The European Union’s General Data Protection Regulation (GDPR) is on the home stretch, to enter into effect on 25 May 2018. This is causing growing public attention and even worries in organizations handling personal data – and which among them is not handling personal data in the digitalized world?

GDPR ‘s maximum penalties for non-compliance are at the level that cannot be overlooked by any organization. But questions arise at this point: What is really demanded and from whom? And even what constitutes personal data? These questions will be answered by Jarmo Harno, Ficolo’s Senior Business Process Developer, who joined our ranks a year ago.

The regulation separates the responsibilities of the data controller and the data processor. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller, whether manually or by automated means.

Personal data is any information related to a natural person that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, location data, bank details, posts on social networking websites, medical information, or a computer IP address.

Thus, most organizations have stored some personal data. The measures required by the regulation, however, depend on the scope and sensitivity of the data. For those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes, a data protection impact assessment should be carried out by the controller prior to the processing.

The intention of the regulation is that the information security is built-in in the personal data processing implementations so that the risks are mitigated throughout the life cycle of the private data. Data controller and data processor should be able to demonstrate that the relevant and sufficient measures are taken to ensure this. However, as information security can never be complete, it is vital that an approach for continuous follow-up and improvement is in place.

GDPR Requirements. How the GDPR affect data handling

The processing of personal data involves several layers and it is important that there are no weak links. When thinking about personal data protection, we easily concentrate mainly on data processing systems, but the security starts from the physical layer and the premises where the systems and data are located and where people with different roles have access. Ficolo’s premises and related security controls have been audited against ISAE 3000 standard to guarantee that only the right persons have access to the stored and processed data.

All the layers from the physical through the systems and networks to the application and human interaction should be proper professional attention (Figure 1).

Investing heavily in in-house resources or competences on layers that are not the core business of the organization might not be feasible. Requirements of the new regulation may be better covered by subcontracting those layers to providers whose core competences lie in those areas.

As a cloud provider, Ficolo offers professional services and solutions on several layers: on the physical layer providing premises and infrastructure for ultimate security and availability, on the networking layer reliable, redundant and segregated connections with enhanced security solutions, and on the HW and SW platforms layers 24/7 monitoring and maintenance with security logs and vulnerability management.

And together with our leading IT-provider partners, our cloud solutions serve for all the personal data handling and processing requirements for the increased rights of individuals set by the GDPR.

When moving the data processing onto the Ficolo Cloud Delivery solution the personal data controller or processor have a wide range of Cloud Assurance services available to reach increased security levels when high privacy impact and risks are identified.

For example, intrusion detection, threat analysis and event log analysis can be combined in the Security Information and Event Management (SIEM) service. With Ficolo’s SIEM service it is possible to build a holistic view and take proper actions on the threats, detrimental activity and attacks against information security and business continuity. Attacks cannot be avoided in many cases and even intrusions may take place, but the latency in noticing the malicious activity can be fatal.

So, GDPR should not be seen as a threat by heavy sanctions, but a catalyst to improve the security, integrity and availability of the provided services.

GDPR: requirements for controller of personal data

Jarmo Harno

Jarmo has previously worked 20 years in Nokia’s network businesses in different quality, development, product management and business analysis positions before joining Ficolo in the autumn of 2016. Jarmo Harno has also contributed to the education of the future professionals as a principal lecturer in Laurea University of Applied Sciences. His responsibilities as a Senior Business Process Developer in Ficolo include developing processes, quality and the information security management system. According to Jarmo, Ficolo offers an interesting field for pervasive development as a growing and dynamic organization without stiffening operational silos.