
GDPR compliance | IOA Knowledge Base Community


GDPR compliance

  • cwhite


    How are other customers preparing for GDPR compliance?  I have gone through the GDPR text and am constantly confused by its applicability to non-EU organizations.  Not looking for legal advice, but given the ambiguity and inevitable need to adapt to whatever GDPR brings, I'm interested in the architecture approach.

    Any insights on this topic will be incredibly helpful.


  • marekmoszynski


    Yes, the May 2018 deadline looms along with the impacts. Depending on your particular industry and circumstances, the game plan may vary.  At a high level, the ‘General Data Protection Regulation’ is about protecting personal data location, how it’s stored and controlled (see the EU's GDPR website). 

    Controls and accountability regulations are fairly granular to the country level. Because of this, you need to know where any personal data is stored, which may or may not exclude storing it in public cloud, depending on the location guarantees you can get from public cloud providers.  You may need private storage that is colocated to make it easier for programs running in cloud to compute (not keep the data).  The colocation allows you to lock the data down. Example - if someone from outside the country (cloud or internet) wants to access the data, they can’t, because the policy controls are locally enforced.

    I hope this helps as a first pass, let me know if you want to dive deeper on a topic.

  • cwhite

    Thanks for the reply.  What are the most common areas of risk and ways to address them? Can you point to specific docs or resources that explain/illustrate what you wrote?

    Thanks again

  • marekmoszynski


    Considering the content we have on IOAKB, I suggest taking a look at the Security and Data blueprints:

    Security Blueprint - the entire security blueprint is focused on creating a zero trust boundary and inspection zone at the digital edge, which is the interconnection control point for clouds, partners and users.

    • It shows incremental phases of layered enforcement and predictive analysis applied to all traffic flows to and from clouds, partners as well as corporate backbones and the internet.
    • It uses securely stored policies to drive traffic segmentation by groups, roles or message types.
    • It uses on-the-wire deep packet inspection to analyze traffic according to policies and can store encrypted keys securely in the edge.
    • It ensures that the edge is an extension of your data center; therefore you can store sensitive data in the edge, where all required cloud applications can access that data without actually housing it.  The data access is fast and you have your choice of storage mechanisms at the edge.

    Data Blueprint - the data blueprint assumes, and therefore leverages, the design patterns delineated in the security blueprint.

    • Design Pattern 1 & 2 - emphasize localizing storage at the edge, where requests to access that data are subject to an inspection zone but the data remains accessible to any cloud-based application with the proper credentials.
    • Design Pattern 3 - shows the same for streaming flows (e.g. IoT or customer PII data from mobile applications). The advantage of this approach for GDPR is that data can be scrubbed or made anonymous before being sent to cloud-based applications for deeper analysis.
    • Design Pattern 4 & 5 - follow the same principles of isolation and inspection when applied to selling data or transporting it to different regions.

    Please let me know if you need more guidance on this content.  And best of luck with GDPR!
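    A concrete illustration of the scrubbing step mentioned under Design Pattern 3, written as an added example for this thread rather than code from the IOA blueprints: a small Python edge-side filter that applies a per-field policy to each streaming event before the event is forwarded to cloud-based analytics. The field policy, the HMAC key and the sample event are all constructed for this example; in a real deployment the key would be held in the edge's key store and the policy would come from the securely stored policy set the security blueprint describes.

```python
import hashlib
import hmac
import json
import re

# Constructed key for this example. In a real edge deployment it stays in the
# colocation facility's key store and is never forwarded, so cloud tenants cannot
# reverse or brute-force the tokens produced below.
EDGE_PSEUDONYM_KEY = bytes.fromhex("0f" * 32)

# Constructed per-field policy. Unknown fields fall through to "drop", so a new
# upstream field cannot leak by accident (default deny).
FIELD_POLICY = {
    "customer_id": "pseudonymize",      # stable token: analytics can still join per customer
    "email": "pseudonymize",
    "full_name": "drop",                # direct identifiers not needed for analysis
    "phone": "drop",
    "device_ip": "drop",
    "birth_date": "generalize_year",    # quasi-identifier: keep the year only
    "postcode": "generalize_postcode",  # quasi-identifier: keep the outward code only
    "comment": "redact_text",           # free text may carry copied identifiers
    "event": "keep",
    "temperature_c": "keep",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def pseudonymize(value: str) -> str:
    """Keyed one-way token (HMAC-SHA256, truncated). Same input, same token, so
    events can still be correlated; without the edge key it cannot be reversed."""
    normalized = value.strip().lower().encode("utf-8")
    return "psn_" + hmac.new(EDGE_PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()[:32]


def redact_text(text: str) -> str:
    """Mask e-mail addresses and phone numbers embedded in free text."""
    return PHONE_RE.sub("[phone]", EMAIL_RE.sub("[email]", text))


def scrub_record(record: dict) -> dict:
    """Apply FIELD_POLICY to one event; returns the record that may leave the edge."""
    out = {}
    for field, value in record.items():
        action = FIELD_POLICY.get(field, "drop")
        if action == "keep":
            out[field] = value
        elif action == "pseudonymize":
            out[field] = pseudonymize(str(value))
        elif action == "generalize_year":
            out[field] = str(value)[:4]
        elif action == "generalize_postcode":
            out[field] = (str(value).split() or [""])[0]
        elif action == "redact_text":
            out[field] = redact_text(str(value))
        # "drop" (and any unknown action): the field never leaves the edge
    return out


def leaks_raw_identifier(original: dict, scrubbed: dict) -> bool:
    """Edge-side self-check: the raw value of a protected field must not appear
    anywhere in the forwarded record (e.g. because it was pasted into free text).
    Deliberately conservative: very short raw values may trigger false positives."""
    forwarded = json.dumps(scrubbed).lower()
    for field, value in original.items():
        if FIELD_POLICY.get(field, "drop") == "keep":
            continue
        raw = str(value).strip().lower()
        if raw and raw in forwarded:
            return True
    return False


def scrub_stream(jsonl: str) -> list:
    """Scrub a newline-delimited JSON stream and refuse to forward any record that
    still carries a raw identifier after scrubbing."""
    forwarded = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        clean = scrub_record(event)
        if leaks_raw_identifier(event, clean):
            raise ValueError("scrubbed record still contains a raw identifier")
        forwarded.append(json.dumps(clean, sort_keys=True))
    return forwarded


# Constructed sample event, as a mobile app or IoT gateway might emit it.
SAMPLE_EVENT = {
    "customer_id": "C-1001",
    "email": "Anna.Example@example.org",
    "full_name": "Anna Example",
    "phone": "+44 20 7946 0000",
    "device_ip": "203.0.113.7",
    "birth_date": "1985-06-14",
    "postcode": "SW1A 1AA",
    "comment": "Call me on +44 20 7946 0000 or mail anna.example@example.org",
    "event": "thermostat_reading",
    "temperature_c": 21.5,
    "unexpected_field": "must not leak",
}

if __name__ == "__main__":
    for line in scrub_stream(json.dumps(SAMPLE_EVENT)):
        print(line)
```

    Two design choices matter for the GDPR argument in the post above. The tokens are keyed (HMAC) rather than plain hashes, because an unkeyed hash of an e-mail address or customer number is trivially reversible by enumeration on the cloud side, which would defeat the point of keeping the data at the edge. And the policy is default-deny with a post-scrub self-check, so a newly added upstream field, or an identifier copied into a free-text comment, is stopped at the edge instead of reaching the cloud application.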

  • mattgeorge

    GDPR compliance is applicable to any organisation that is processing EU citizens' data, irrespective of whether they are in the EU or not. Certain countries outside of the EU are covered by the 'Adequacy' clause, which means they already have in place country-specific legislation that complies with EU GDPR guidelines. These countries are: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay.

    Non-EU countries not on this list are classified as 'Third Countries' and will require separate contracts between themselves and organisations that are selected as Data Processors. Some info here, but also check with your company's Data Protection Officer or legal team for any derogations.


  • Snarkier

    Hello - marekmoszynski, excellent points.  I'd like to build upon the solid guidance Marek provided with some particular points in the Security, Data and Application blueprints as they relate to addressing the challenges that GDPR poses and the benefits that an IOA-first strategy can bring.

    • Application Blueprint – two design patterns can be used as tactics to support the GDPR requirements (API Management and Messaging). API management would leverage the secure boundary and policy-based segmentation to allow legitimate users to access information via an API and messaging, alleviating the need to ever know where the data is. Strict policy adherence can be assured with the invocation of proper role-based policy access. Illegal access and accidental leakage can be prevented with proper API and messaging tactics.

    • Security Blueprint – in particular the boundary control, inspection zone and policy enforcement design patterns. These 3 patterns create a secure boundary that is based upon a “trust nothing” policy. All traffic from all directions is inspected for validity at the packet level and then segmented to the proper target based upon programmable policies that are held in the secure colocation facility. In addition, the Security Analytics and logging design pattern gathers information about potential evolving threats, which enables the boundary to learn and report as threats evolve.

    • Data Blueprint – the data blueprint leverages the security blueprint and assumes an active policy-based boundary control with inspection zones. The data blueprint augments this secure zone with the ability to store sensitive data in the digital edge, so that multiple cloud-based applications can access that data without owning it. Any request by a cloud-based application will be fast, leveraging the cloud interconnection, yet secure. If cloud-based apps need to exchange information through messaging, all those messages are subject to inspection and segmentation. Internet-based applications that make requests through the colocation hub (the digital edge) will also be subjected to packet inspection and policy-based routing.

    I have practiced pattern-based design for over 20 years and am passionately curious about how technology affects our lives.
  • rorymurphy

    Good points here. 

    But also good to look at GDPR as a help to improve marketing in general too, or as Alan Coleman, CEO of Wolfgang Digital says ... 

      “GDPR is great for marketing ... The elephant in the room is this: most advertising is crap. We all know this to be true. GDPR forces brands to get more creative in how they deliver brand experiences that have their audience requesting more. Greater rewards for great marketing.”


  • tpeluso

    rorymurphy, thanks for sharing!  Agreed. The power of the consumer & user experience can't be underestimated (table stakes for digital).

    Terri Peluso IOA Knowledge Base & Community Manager