By David White, VP Technology Operations
Many businesses over the past several months have begun preparing for the GDPR (General Data Protection Regulation) regulations, the new rules passed by the EU to enhance digital protections for EU citizens. At Sentient, we have been going through our own GDPR readiness over the past 3 months to ensure that we meet all the necessary regulations to serve our customers throughout the EU and beyond when the regulation kicks in on May 25th, 2018.
As we have been going through this process, I wanted to share some key insights we have learned along the way that will not only help you understand some of the nuances of the regulation, but also understand how we are working to make sure we are GDPR compliant.
1. The GDPR explicitly defines IP Addresses as protected information
There are reasons why this does and doesn’t make sense. An IP address is somewhat akin to a phone number. It is a unique number by which a computer is known on a network or the internet. As with a phone number, calling a business does not necessarily get you to the person you wish to speak to–there may be additional numbers necessary to actually identify a person. Similarly, a single IP address may be used for an entire company. Each person in the company goes through a different IP address “for internal use only” that is then translated to the external IP address for the company (through NAT). This is similar to calling someone inside your own company by extension number, but being unable to call them with that number if you are remote. In these situations, a person cannot be uniquely identified by an IP address. For people accessing the internet from home, there may be a different technology in use that will change their IP address from time to time (DHCP). This means that the IP address you have today may not be the one you have tomorrow. Despite these frequent use cases, there may be situations where an IP address does uniquely identify a distinct individual. It is because of these situations, that all IP addresses fall under the category of protected information under the GDPR. Sentient will of course comply with this measure and treat all IP addresses as protected information.
2. The best way to “store” IP addresses is not to store them at all
Given the sensitivity around IP addresses, a variety of strategies are being adopted to help mitigate the risk associated with this protected information. Some have chosen to eliminate the last few digits of the IP address and are therefore still storing partial IP addresses in order to achieve compliance with this part of the regulation. While this may or not meet the letter of the law we have decided that it does not meet its spirit, as it is possible that even partial IP addresses will be considered protected information as it can be combined with other information to potentially identify an individual. As a result, Sentient Ascend will not store IP addresses at all for any of our EU customers. This will ensure that this piece of the regulation will not have any impact on our service delivery.
3. GDPR has the concept of anonymous and pseudonymous information
What this means is that if there is any way that combined information from any data sets can identify an individual—whether they are your own or from a 3rd party, then it is not anonymous. In other words, if it is possible to combine your data with some other piece of information, anywhere in the world, and identify an individual, it is not considered anonymous. The argument has even been made that the information necessary to “un-anonymize” data does not even need to really exist. If it theoretically could exist, that is sufficient to consider data to be pseudonymized, not anonymized. This has an impact on things like how to handle an IP address or other pieces of information that appear to be anonymized by just changing one thing about them. For something to be truly anonymous it means it must remain forever anonymous, with no way for it to ever be identified
4. Comprehensive auditing is the best way to understand what information you have that needs to be protected
This may seem obvious, but it is important that you perform a detailed audit to understand not just what you have, but why you have it, and what you will need to do to protect it. This is not only a requirement of GDPR, but also a good practice. Too often data gets saved “just in case”. This is seldom a good enough reason when it comes to potentially sensitive or protected information. So before you save sensitive data “just because”, be mindful of why you need it and what liabilities may come with it if it is stored.
5. You must comply with partner requests for information
Our partners may request an audit of our data handling practices. Also, they may request us to assist them in other GDPR compliance requirements – such as handling the individual rights requests of their customers (data deletion requests, etc.), Data Protection Impact Assessments, data inventories,etc. In the event a partner makes such a request, you must escalate quickly and be prepared to assist if required. Though these requests are not without limits, it is our practice to fully comply if possible. The standard reports on data, privacy levels, mitigation strategies, and action plans all must be transparent for customers, partners, and employees. Ultimately, it is this level of transparency that is the real key to GDPR.
Questions? Contact Us
Here at Sentient, we are fully committed to the adherence of the upcoming GDPR regulations and will take the necessary steps to prepare for it when it enacts on May 25th, 2018. If you are currently involved with Sentient or are thinking of joining our list of clients and want to know more about our compliance with GDPR, please contact us at GDPR@sentient.ai.