Are You Preparing for GDPR?

Learn about the tools available within your OpenEdge application to consider as you address certain GDPR requirements.

The European Union’s General Data Protection Regulation (GDPR) goes into effect on 25 May 2018 and will have a significant impact on many businesses. While we can’t ensure your GDPR compliance, we’re sharing information about the tools available within your OpenEdge application to consider as you address certain GDPR requirements. ISVs should bear in mind that many companies will be seeking solutions that help them address the requirements of the GDPR when buying or renewing IT products and services.

GDPR Requirements

GDPR aims to enhance privacy and strengthen data protection rights of EU citizens by requiring companies to take appropriate measures to secure personal data that they collect, process and/or store. Under the GDPR, personal data means any information relating to an “identified or identifiable natural person.” Some characterize the GDPR as legislation of what might be considered commonsense data practices, including:

• Minimizing personal data collection
• Deleting personal data when it is no longer necessary
• Restricting data access to a “need to know” basis
• Securing data throughout its entire lifecycle

The GDPR expands the rights of the individual, including the rights of rectification, data portability and erasure:

• Rectification means that an organization must correct inaccurate personal data without undue delay
• Data Portability means that an organization must provide information to an individual or to another organization in a format that is easy for them to access and review
• Erasure is the right of an individual to have their personal information deleted without undue delay when certain conditions exist

Organizations Affected

The GDPR isn’t exclusive to businesses based in the European Union. It applies to any organization that collects, processes and/or stores personal data of EU citizens, regardless of where that organization is geographically located.

Depending on the nature of the violation, fines associated with non-compliance can reach €20 million or four percent of annual global turnover, whichever is greater.

Considering GDPR as it Relates to Your OpenEdge Environment

The first step in an organization’s GDPR journey should be to ensure that a systematic approach is in place to assess the organization’s current technology. The April 2017 Forrester report, “Five Milestones to GDPR Success” can help identify key milestones to achieve before the GDPR deadline.

Some questions to ask are:

• What are your existing processes for collecting, processing and/or storing personal data?
• Are your processes automated and can they be easily modified to respond to consumer requests or changing regulations?
• What information can be saved and to where?
• How do I ensure that information is readily and easily available to respond to consumer requests for review?

OpenEdge features and functionality to consider as you assess your GDPR compliance efforts:

Managing Data

• OpenEdge RDBMS Advanced Enterprise Edition—This contains several tools that will help manage the personal data that you collect, process and/or store.
• OpenEdge Change Data Capture (CDC)—Introduced with OpenEdge 11.7, CDC allows you to identify, track, and save data changes within the OpenEdge database. It then allows you to extract and transform that information so that you can accurately synchronize it with other data sources.
• OpenEdge Multi-Tenant Tables—A multi-tenant database provides database support to separate and distinguish groups of users. Especially helpful when deploying SaaS applications that collect, process and/or store data for your customer in the cloud, multi-tenant tables can help ensure that you can keep data physically separate and secure.
• OpenEdge Replication—OpenEdge Replication provides a set of tools and procedures to protect installations from potential outages by replicating a primary database to one or more remote, hot-standby destinations. Full integrity between the source and remote databases is ensured. OpenEdge Replication is completely transparent to the applications running on the platform, supporting high availability, and eliminating a single point of failure.

Privacy by Design and by Default

Privacy by Design and Privacy by Default are fundamental requirements of the GDPR and require that organizations implement appropriate technical and organizational measures designed to protect data.

• OpenEdge Business Process Management gives you the knowledge needed to make informed decisions, so you can execute process improvements that optimize your business. The Progress Corticon business rules engine allows you to create rules and automate them outside the application, without coding, allowing you to easily modify the business rules you’ve established.

  Information Security

  Securing personal data is one of the “common sense” protocols alluded to earlier—ensuring data security at rest, maintaining security protocols and data access authentication and authorization.

• Encryption of Data at Rest—The OpenEdge RDBMS Advanced Enterprise Edition can help you protect personal data with the inclusion of OpenEdge Transparent Data Encryption (TDE), which encrypts all or part of your database while at rest without requiring changes to the application.
• Maintaining Security Protocols—OpenEdge 11.7 provides security updates to the entire platform by supporting the latest versions of SSL/TLS protocols. These protocols aim to secure data while it passes between different application components. For more information, read  SSL/TLS Communication in Progress OpenEdge.
• Data Access Authentication and Authorization—OpenEdge 11.7 includes enhancements to help you secure personal data that is collected, processed and/or stored based on current industry standards, helping you to minimize vulnerabilities that are amplified by legacy technology.
• OpenEdge Authentication Gateway—This is a key component of a centralized authentication and authorization service for database access, providing trusted identity management by ensuring only the right people get the right access to the appropriate information, hardening the security of your OpenEdge application environment.

Crafting an Action Plan

GDPR is a significant and far-reaching change to EU privacy regulations, and it’s recommended that organizations take steps to avoid potential costly repercussions. Those steps include:

• Consulting with your legal team to determine the implications of GDPR to your business
• Conducting a gap analysis of your technology, including your OpenEdge application
• Determining where your OpenEdge app might require upgrades to address GDPR requirements

Resources

• Progress whitepaper, Are You Preparing for GDPR
• The European Union GDPR website
• Your Progress Account Manager