As more and more regulations around the world have started requiring data protection, organizations have been pressed to find a good solution – not just for protecting their data, but for proving it to regulators. In the European Union (EU), one such regulation is the General Data Protection Regulation (GDPR). This regulation goes into effect on May 25, 2018. In this post, we'll take a look at how SAS can help with your efforts to address GDPR requirements and other regulations.
Some background about GDPR requirements
The GDPR is intended to strengthen and unify data protection for individuals in the EU. It also addresses the export of personal data outside of the EU. Its primary objectives are to give citizens back control of their personal data, and to simplify the regulatory environment for international businesses by unifying the regulation across the European Union.
In certain situations, the GDPR will impose strict penalties for data breaches and other types of noncompliance. As many organizations have noted, the following sanctions could be imposed:
- A written warning in cases of first and unintentional instances of noncompliance.
- Periodic data protection audits.
- Fines that could range up to US$22 million or 4% of the organization's annual global turnover of the preceding financial year (whichever is greater).
Personal data and the GDPR
GDPR requirements focus on personal data (also known as personally identifiable information, or PII). This includes any data that allows for the identification of an individual, directly or indirectly. A variety of factors that can identify a person – name, address, social security number, IP address or location data, for example – are covered. To ensure personal data protection, organizations need to know where all of their personal data is located and exactly how it's used. And they must secure it appropriately. From a data privacy point of view, this entails looking at your data starting with product development, then moving through the supply chain and on to the customer.
SAS Federation Server and the GDPR
One of the GDPR requirements is that organizations must know (and be able to prove) who has requested data queries on personal data – and when. SAS Federation Server, a component of SAS for Personal Data Protection, has capabilities to help access, identify, protect and monitor (or “audit”) the personal data you process and store. Other SAS Data Management solutions (like SAS Data Governance and SAS Data Quality) can also help protect personal data and store policies related to acceptable data usage. Let’s look at these capabilities in more detail.
Organizations need access to all of their data no matter where it lives. But due to the sheer volume and velocity of data – particularly big data – the option to move and remodel data is often not a practical method of access. Through data virtualization or data federation, you can reference and orchestrate data sources without copying or moving the data, allowing you to process the data in place (where it lives). This reduces the amount of data transferred and improves governance.
In keeping with GDPR regulations, SAS Federation Server provides centralized and role-based access to sensitive data. Its state-of-the-art security and data masking capabilities include hashing, randomization and encryption. It also provides on-demand data quality to make it easier to identify personal data if it's not immediately apparent. You can even implement a data investigation hub, adding systems to the hub that your compliance department has targeted for personal data investigation.
The process of identifying personal data across your organization can be daunting and time-consuming. A huge time-saver is SAS Quality Knowledge Base, which includes prepackaged logic and rules such as identification analysis, standardization and pattern matching. You can use this logic in conjunction with SAS Federation Server (and other SAS Data Management tools) to help speed and simplify the process of personal data identification.
Personal data protection revolves around authentication, authorization and security auditing (and monitoring) of the users who access personal data. Protecting data means that the identity of the people whose information you process and store is never compromised when you conduct analysis, forecasting, querying and reporting activities. The security framework in SAS Federation Server offers easy methods to mask and encrypt content in SAS tables and other types of data sources, and you can add column-level and row-level security to them as well. Whether you use SAS tables for analytical purposes on their own or combined with data from other systems, SAS Federation Server provides a unified way of protecting personal data – regardless of its source.
Auditing (or “monitoring”) is about logging and monitoring the usage of personal data to demonstrate compliance with privacy controls. It's also about analyzing and reporting to prove that personal data is not at risk.
SAS Federation Server allows you to audit data access with the level of control you need for GDPR compliance. SQL logging allows you to view SQL statements submitted to SAS Federation Server. SQL statements can be combined with other information, too – for example, the user ID of the person who submitted the SQL, as well as information about prepare, execute and cursor phases. Metrics are available, such as elapsed time, number of rows fetched, and the size of data fetched or inserted.
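To show how the logged fields described above (user ID, SQL text, phase and rows fetched) answer the "who queried personal data, and when" question, here is an added example that is not SAS code: it assumes a constructed JSON-lines audit format (the real SAS Federation Server log layout is not shown on this page) and a hypothetical list of tables classified as holding personal data, then builds a per-user access report and flags unusually large fetches for review.

```python
import json
import re
from collections import defaultdict

# Constructed sample records in an ASSUMED JSON-lines shape carrying the fields
# the post lists (user ID, SQL, prepare/execute/cursor phase, elapsed time,
# rows fetched). The real SAS Federation Server log format is not shown here.
CONSTRUCTED_LOG = """\
{"ts":"2018-05-25T09:12:03Z","user":"analyst1","phase":"prepare","sql":"SELECT name, email FROM customers WHERE country='DE'","elapsed_ms":2,"rows":0}
{"ts":"2018-05-25T09:12:04Z","user":"analyst1","phase":"execute","sql":"SELECT name, email FROM customers WHERE country='DE'","elapsed_ms":310,"rows":0}
{"ts":"2018-05-25T09:12:05Z","user":"analyst1","phase":"cursor","sql":"SELECT name, email FROM customers WHERE country='DE'","elapsed_ms":1200,"rows":48210}
{"ts":"2018-05-25T10:01:10Z","user":"report_svc","phase":"execute","sql":"SELECT region, SUM(amount) FROM orders GROUP BY region","elapsed_ms":90,"rows":0}
{"ts":"2018-05-25T10:01:11Z","user":"report_svc","phase":"cursor","sql":"SELECT region, SUM(amount) FROM orders GROUP BY region","elapsed_ms":15,"rows":12}
"""

# Hypothetical classification of tables that hold personal data (assumed).
PERSONAL_DATA_TABLES = {"customers", "patients"}
BULK_ROW_THRESHOLD = 10000  # assumed review threshold for bulk fetches

TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)

def tables_in(sql):
    """Lower-cased table names referenced after FROM/JOIN in a statement."""
    return {t.lower() for t in TABLE_RE.findall(sql)}

def personal_data_access_report(log_text):
    """Return {user: [(ts, table, rows_fetched)]} for cursor-phase records,
    i.e. the phase that (in this assumed format) actually returns rows."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["phase"] != "cursor":
            continue
        hits = tables_in(rec["sql"]) & PERSONAL_DATA_TABLES
        for table in sorted(hits):
            report[rec["user"]].append((rec["ts"], table, rec["rows"]))
    return dict(report)

def bulk_extractions(report):
    """Fetches at or above the threshold: candidates for compliance review."""
    return [(u, ts, t, n) for u, evs in report.items() for ts, t, n in evs if n >= BULK_ROW_THRESHOLD]

if __name__ == "__main__":
    rep = personal_data_access_report(CONSTRUCTED_LOG)
    for user, events in rep.items():
        for ts, table, rows in events:
            print(f"{ts} {user} read {rows} rows from {table}")
    for u, ts, t, n in bulk_extractions(rep):
        print(f"REVIEW: {u} fetched {n} rows from {t} at {ts}")
```

The same report, keyed by user and timestamp, is the evidence an auditor would ask for under the requirement quoted earlier in this post.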
SAS: Helping protect personal data, and more
Bringing analytics techniques directly to the data can help you derive value from all your data, wherever it lives. This includes big data environments that consist of many nodes in a cluster. With SAS Personal Data Protection and SAS Federation Server, you can analyze, cleanse and derive value from all of your data while protecting it – so you can address GDPR requirements and more while reducing risk across the entire organization. Learn more about how SAS can help you prepare for the General Data Protection Regulation.