined by the GDPR to govern how organizations collect, store, process, retain, and share the personal data of EU citizens. However, Gartner predicts that more than 50% of companies affected by the GDPR will not be in full compliance with its requirements by the end of 2018 – nine months after the regulation comes into force.
The existing EU data protection legislation (Data Protection Directive 95/46/EC) was introduced back in 1995, but was increasingly regarded as insufficient, both for today’s privacy demands, and those envisaged in the future:
- Implementation varied across each member state, creating complexity, uncertainty, and cost. Inconsistencies affected both user trust in an emerging digital economy and EU competitiveness in the global market.
- Technology enhancements over the past 20+ years now allow both private enterprises and public authorities to collect and make use of personal data on an unprecedented scale in order to pursue their activities. The emergence of social networking, cloud computing, eCommerce, web services, mobile devices and apps, Internet of Things, machine learning, and many more render the existing regulation inadequate.
The reform introduced by the GDPR is designed to provide EU citizens with more control over their own personal data. In this context, the scope of personal data has been expanded – it includes anything that can uniquely identify an individual, such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual.
Key Measures of the GDPR
In EU research, nine out of ten Europeans have expressed concern about mobile apps collecting personal data without their consent, and seven out of ten worried about the potential use that companies may make of the data they disclose. The GDPR attempts to address these concerns through a range of new measures:
- Individuals must provide explicit consent to data collection – “consent by default” is no longer valid. The organization seeking consent must also provide clear information on how that data will be used, for how long it will be retained, and how it will be shared with third parties. Individuals can retract consent at any time, without prejudice. Additional permissions must be requested from the individual if the data is to be used for processing purposes beyond the original consent.
- A “right to be forgotten”, also known as the “right to erasure”, requires deletion of data when its owner asks for it to no longer be retained and there is no legitimate reason for the organization to refuse the request.
- Organizations must provide easier access to an individual’s data, enabling them to review what data is stored about them and how it is processed, who it is shared with, along with the ability to migrate that data between service providers without restriction.
- Individuals have a right to review how automated decisions computed against their personal data have been made, for example, by machine learning algorithms declining transactions based on risk scores.
- When personal data has been breached, the organization must disclose the breach within 72 hours to the member state’s “supervisory body” (the independent public authority overseeing GDPR implementation in that member state), enabling affected individuals to be informed and take appropriate remedial action.
- Data protection has to be by design and by default, requiring data protection controls to be built into products and services from the earliest stage of development, and the adoption of privacy-friendly default settings in all applications collecting personal data.
- Punitive financial recourse (e.g., 4% of global revenue or €20m) will be made against any organization proven not to comply with the regulations.
The new regulations seek to provide clarity and consistency in how privacy rules are applied, not just across the EU, but also globally to every organization processing citizen data as part of offering products and services in the EU.
The GDPR introduces specific terminology to define roles and responsibilities within organizations, including:
- Data Protection Officer (DPO), an individual employed by the data controller or processor, with responsibility for advising on GDPR regulation, reporting to the highest management level. The DPO is ultimately answerable to the local supervisory authority.
- Data controller, typically the organization with whom the data subject (the individual) is sharing the data.
- Data processor, an organization and/or individual working on behalf of the controller, e.g., a direct employee such as a business analyst or a developer, or an external service provider, such as a credit rating agency or a payroll processor. A data processor is any entity or individual with access to personal data.
GDPR’s Definition of a Data Breach
It is very important to understand what a data breach means in the context of this new regulation. The GDPR applies a much broader definition than only loss of confidentiality or unauthorized processing of personal data, demonstrating that data protection extends beyond narrow concepts of access control: it also encompasses availability and integrity. The GDPR text states:
“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
Wrapping Up Part 1
That wraps up the first part of our 4-part blog series. In Part 2, we’ll examine specific GDPR requirements, and map them back to a set of required database capabilities.
Disclaimer
For a full description of the GDPR’s regulations, roles, and responsibilities, it is recommended that readers refer to the text of the GDPR (Regulation (EU) 2016/679), available from the Official Journal of the European Union, and refer to legal counsel for the interpretation of how the regulations apply to their organization. Further, in order to effectively achieve the functionality described in this blog series, it is critical to ensure that the database is implemented according to the specifications and instructions detailed in the MongoDB security documentation. Readers should consider engaging MongoDB Global Consulting Services to assist with implementation.