Under the GDPR, the technical tooling deployed inside an organization must serve the people responsible for privacy within its information systems. Three profiles can broadly be distinguished, each with a role to play in the organization's compliance strategy:
The DPO (Data Protection Officer): the point of contact for the individuals whose data is processed, and the guarantor that their rights are respected. As such, the DPO must:
- have an exhaustive view of all the personal data managed by the enterprise
- inform the individuals concerned and transmit their data to them on request
- answer individuals' requests to modify or delete their data
- ensure that all data collected by the enterprise is collected lawfully
The Data Processing Officer: the guarantor of:
- the conformity of data usage with the declared processing purposes
- the traceability of data flows across the various information systems
- compliance with the data retention rules over time
The Data Security Officer: the guarantor of:
- the minimization of the data used in the declared processing
- the protection of personal data in the production databases
- the protection of personal data when it is copied and/or transferred
Personal data inventory
To enable and simplify the recurring work of these three roles, technologies for the automatic analysis of databases and files must be put in place in order to:
- retrieve, and keep up to date, a technical description of the applications' data (metadata)
- identify the personal data within it
- define categories of personal data
- assign every item of personal data to one of the defined categories
The result of this stage is a data repository containing the descriptions of the data of all analyzed applications.
Automatic analysis of program source code, in turn, identifies in detail which programs use personal data. The results of these analyses complete the data repository.
Tools built on the repository can then produce a representation such as the one illustrated below, showing the links between personal data and processing purposes:
Name <-> Billing
Birth date <-> Renewal
Banks <-> Payments
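The inventory steps above (read the metadata, identify personal data, assign categories, link each item to its declared purposes) can be prototyped over a database catalog. The following is an added example, not Rever's code or part of the white paper: it introspects a constructed SQLite schema standing in for two applications, classifies columns with hypothetical name-pattern rules, builds the repository, and links each personal-data column to the purposes declared for its category (the constructed purpose table mirrors the illustration above). Columns classified as personal data whose category has no declared purpose are reported as gaps, which is the check the Data Processing Officer needs.

```python
"""Toy personal-data inventory built from database metadata (added example)."""
import re
import sqlite3

# Constructed sample schema standing in for two business applications.
SAMPLE_SCHEMA = """
CREATE TABLE customers (
    customer_id  INTEGER PRIMARY KEY,
    full_name    TEXT,
    birth_date   DATE,
    email        TEXT,
    iban         TEXT,
    created_at   TIMESTAMP
);
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    customer_id  INTEGER,
    amount_cents INTEGER,
    ordered_on   DATE
);
"""

# Hypothetical category rules: column-name patterns, to be tuned per organization.
CATEGORY_RULES = {
    "identity": [r"\bname\b", r"first_?name", r"last_?name", r"full_?name"],
    "birth_date": [r"birth", r"\bdob\b"],
    "contact": [r"e?mail", r"phone", r"address"],
    "banking": [r"\biban\b", r"\bbic\b", r"account_?(no|number)", r"card_?number"],
}

# Constructed declared purposes per category (no purpose is declared for "contact").
DECLARED_PURPOSES = {
    "identity": ["Billing"],
    "birth_date": ["Renewal"],
    "banking": ["Payments"],
}


def classify_column(column_name):
    """Return the personal-data category for a column name, or None if not personal."""
    for category, patterns in CATEGORY_RULES.items():
        if any(re.search(p, column_name, re.IGNORECASE) for p in patterns):
            return category
    return None


def extract_metadata(conn):
    """Read table and column descriptions from the SQLite catalog (step 1: metadata)."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    metadata = []
    for table in tables:
        # pragma_table_info is a table-valued function, so the name can be bound.
        for name, col_type in conn.execute(
                "SELECT name, type FROM pragma_table_info(?)", (table,)):
            metadata.append({"table": table, "column": name, "type": col_type})
    return metadata


def build_repository(conn):
    """Classify every column (steps 2-4); the result is the data repository."""
    return [dict(entry, category=classify_column(entry["column"]))
            for entry in extract_metadata(conn)]


def personal_data(repository):
    """Only the repository entries that were classified as personal data."""
    return [e for e in repository if e["category"] is not None]


def link_purposes(repository, declared_purposes):
    """Map each personal-data column to its declared purposes; report unmapped ones."""
    links, gaps = {}, []
    for e in personal_data(repository):
        key = f'{e["table"]}.{e["column"]}'
        purposes = declared_purposes.get(e["category"], [])
        if purposes:
            links[key] = purposes
        else:
            gaps.append(key)  # personal data with no declared processing purpose
    return links, gaps


def open_sample_database():
    """In-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


if __name__ == "__main__":
    repo = build_repository(open_sample_database())
    links, gaps = link_purposes(repo, DECLARED_PURPOSES)
    for column, purposes in links.items():
        print(f"{column} <-> {', '.join(purposes)}")
    if gaps:
        print("Personal data with no declared purpose:", ", ".join(gaps))
```

Run against a real system, the rules would be extended with value sampling (format checks on IBANs, e-mail addresses, dates), since column names alone miss data stored in generic or legacy fields; the repository structure and the purpose-gap check stay the same.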
Structured and unstructured data
From a technological point of view, everything described so far concerns what is usually called "structured data", that is, data managed in conventional databases. Such data, however, represents only approximately 40% of the information circulating in enterprises; the remaining 60% is "unstructured" information: texts, images, etc.
To meet the requirements of the regulation, enterprises must also deal with the fact that they write about individuals in the thousands of texts they produce or store. Here they face a degree of complexity far higher than in databases, because words are inherently ambiguous: the word "Washington" in a text may denote a person, a place (a state or a city), or an organization when it refers to the American government.
To address these challenges, Rever is developing REAL GDPR Software (RGS), a complete software suite that allows organizations to implement the requirements of the European regulation in a flexible and functional way.
This text is taken from the white paper "Use of Rever's solutions in order for enterprises to comply with the EU General Data Protection Regulation".