by: VMware Senior Director, IT Applications Balaji Parthasarathy
To learn more about VMware IT’s GDPR strategy, read part 1 of this blog, “VMware IT Plays a Critical Role in GDPR Compliance.”
The European Union General Data Protection Regulation (GDPR) needs no introduction. It is too important to ignore due to its global reach and massive fines. It aims to give citizens and residents of the European Union (EU) control over their personal data and applies to all organizations operating in the EU. This includes organizations outside the EU if they offer goods or services in the EU (even if they are free), monitor behaviors, or store personal data. This regulation went into effect on May 25, 2018.
(For further information on GDPR, please visit the websites provided at the end of this blog.)
The big question VMware faced with GDPR was determining what was needed for an enterprise to comply. This introduced many challenging obligations to ensure alignment with compliance regulations. IT took a holistic approach to this challenge and broke down the GDPR project into various tracks. We wanted to ensure any solutions were scalable and continued to be relevant to changing compliance needs.
GDPR Plan: Areas of Focus
Our approach did not call for a big bang solution, but rather prioritizing tracks based on the critical systems from the GDPR perspective. Below are the six main tracks, starting with Consent, the most challenging and visible topic.
Consent
The idea of consent is stronger than in previous regulations. GDPR regulations now require consent to be requested explicitly by stating the clear reason for the visitor to provide the consent. Implied or ambiguous consent is no longer acceptable.
The most noticeable change is how organizations share data behind the scenes. Today, a person visiting a single website might have their data sent to different companies for analytics, advertising, and much more. Under GDPR, organizations have to explain why the data is needed and how it is being used. Sharing of data is considered non-compliant unless clearly consented to by the data subject. This means that organizations are asking for permission to use data more often.
Here are some of the questions we had to answer on the consent front:
- How do we make consent verbiage and banners consistent and standard across all forms and websites accepting consent?
- Should we have one central place for consent information which serves as a single source of truth?
- What is the plan on converting legacy consent data, whether they are SaaS (CRM, email marketing), custom, or non-IT managed?
- What solution should we implement for the collection and use of cookies in compliance with GDPR or other applicable laws?
- What is the impact on existing software integrations and plans for regression testing?
- Do we need a user interface (UI) for the support team to read and update the consent on request?
We started by understanding the architecture and landscape of our systems. Then we proposed consent categories to be shown on the web pages to keep them consistent. This approach would enable us to scale for the future as well as be prepared for any compliance-related changes in the future. The table provides examples of the categories we considered in each consent category:
We chose to use Person Manager (PM), the main data for contacts, as the single source of consent information. The solution was designed with an API-based architecture, and system integrations with PM were prioritized. All the boundary systems that collected consent were integrated with PM in real time or near real time (batch) to keep the consent information harmonized. This is highly technical work and we had to adjust the project plan to account for the time required.
One important consideration is the impact on integrations if there is no single source for consent. For example, if system A is sending contact and consent information to system B, under the new process, system A would send to the PM, not system B. When integrating all the boundary systems to PM, tracking these relationships was necessary as the scope could quickly grow out of control.
For the consent data conversion track, we considered how far back the data needed to be extracted and the filter criteria to be applied. For example, we decided to bring in all active data from the last two years. This was an important exercise because we had to ensure we had all the data we needed. Also, the cutover had to be carefully planned and managed.
Cookie consent is another important area and is subject to further clarification with new upcoming laws. Simple “accept cookies” banners are no longer acceptable on websites using cookies. The compliant cookie message should inform the visitor of the purpose of the cookie upfront, and the requirement applies to both first- and third-party cookies. It also impacts form submissions, page tracking, video tracking, third-party tracking, pixel tracking, and personalization.
We implemented a custom technical cookie management solution that drops the cookie only if the end user is from the EU and has provided consent. The solution is highly configurable, scalable, and can accommodate any compliance changes from any country in the future. Our IT teams used scripting skills such as Java to effectively implement the solution.
When looking at cookie consent, IT had to:
- Ensure the inventory of all sites/forms is documented to prioritize the cookie consent solution
- Enable consent opt-in and opt-out that is site-specific
- Consider that consent on one browser is not applicable to another
- Remember that deleting cookies should force the consent banner again on the page
- Set consent acceptance cookies to be non-expiring
- Note that all tracking is conditionally based on the existence of a solution cookie on the user’s browser
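The checklist above can be expressed as a small decision function. This is an added example, not VMware's implementation: the cookie name, the region list, and the rule that visitors outside the listed regions see no banner are all assumptions made for illustration.

```javascript
// Added example: hypothetical names, not VMware's implementation.
const CONSENT_REGIONS = new Set(["DE", "FR", "IE"]); // constructed sample; configurable per law
const FAR_FUTURE = "Fri, 31 Dec 9999 23:59:59 GMT";  // "non-expiring"; browsers may cap this

// One consent cookie per site, so opt-in/opt-out stays site-specific.
// siteId is assumed to be a trusted configuration value, not visitor input.
const cookieName = (siteId) => `consent_${siteId}`;

// Parse a Cookie header (or document.cookie) into a Map, skipping malformed pairs.
function parseCookies(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const p = part.trim();
    const eq = p.indexOf("=");
    if (eq < 1) continue;
    jar.set(p.slice(0, eq), p.slice(eq + 1));
  }
  return jar;
}

// Returns "in", "out", or "unset"; any unrecognised value counts as unset.
function consentState(cookieHeader, siteId) {
  const v = parseCookies(cookieHeader).get(cookieName(siteId));
  return v === "in" || v === "out" ? v : "unset";
}

// Decide what the page may do. The cookie lives in one browser only, so a
// second browser (or a cleared jar) starts at "unset" and sees the banner again.
function decide({ country, cookieHeader, siteId }) {
  if (!CONSENT_REGIONS.has(country)) {
    return { showBanner: false, allowTracking: true }; // assumption for non-listed regions
  }
  const state = consentState(cookieHeader, siteId);
  return { showBanner: state === "unset", allowTracking: state === "in" };
}

// Build the Set-Cookie value recording the choice. No Domain attribute:
// the cookie is host-only and is not shared with sibling sites.
function consentSetCookie(siteId, choice) {
  if (choice !== "in" && choice !== "out") throw new Error("choice must be 'in' or 'out'");
  return `${cookieName(siteId)}=${choice}; Expires=${FAR_FUTURE}; Path=/; Secure; SameSite=Lax`;
}

// Constructed walk-through: first visit, then the same visitor after opting in.
const first = decide({ country: "DE", cookieHeader: "", siteId: "www" });
const stored = consentSetCookie("www", "in").split(";")[0]; // "consent_www=in"
const after = decide({ country: "DE", cookieHeader: stored, siteId: "www" });
console.log(first, after);
```

Every tracking call on the page would check `allowTracking` first, which is what makes tracking conditional on the consent cookie being present.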
System Remediation
One of the most important goals of this project was to come up with a list of systems that hold personally identifiable information (PII) and prioritize them to undergo assessments. We used security questionnaires to assess system compliance against applicable GDPR regulations and laws. In addition, the documentation of a set of technical control requirements was made available to system owners to test compliance. This exercise covered on-premises, cloud, and SaaS solutions. The questionnaire had questions (compliance controls) related to the following areas:
- Network, encryption, infrastructure, access management, and others. This helped to spot vulnerabilities and adhere to best practices.
- Compliance control, control priority, control owner name, and existing solutions to meet the desired objective. If there was no existing solution, a remediation action was proposed.
For example, we used the control, “Configure access for all accounts through a centralized point of authentication, for example, Workspace ONE, which uses Active Directory or LDAP.” All non-compliant systems were targeted for remediation, then tracked until the process was complete. All the remediation activities were tracked as a story to ensure compliance.
We quickly learned a couple of lessons:
- Each question should have an example if possible to provide clarity and context for teams
- Common controls for all on-premises applications should be called out ahead of time to avoid duplication of effort. For efficiency, we used our compliance tracking system to centrally store the system information.
Business Remediation
This track was used to implement changes to prioritized business processes and demonstrate GDPR compliance in areas including, but not limited to, Marketing, HR, Sales, Support, and Finance. Some examples of affected business processes included:
- Identify all entry points for data collection and the VMware privacy policy at those points.
- Provide a default opt-out when collecting personal data through intake forms and web pages so individuals had control over their data.
- Add GDPR-compliant footers on the sites with updated privacy policy globally. Also implement a records retention schedule for existing marketing databases, including local devices, in conjunction with the records management team.
- Develop and cascade training and awareness amongst employees by developing quick reference guides.
Privacy-Enhancing Tools (PET)
Technologies and processes in this track enable the VMware privacy office to discover, inventory, and map the flow of personal data across the enterprise. These tools capture business process activities and solutions to scan and discover PII from critical structured and unstructured databases. This data is helpful in answering questions on what personal data we keep and where.
These tools also enable VMware to comply with Article 30 of the GDPR (records of processing activity) and assist in data subject access rights (DSAR), such as data subject access requests, right to be forgotten, and data portability. We learned that we needed to regularly engage with business teams to better identify core business processes and prioritize the applications to be included in VMware’s record of processing activities.
Data Loss Prevention (DLP)
Data loss prevention is one of the key elements helping organizations ensure personal data is processed and stored appropriately. It prevents critical information from leaving without being monitored and prevents data from being released in an unsanctioned way.
At VMware, we implemented best-of-class tools to prevent data loss from all parts of our network, including endpoint, network, cloud applications, and the Microsoft O365 suite. Because this is an area where there could be false positives, we initially kept the solution in the monitoring phase. We are refining our policies over time to ensure alerts are appropriately generated. We worked closely with IT, Information Security, and Legal to identify requirements early in the design and implementation of DLP solutions.
Data Subject Access Rights
GDPR gives an individual the right to control his or her data. VMware has set up a formal email process to accept user requests about GDPR. In this way, the request is formal and trackable. The user request is reviewed by VMware’s Legal and Privacy teams and then channeled to appropriate teams for resolution. The process includes: reviewing the request for legitimacy, verifying the individual’s identity, clarifying the request, reviewing it against data retention policies, and addressing any other considerations. A privacy governance council or a governing body representing all major business units is available should the issue need to be escalated.
Data erasure is a very complicated task. We use PET data discovery tools to track objects and data that need to be deleted. In the beginning, this may be a manual process for companies that do not permanently delete data. It’s important to understand the downstream dependencies and impact when developing this policy. Data should be deleted and not end-dated.
Cross-Functional Project Team
The effort to comply with GDPR regulations requires collaboration and guidance from many teams. The Legal and Privacy teams provided guidance on changes, especially those related to web pages. The HR and Marketing teams played a pivotal role in compliance from the employee and customer perspective and offered innovative ideas to fulfill GDPR requirements. The cross-functional project team was highly motivated as this was an opportunity to learn how other business functions operate and brainstorm solutions to interesting use cases.
GDPR is Here
Making an organization fully GDPR compliant is an ongoing process as more countries look to adopt tighter data and privacy regulations. VMware prepared for the new regulations by taking the time to understand what was required, then responding with a comprehensive review and update of its core policies and procedures. Activity roadmaps demonstrate our commitment to GDPR compliance yet are flexible and scalable enough to address any future changes.
Additional GDPR links:
Support Your Organization’s GDPR Initiatives by Securing the Digital Workspace
IT Management and the GDPR: The VMware Perspective