Oracle Software Licensing and EU General Data Protection Regulation (GDPR) Compliance

The European Union (EU) General Data Protection Regulation (GDPR) is a new regulation that will go into effect on May 25, 2018. The GDPR introduces a legal accountability obligation for organizations and will require organizations to reassess current policies, procedures, and systems and increase the level of controls, processes, and protection around the personal data of EU individuals. Organizations must have a complete understanding of their data and have the ability to implement appropriate technical and organizational measures that ensure and demonstrate that data processing activities are in compliance with the requirements of the GDPR.

As a result, organizations may be required to license additional software to comply with the data protection requirements of the GDPR. Under GDPR, data protection requirements can be broken down into three main categories: assessment, preventive, and detective controls. Many software vendors such as Oracle offer security products to help address the GDPR’s assessment, preventive, and detective compliance requirements.

Assessment Controls – Article 35 of the GDPR mandates that organizations perform risk assessments to help identify vulnerabilities and lessen the possibility of security breaches. Organizations are also required to indicate how data privacy will be addressed. Organizations need to know where the personal data exists and who has access with what privileges, identify possible vulnerabilities, and determine the likelihood of potential threats and the impact to the organization.

Software vendors such as Oracle offer tools to assess the current state of data security. For example, Oracle Application Data Modeling can be used to discover personal data, Oracle Enterprise Manager’s Database Lifecycle Management Pack can be used to scan database configurations, and Oracle Database Vault Privilege Analysis can be used to analyze roles and privileges.

Preventive Controls – Article 32 of the GDPR mandates that organizations implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Therefore, once the risks are identified, policies, procedures, and controls must be put into place to prevent and deter unauthorized access and misuse of personal data. Unauthorized access can occur internally and externally; therefore, appropriate controls such as encryption, pseudonymization, and anonymization should be put in place.

Software vendors such as Oracle offer tools to protect sensitive data at the source. For example, Transparent Data Encryption can be used to encrypt data in production applications, Data Redaction can be used to pseudonymize data in production applications, and Oracle Data Masking and Subsetting can be used to mask or anonymize the data in non-production applications and be used to subset the data either by deleting or extracting the data to a different location.

Detective Controls – Article 30 of the GDPR mandates that organizations maintain an audit record of processing activities on the personal data. The audit data can then be used to help detect potential security breaches, unauthorized activity, and misuse of personal data, and to notify authorities in a timely manner in case of a breach. Article 33 of the GDPR mandates that organizations report personal data security breaches within 72 hours of becoming aware of a breach to the designated GDPR supervisory authority. If the security breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals, organizations must also inform those individuals affected by the breach.

Software vendors such as Oracle offer tools to monitor suspicious activity. For example, Oracle Database Auditing can be used to enable and maintain audit records of processing and Oracle Fine-Grained Auditing can be used to record and audit specific activities of users.

About the GDPR

The GDPR was approved by the European Parliament on April 14, 2016 and replaces the 1995 Data Protection Directive (95/46/EC). The aim of the GDPR is to give EU individuals more control over their personal data and to simplify the regulatory environment for organizations by unifying the data protection law across all 28 European Union (EU) member states. The GDPR defines personal data as any information that can be used, either directly or indirectly, to identify an individual. An identifier can be a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Extended Jurisdiction

The GDPR will apply to any organization that creates, stores, or processes personal data of EU individuals, regardless of whether the organization is located in the EU and regardless of where the data is created, stored, or processed. The GDPR will apply to data controllers and data processors and holds both liable for breaches or non-compliance; therefore, if personal data is hosted in the cloud or shared with vendors or contractors, the organization (data controller) and the third-party (data processor) are liable for penalties.

Penalties

Organizations in breach of the GDPR may be liable for penalties. The GDPR has a tiered approach to penalties depending on the nature of the violation. For example, organizations may be fined up to 2% of total global annual turnover or €10 million (whichever is greater) for not having their records in order, or not conducting a risk assessment, or not notifying supervisory authorities when a security breach occurs, or not notifying individuals affected by the breach. Organizations with more serious consequences may be fined up to 4% of total global annual turnover or €20 million (whichever is greater).

Individual Rights and Control

The GDPR will give back control to EU individuals over their personal data, which includes the right to access, right to be forgotten, and right to portability.

Right to Access – Organizations will be required to request consent from individuals and consent must be provided in an intelligible and easily accessible form. The GDPR will give individuals the right to obtain confirmation from the data controller as to whether or not their personal data is being processed, where the data is being processed, and for what purpose. Individuals will be entitled to a copy of their personal data, free of charge, in an electronic format.

Right to be Forgotten – The GDPR will give individuals the right to withdraw consent. Once consent is withdrawn, individuals also have the right to direct the data controller to erase and not use their personal data for data processing.

Right to Portability – The GDPR will give individuals the right to portability, which means that individuals may transfer their personal data between organizations more easily.

Data Protection Officer

Organizations that process large amounts of personal data will be required to designate a data protection officer. This position may be performed by an employee of the data controller or processor, or it can be outsourced to a third party. Data protection officers will be required to have knowledge and expertise in data protection law and practices. Data protection officers will be responsible for overseeing the GDPR data protection strategy, implementation, and compliance. Responsibilities also include training, conducting internal audits, and addressing potential vulnerabilities. The data protection officer also serves as the point of contact between the organization and the designated GDPR supervisory authority. The data protection officer is also available for inquiries and requests by individuals pertaining to their data privacy.

Conclusion

The GDPR introduces a legal obligation for organizations that promotes accountability, transparency, and trust. The GDPR will require organizations to increase the level of controls, processes, and protection around the personal data of EU individuals. As a result, organizations may be required to license additional software to address the assessment, preventive, and detective compliance requirements of the GDPR. Organizations face strict penalties for not complying with the new standards set by the GDPR once the regulation goes into effect on May 25, 2018. For questions and further assistance, please contact your trusted Miro Analyst or Miro Account Manager to provide guidance on GDPR governance, risk, and compliance.