GDPR panic? Standards to the rescue!

– By Anders Kingstedt, CEO, Mjukvarukraft

We’re just a day away from the day with capital G, the day when the General Data Protection Regulation (GDPR) comes into effect. No one can escape the veritable avalanche of messages, e-mails, communications and TV broadcasts that has flowed over us collectively over the last couple of months. All around Europe (and elsewhere in the world for that matter), organizations are scrambling to make the necessary adjustments in order to be compliant with the GDPR. And, yes, quite a few organizations are most likely still trying to get a grip on what in fact needs to be done…

At Mjukvarukraft we’re in the favorable position of not having to process large amounts of personal data (phew!). We’ve also had a chance to learn about the GDPR early on and, more importantly, to build support for the GDPR thanks to several client projects we’re involved in. So. We believe that ”we got it” (however that is defined…).

A late realization: there are quite a few ISO/IEC standards that can be really helpful for organizations that have (or plan to have) a significant Cloud presence. To give you an example: take a look at ISO/IEC 19944. The objective of this standard is ”to provide guidance about how data is used in a cloud computing ecosystem, providing transparency to all stakeholders”. ISO/IEC 19944 describes ”foundational concepts, including a data taxonomy and use statement structure”. ISO/IEC 19944 ”proposes a scheme for the structure of data use statements to understand and protect the privacy and confidentiality of data through increased transparency of policies and practices”.

Now. Any takers so far? The trigger words here are ”data use statement”, ”protect the privacy” and ”increased transparency of policies”.

Let me explain: ”data use” involves defining the actual usage of data. Are you still with me? ISO/IEC 19944 is, in other words, extremely useful for organizations that need support in doing data classification, understanding data taxonomies and coming up with GDPR compliant data use statements.

Here’s a great example of how standards can be put into practical use: the German organization Fraunhofer Fokus has teamed up with Microsoft to create DUCK, the ”Data Use Compliance Checker”. DUCK is an open source project that utilizes ISO/IEC 19944 to create a GDPR compliance checker. Its ultimate function is to evaluate ”under what circumstances a set of data use statements complies with a given regulatory framework” (read: GDPR). More specifically, the DUCK project sets out to automate the compliance check of Article 6 of the GDPR (”Lawfulness of Processing”) as well as other related articles of the GDPR.

I won’t go into the details of the DUCK project, but in short, it relies on the ”Carneades argumentation system” (found on GitHub). It’s a configurable web based (and Cloud ready) system that uses lists of data use statements to check compliance against e.g. the GDPR. It supports several different languages and the project is published as Open Source. Check it out on GitHub.

The attached picture shows how DUCK can be used to determine whether a specific set of data is PII (personally identifiable information) and therefore needs to be handled according to the GDPR.
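To make the idea behind such a checker concrete, here is an added illustration in Python of the two steps described above: deciding whether a data category is personal data at all, and then testing each data use statement against the six lawful bases of Article 6(1) GDPR. This is example code written for this post, not DUCK’s code or the ISO/IEC 19944 statement format; the data taxonomy and the sample statements are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Article 6(1)(a)-(f) GDPR: the six lawful bases for processing personal data.
LAWFUL_BASES = frozenset({
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
})

# Constructed mini taxonomy (an assumption for this illustration, not ISO/IEC 19944's).
PERSONAL_DATA_CATEGORIES = frozenset({"email_address", "ip_address", "full_name"})

@dataclass(frozen=True)
class DataUseStatement:
    """One data use statement: which data is used, for what purpose, on which basis."""
    data_category: str
    purpose: str
    lawful_basis: Optional[str] = None  # expected to be one of LAWFUL_BASES
    consent_recorded: bool = False      # only meaningful when the basis is consent

def check_statement(stmt: DataUseStatement) -> List[str]:
    """Return findings for one statement; an empty list means it passes."""
    findings: List[str] = []
    if stmt.data_category not in PERSONAL_DATA_CATEGORIES:
        return findings  # not personal data, so outside GDPR scope
    if stmt.lawful_basis not in LAWFUL_BASES:
        findings.append("no valid Article 6(1) lawful basis declared")
    elif stmt.lawful_basis == "consent" and not stmt.consent_recorded:
        findings.append("consent named as basis but no consent record exists")
    return findings

def check_all(statements: List[DataUseStatement]) -> Dict[str, List[str]]:
    """Map 'category/purpose' to findings for every statement that fails."""
    report: Dict[str, List[str]] = {}
    for stmt in statements:
        findings = check_statement(stmt)
        if findings:
            report[f"{stmt.data_category}/{stmt.purpose}"] = findings
    return report

# Constructed sample statements for a fictional webshop.
SAMPLE_STATEMENTS = [
    DataUseStatement("email_address", "order_confirmation", "contract"),
    DataUseStatement("email_address", "newsletter", "consent"),          # no consent record
    DataUseStatement("ip_address", "fraud_detection", "business_need"),  # not an Art. 6 basis
    DataUseStatement("product_sku", "inventory"),                        # not personal data
]
```

Running `check_all(SAMPLE_STATEMENTS)` flags only the newsletter and fraud detection statements; the order confirmation passes on the contract basis and the product SKU is skipped as non-personal data.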

Yes. Standards really do matter and should be put into practical use!