Complying with the EU Data Protection Regulation
Elli Lytra
Welcome one and all to the EU General Data Protection Regulation (EU-GDPR). This is a piece of legislation that was passed in April of 2016. It is critical in that it determines the extent of data privacy protections and the conditions for sharing data across borders from the EU to external entities. If you or your company handles the personally identifiable information (PII) of European citizens, you need to pay attention to this compliance regulation. In this article we are going to discuss a real-life use case for a medical information company that has faced challenges because of this new legislation.
The goal of this legislation is to make sure that your company has controls in place for data privacy, secure storage of information, data non-repudiation, breach disclosure policies and more. The aim is to ensure there is a framework for security and privacy inside the organizations that handle sensitive data for European citizens. We will now examine some of the pillars of compliance for this regulatory framework.
This regulation covers various aspects of security and data privacy, such as making sure that:
– excessive amounts of data are not collected
– all data is handled in a legal, auditable manner
– the concept of least privilege is not violated
– data is not transferred to organizations outside the EU without proper safeguards in place
– the organization is able to account for how data has been used
There are significant penalties for not complying with these policies that will cost companies millions in fines and lost revenue. Hence it behooves businesses to pay close attention to the points above.
To discuss this further we will illustrate the experience of a real-world, 2,500-person medical information company with employees in both the US and the EU. We will refer to the company as ABC.
Use case: ABC has access to data from both US and EU customers, partners and employees. ABC needs to make sure it complies with EU-GDPR. The specific requirement derived from the above policies is: ABC must ensure that a US employee cannot see PII for EU customers unless auditing is in place.
Why is the above tricky? The reason is that for most EHR (electronic health record) systems, the development and release cycles are typically very long. Furthermore, the controls present in the EHR system reflect the vendor's view of how the customer should use the EHR, not how the customer actually wants to use it. There is a lack of alignment here.
Companies like ABC need to be careful in order to judiciously implement controls that can track:
#1 – Where is the employee located (Geo Fencing)
#2 – Which groups is the employee a member of (IT, Support, Level 3..)
#3 – Does the employee need access to EU data (data tagging based on groups and seniority, job description)
#4 – Implement RBAC on EU data
The trickiest part is #4, implementing RBAC on EHR data. Why is this so? Consider the following real-world situation where ABC is using a reputable vendor's record management system. Each record for an EU customer contains diagnosis information, PII, history, recommendations and more. A US employee should not be given access to everything in a record by default; they should have to earn the right dynamically, in a manner that can be audited automatically. If the process is manual, the system and policies will only act as a roadblock and not an enabler.
ABC now needs the ability to block off access to certain portions of the EHR records based on location, time of day, group ownership etc. All of this can possibly be accomplished directly from the EHR system, but at the cost of tremendous amounts of frustration. The reason is simple – old-world EHRs, and even the web-based ones, don’t offer a granular, fine-grained privilege management layer. ABC now needs to either invest its own resources to build one internally and spend 1.5 years, wait for the EHR vendor to agree to service the request, which might take another year, or purchase a product that helps resolve the issue now. This is not an easy choice. With changes in regulation, well-meaning businesses can sometimes get blindsided. It's imperative to stay abreast of the latest regulations and plan in advance for how to address any requirements.
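To make the four controls concrete, here is an added example (written for this article, not code from ABC or any EHR vendor) of a field-level access check that applies geo-fencing, group membership, PII tagging and the audit gate from the use case. The field names, group names, business-hours window and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed field classification and role mapping; assumptions, not a vendor schema.
PII_FIELDS = {"name", "address", "date_of_birth"}
CLINICAL_FIELDS = {"diagnosis", "history", "recommendations"}
CLINICAL_GROUPS = {"clinical", "level3"}
audit_log = []   # in-memory stand-in for an append-only audit store

@dataclass(frozen=True)
class Employee:
    user_id: str
    region: str            # geo-fencing result, "EU" or "US"
    groups: frozenset      # e.g. frozenset({"support", "level3"})
    audited_session: bool  # True when every read is written to the audit trail

@dataclass(frozen=True)
class Record:
    record_id: str
    region: str            # data-residency tag on the record, "EU" or "US"
    fields: dict

def evaluate_access(emp: Employee, rec: Record, now: datetime) -> dict:
    """Return the view of `rec` that `emp` may see, and log the decision.
    Geo-fence: non-EU staff reach EU records only 06-20 UTC.  Groups: clinical
    fields need a clinical group.  Tagging + audit gate: PII on EU records is
    redacted for non-EU staff unless their session is audited."""
    cross_border = rec.region == "EU" and emp.region != "EU"
    in_hours = 6 <= now.astimezone(timezone.utc).hour < 20
    visible = {}
    if not cross_border or in_hours:
        for name, value in rec.fields.items():
            if name in CLINICAL_FIELDS and not (emp.groups & CLINICAL_GROUPS):
                continue                       # no clinical role: field omitted
            if name in PII_FIELDS and cross_border and not emp.audited_session:
                visible[name] = "[REDACTED]"   # PII masked, access still logged
            else:
                visible[name] = value
    audit_log.append({"user": emp.user_id, "record": rec.record_id, "at": now.isoformat(),
                      "decision": "allow" if visible else "deny", "fields": sorted(visible)})
    return visible

# Constructed sample data for a dry run.
EU_RECORD = Record("eu-1", "EU", {"name": "A. Example", "diagnosis": "sample diagnosis"})
US_SUPPORT = Employee("u-support", "US", frozenset({"support"}), audited_session=False)
US_LEVEL3_AUDITED = Employee("u-l3", "US", frozenset({"level3"}), audited_session=True)
IN_HOURS = datetime(2016, 4, 27, 10, 0, tzinfo=timezone.utc)
AFTER_HOURS = datetime(2016, 4, 27, 23, 0, tzinfo=timezone.utc)
```

Every call appends an audit entry, including denials, so the "unless auditing is in place" requirement is met by the same code path that decides what to show.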