GDPR & Business Applications

This paper summarizes how GDPR impacts business applications and explains how Visual Guard simplifies GDPR compliance.

I. How is GDPR impacting your Applications?

You may have heard of GDPR, but you don’t know whether or not your
applications are impacted. Do they have to be modified? If so, how?

Did you know that GDPR may apply to non-European organizations?
Or that user consent is not always required?

You will find below some answers to these questions.

1.1 What is GDPR?

The General Data Protection Regulation (GDPR) is a European regulation, enforceable from 25 May 2018, aiming at protecting personal data for all EU citizens.

Sanctions for non-compliance can go up to 20 million € or 4% of your organization’s annual revenue.

1.2 Does GDPR apply to your application(s)?

Your application(s) should comply with GDPR if:

  • Your organization is based in the EU, or
  • If your application(s) process data from EU residents.

Note: Application owners are responsible for implementing data protection measures and demonstrating their GDPR compliance, even if the production of their applications is outsourced to another company (for instance a cloud provider, hosting them in production) - see Recital 74.

1.3 Which data is concerned?

Any personal, professional, private or public information, related to an individual (name, address, photo, email, financial details, medical information, blog entry…).

1.4 Is user consent always required?

Not necessarily.

By default, user consent is required, unless processing his personal data is necessary for legal reasons.

For instance:

  • The performance of a contract to which the user is party (employment contract for an employee, commercial contract for a client, etc.).
  • Compliance with a legal obligation to which your organization is subject to.
  • Protecting the vital interests of the user or another person (for instance, communicating personal data to a third party for safety/rescue reasons).
  • The performance of a task carried out in the public interest (police for instance) or the exercise of official authority vested in your organization.
  • etc.

1.5 What are your obligations under the GDPR?

Application owners should comply with the following requirements:

  • Design: for better protection, you should design and implement data protection measures together with the design and development of your application(s) (Article 25).
    See below: "Design data protection and application together"
  • Data access control: you should implement mechanisms to ensure that personal data is only processed by authorized personnel, and only when necessary (Article 25).
    This implies:
    1.  A secured mechanism should control the identity of personnel accessing data.
    2. A control mechanism should restrict access to data according to each personnel authorizations.
    See below: "Control Access to personal data"
  • Log and Audit: you should maintain records of processing activities for all personal data. These records must be made available to supervisory authorities on request (Article 30). 
    See below: "Record and Audit sensitive activities".
  • Data breaches: in case of a data breach, you are under a legal obligation to notify the Authorities within 72 hours after having become aware of it (Article 33). All the persons impacted by this breach must also be identified and notified (Article 34).
    See below: "Detect and Report data breaches."
  • User consent & access: should you request user consent, it must be explicit (opt-in) and easy to withdraw. You should explain which personal data is processed and how. You should indicate their retention time, and providing contact information to access, modify, erase or transfer their data to another system if they wish to.

II. GDPR and Visual Guard

This chapter explains how Visual Guard will help
make your applications GDPR compliant

2.1 What is Visual Guard?

Visual Guard adds security features inside your applications.

As a result, you can:

  • Control the identity of users accessing your applications (Authentication),
  • Restrict their access to certain data,
  • Keep track, monitor, and audit sensitive activities within your applications
  • Send automatic notifications when important events or activities occur.
  • Detect and report data breaches

The alternative to Visual Guard is the development of custom security code within each application. More expensive because software developers must reinvent the wheel for each development languages used in your organization. Less secured since developers are not security experts, and cannot anticipate all possible issues.

Visual Guard supports all types of application (desktop, web, mobile, SaaS...), all development language (Java, .Net, PHP…) off-the-shelf. It complies with most security, architectures and network requirements.

2.2 Verify the identity of the user

In order to control access to data, you must verify that users are who they claim to be.

Visual Guard supports several authentication strategies:

  1. Reuse Windows Accounts (Active Directory)
    - for instance for internal users
  2. Manage username/password accounts
    - for instance for external users / public
  3. For high-security systems, passwords do not provide sufficient protection.
    In that case, Visual Guard offers strong (multi-factor) authentication mechanisms.

You can combine several types of authentication within the same system.

For instance:

  • Windows account for employees/internal users
  • Username/password account for external users
Multi-factor Authentication

2.3 Control Access to your data

Visual Guard controls which personnel is authorized to view or edit sensitive data.

  • Fine grain authorizations: you define a separate authorization for each data. As a result, authorized personnel can only process certain data, and only when necessary. Authorizations can also control the type of processing activities allowed.
  • A single authorization can impact several applications, no matter their development languages. Thus, you can propagate consistent authorizations across all applications (for instance, the right to view the address of a client should be granted/revoked to the same personnel(s), at the same time, for all the applications processing this info).
Managing Users Authorizations
  • Authorizations are managed with an administration console, independent from your applications. It does not require any technical skill, and let you delegate daily security management to the most suitable personnel - for instance, a business manager managing access rights for his team members.
  • If needed, you can create new authorizations without touching your code. Pick an application object and select how Visual Guard will change them to enforce the new authorizations. For instance, Visual Guard can hide certain fields, when users cannot view certain data.
    As a result, you can patch your security on the fly. If you discover a security breach affecting applications in productions, you can address it immediately, without waiting for the usual dev>test>deployment cycle.

2.4 Record and Audit sensitive activities

  • Record user activities processing sensitive data: personal, banking or other.
  • Keep track of administrator operations: user created, authorizations granted, etc.
  • Review sensitive activities from various angles:
    1. Audit a given personnel: check his activities and authorizations
    2. Audit an application: which data were processed? When? By whom?
    3. Etc.
GDPR Audit Sensitive Activities

2.5 Send notifications when certain activities are detected

Alert administrators, controllers or managers when certain events occur:

  • Business operations (users processing certain sensitive data for example)
  • Security operations (administrators granting certain authorizations for instance)
Security Alerts and Notifications

2.6 Monitoring & Reporting

Monitor sensitives activities in real-time:

Access to certain data, execution of certain business transactions, trigger of certain security events, etc.

Select certain activities and follow their evolutions - for instance, active connections to your application - or detect possible issues - for example, financial transactions processed at unusual times...

Real-Time Monitoring - GDPR

Generate historical graphs:

  • Analyze business trends
  • Detect possible issues - for instance unexpected volumes of operations...

Note: recording and auditing are transversal to all applications:

  • Activities from all applications are logged in a central repository.
  • No need to review each system separately.
  • Controllers get an instant and comprehensive vision of all applications.

2.7 Detect data breaches and report them:

Visual Guard helps detect data breaches:

  • Review sensitive activities with real-time and historical graphs.
  • Detect suspicious activities - for instance, data processed at unusual times, like nights or weekends, or unusually large amounts of data being accessed. Such activities may reveal data breaches - for example, data being illegally and massively copied.
  • Send email alerts to concerned personnel or authorities, to inform them of a possible breach.
  • Generate a comprehensive list of data illegally processed, by which user(s), from where, with a list of all the individuals impacted by the data breach.

2.8 Design application and data protection together

When using Visual Guard, the features enforcing data protection are designed and embedded inside your application, to guarantee comprehensive and robust protection.

How does it work?

Visual Guard Lifecylce

1. Development
Developers define permissions with the VG Console.
First, permissions are stored in a development repository.
Then, they are deployed in production with the VG Console

2. Administration
Administrators manage Users and Groups,
they grant them Permissions and Roles with a Web Console

3. Enforcement
Users log into the application and VG authenticates them.
Their permissions are loaded from the VG repository,
and applied to enforce Access Control rules.
Sensitive operations are logged in the VG Repository.
Any technology capable of calling web services is supported

4. Audit
Auditors use a web application to review user operations.
They can also control user roles and permissions across all applications.

Visual Guard Lifecycle

Go Further