With the European General Data Protection Regulation (GDPR) looming in May 2018, everyone is worrying about their customer information. Is it secure? Can it be deleted? Do we even know where it is? Data security specialists everywhere are seizing the opportunity enthusiastically, offering solutions and seminars in equal measure.
But when organisations are under pressure to fix a large potential problem in a short amount of time, it’s easy to overlook the obvious. One good place to start is the management of the applications you already have. If new ones are under development, are they being managed as tightly as they should be? For those already in production, how are version control and patching being handled, and who can show what changed, when, and on whose authority?
GDPR – real and imminent
I don’t think anyone is still under the illusion that the Brexit vote will affect the implementation of the GDPR. From May, the European Union rules will apply to all organisations in the UK that process the personal data of people in the EU. Even after the UK’s departure from the EU, it is highly likely that an equivalent regime will be required. These are some of the key points to consider:
– Everyone will have the ‘right to be forgotten’ (the right to erasure): organisations will need to be able to locate every copy of an individual’s record – and that includes backup and archive data – and to erase it on request.
– Data portability: people must be able to transfer their personal data from one electronic processing system to another.
– Personal data breaches must be reported to the supervisory authority within 72 hours of the organisation becoming aware of them.
– If you are using third parties to process personal data, you will still be held responsible for the security of that data.
– It will be expensive to make mistakes. Fines can be as high as €20m, or up to four per cent of a company’s global annual turnover, whichever is higher.
Getting the basics wrong
Each of these key aspects of the GDPR requires organisations to have complete control over their data and their applications. While this sounds obvious, it’s astonishing just how often the most serious software disasters boil down to simple errors. Parity, a cutting-edge software company that provides wallets for the crypto-currency Ethereum, allegedly had $169m of the currency frozen in its users’ multi-signature wallets recently after failing to fix a flaw in the shared wallet library that had been reported months earlier.
In a similar case of a simple but glaring error, it has been reported that the fatal crash of a military Airbus A400M in 2015 was caused by engine calibration data being accidentally wiped while engineers installed new software on the ground, leaving the engine control software without the parameters it needed. In both cases, a failure to keep data and software in step with each other was at the root of the problem.
Automation, compliance & business benefits
Getting the right Application Lifecycle Management (ALM) processes and systems in place is essential to managing application code and tracking any changes that affect your data. When it comes to the GDPR, you have to be able to demonstrate to the regulator which applications do or do not touch personal data, and how any change you make to those systems might affect it.
Trying to do this manually is complicated, time-consuming and risky. You have to be certain that you are recording who is doing what, and when, and that you have complete visibility of every change made to any application. Automating the process lets you manage development and production teams to the same standard, whether they operate separately or as an integrated unit. A good system records every change as it happens, alerts you to any that were not authorised, and keeps enough history that a change can be reversed immediately if necessary. It should also take the pain out of audits by tracking approvals, authorisations and documentation for every change request, so that nothing can slip through unnoticed or unapproved.
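The change tracking described above, written out as an added example rather than code from the original article or from any ALM product: a small, hash-chained change ledger that records who changed which application, when and under which approval; raises an alert for any change that went out without an issued approval ID; rolls an application back to its last approved version (the rollback being a change in its own right, with its own approval); and, given an inventory of which applications process personal data, lists the changes that touched such data. The application names, approval IDs and the deployment scenario in `run_demo()` are all constructed for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed inventory (hypothetical application names): which applications
# process personal data, and which categories. This is what lets the ledger
# answer "which changes touched personal data?" for an auditor.
INVENTORY = {
    "crm-web": {"personal_data": True, "categories": ["name", "email"]},
    "billing": {"personal_data": True, "categories": ["name", "address", "card_token"]},
    "metrics-dashboard": {"personal_data": False, "categories": []},
}


@dataclass
class ChangeRecord:
    seq: int
    app: str
    version: str
    actor: str
    timestamp: str
    approval_id: Optional[str]  # None, or an ID the change board never issued, means unapproved
    prev_hash: str              # hash of the previous record: the chain link
    hash: str = ""


class ChangeLedger:
    """Append-only, hash-chained log of application changes (constructed example)."""

    def __init__(self, issued_approvals):
        self.records = []
        self.approvals = set(issued_approvals)  # approval IDs the change board has issued
        self.alerts = []  # one message per change recorded without a valid approval

    @staticmethod
    def _digest(rec):
        body = {k: v for k, v in asdict(rec).items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, app, version, actor, approval_id=None, when=None):
        """Append one change. Unapproved changes are still recorded, but flagged."""
        if app not in INVENTORY:
            raise ValueError(f"unknown application {app!r}")
        prev = self.records[-1].hash if self.records else "0" * 64
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        rec = ChangeRecord(len(self.records), app, version, actor, stamp, approval_id, prev)
        rec.hash = self._digest(rec)
        self.records.append(rec)
        if approval_id not in self.approvals:
            self.alerts.append(f"seq {rec.seq}: {actor} changed {app} to {version} without approval")
        return rec

    def verify_chain(self):
        """True only if no record has been altered, reordered or removed since it was written."""
        prev = "0" * 64
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or self._digest(rec) != rec.hash:
                return False
            prev = rec.hash
        return True

    def is_approved(self, rec):
        return rec.approval_id in self.approvals

    def current_version(self, app):
        for rec in reversed(self.records):
            if rec.app == app:
                return rec.version
        return None

    def last_approved_version(self, app):
        for rec in reversed(self.records):
            if rec.app == app and self.is_approved(rec):
                return rec.version
        return None

    def rollback(self, app, actor, approval_id):
        """Reverse an unapproved change by re-recording the last approved version.
        The reversal is itself a change, so it is logged and needs its own approval."""
        target = self.last_approved_version(app)
        if target is None:
            raise ValueError(f"no approved version of {app!r} to roll back to")
        return self.record(app, target, actor, approval_id)

    def changes_touching_personal_data(self):
        return [r for r in self.records if INVENTORY[r.app]["personal_data"]]


def run_demo():
    """Constructed scenario: two approved deployments, one unapproved hotfix, then a rollback."""
    ledger = ChangeLedger(issued_approvals={"CR-101", "CR-102", "CR-103"})
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    ledger.record("crm-web", "2.4.0", "alice", "CR-101", t0)
    ledger.record("metrics-dashboard", "1.1.0", "bob", "CR-102", t0)
    ledger.record("crm-web", "2.4.1-hotfix", "carol", None, t0)  # went out with no approval
    alerts_before = list(ledger.alerts)
    ledger.rollback("crm-web", "alice", "CR-103")
    return {
        "chain_ok": ledger.verify_chain(),
        "alerts": alerts_before,
        "crm_version": ledger.current_version("crm-web"),
        "personal_data_changes": len(ledger.changes_touching_personal_data()),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the hash chain is that the ledger is evidence, not just a log: an auditor can recompute every digest and confirm that the record of who changed what was not edited after the fact. The unapproved hotfix is deliberately kept in the ledger rather than rejected, because a change that has already reached production must be visible before it can be reversed; the rollback then appears as a fourth, approved record rather than as a silent edit of history.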
Take greater control
While the adoption of more rigorous practices may be driven by the fear of breaching a new regulation, the benefits are far wider. ALM lets you take tighter control of application development and maintenance, establish a structured environment and implement a clear division of responsibilities. All this speeds up the development and deployment of technology. We all know – particularly those of us who work in the financial services sector – that regulations are paramount. Yet sometimes the effort of meeting the demands of yet another new regulation feels like something we could do without. In this case, however, the pain of compliance may well be outweighed by the rewards of efficiency, security and a faster time to market.