What you need to know about GDPR and How Control-M can help

This post was originally published on BMC Blogs –

There’s been a lot of talk about the upcoming General Data Protection Regulation requirements and the potential penalties for non-compliance, but I thought it would help to provide you with some facts. Here’s 250 pages of GDPR information condensed into 10 bullets:

  1. Don’t have a data breach of Personally Identifiable Information (PII)!
  2. Notify the required individuals and data protection agency of any breach within 72 hours of your becoming aware of such breach.
  3. When requested by an EU citizen, remove all personal data within 30 days.
  4. When requested by an EU citizen, within 30 days provide all personal data and information on how that personal data has been used.
  5. Relate (and document) the collection and processing of personal data to specific purposes.
  6. Positively verify that someone is of legal age to provide the required permissions for the collection and use of their personal data.
  7. Know where all personal data resides (keep records of everything).
  8. Design all systems with appropriate and demonstrable security and data governance processes.
  9. Expand privacy accountability and liability to all third parties in your ecosystem.
  10. Penalties can be up to 4% of global revenue or €20,000,000 (whichever is higher).

It’s no longer just about ‘not having a data breach’; it’s also about what the business is expected to do after a breach occurs.

So with all of these requirements and their potential impacts, the question we often get is whether or not Control-M is GDPR compliant.

In short, there’s no such thing as an officially certified GDPR vendor, and no GDPR certification for a product. No software product can be GDPR compliant on its own; only companies can achieve GDPR compliance, through their actions, processes and implementation of solutions.

  • An enterprise is the data controller, and when it implements a software package, the enterprise still has to comply with GDPR.
  • The liability of the data processor – meaning the one who processes the personal data in any manner, on behalf of and under the direction of the data controller – is now broader than ever before.
  • The question when evaluating software is whether it supports compliance to the GDPR requirements – from ‘privacy-by-design’ to ‘state-of-the-art’ to the concrete requirements of helping to maintain personal data privacy.

The right question therefore is “Does Control-M help your organization to fulfill the GDPR requirements?”

The answer is “Yes”. Let’s then talk about how Control-M can help an enterprise to establish the right process to meet GDPR rules. Control-M helps to:

  1. Automate processes across all parts of the infrastructure to support the implementation of the Right to Be Forgotten, the Right to Access, Data Portability, and Notification requirements.
    • Reduce costs, reduce human error, and reduce time to complete
    • Integrate into the Service Request ticketing system for full auditing
  2. Provide alerts and notifications.
    • Report data breaches within an enforced SLA
    • Notify if there has been any problem with a job related to customer data
  3. Provide auditors with evidence of the required processes in an easy-to-understand view, using Control-M Archiving.
    • Keeps a record of what was executed, when it was executed, and who took any actions (order, cancel, modify, etc.) on it
    • Contributes towards Privacy by Design
  4. Automate the audit / compliance reporting process.
    • Use Control-M Self Service and Mobile interfaces to reduce time to respond to audits
    • Reduce costs of the audit process
  5. Ensure highly secured and controlled file transfers with Control-M Managed File Transfer.
    • Securely manage file transfer destinations within and outside the organization
    • Track every file transfer
    • Confirm that transfers completed successfully, which helps ensure data integrity
    • Enhance security with encryption options and authentication
  6. Provide data lineage by tracking and evidencing all activities in a data lineage platform (e.g. Hadoop or Splunk, or whichever platform you have).
    • Meets the compliance requirement of knowing where customer data is, and is not, used
    • Reduces the cost of compliance, especially for customers already using Control-M
  7. Integrate with Service Request and Change Management tools (for tracking, approval, problem handling, etc.).

GDPR is all about the workflow:

“Ensure ongoing confidentiality, integrity, availability, and resiliency of customers’ personal data”

By Daniel Swann