Shields up! Securing the mainframe for the EU-US Privacy Shield
To protect your customers’ data, think like the commander of the USS Enterprise.
When we think of the term “shields”, many of us, especially the Trekkies amongst us, will think of 23rd and 24th century technologies such as starships, space stations and planets with limited protection against damage.
However, in our 21st century world, that’s light years away from the Star Trek fictional universe. “Shields” in today’s IT world often refer to security and/or privacy. One shield getting a lot of attention recently from Chief Security Officers is the EU-US Privacy Shield, which was adopted in July this year.
The Privacy Shield imposes stronger obligations on US companies to protect European citizens’ personal data. It replaces the previous Safe Harbor framework which the European Court of Justice effectively invalidated. Before October 2015, the US-EU Safe Harbor arrangement provided a mechanism for companies to transfer data from the EU to the United States.
The Privacy Shield provides a method for global companies to comply with EU data protection requirements when transferring personal data between the EU and the US. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.
In particular, the ‘notice’ principle requires that individuals be provided information about an organization’s participation in the arrangement, the types of personal data being collected, the purposes for which the data will be processed and with whom the personal data will be shared.
Another key principle – the ‘choice’ principle – requires companies to offer individuals the opportunity to choose whether their personal data will be disclosed to a third party or used for a purpose that is different from the purpose for which such personal data was originally collected or subsequently authorized.
The Privacy Shield will be unavoidable for most mainframe customers looking to access the global market place. For most companies, these requirements will mean updated privacy policies in dealings with customers and employees. This has implications for systems of record, including industries such as banking, telecoms and travel, which often hold sensitive information about customers.
Another key development is the new EU General Data Protection Regulation (GDPR). It applies to any company that handles EU citizens’ data anywhere in the world, and it also significantly extends the definition of ‘personal data’ to include anything that can identify an individual. This includes pictures, IP addresses, and biological, economic or social information.
Compliance with GDPR isn’t optional: penalties for non-compliance can reach up to €20m or fines of up to four percent of annual turnover.
While companies previously certified under the Safe Harbor framework should already be complying with many of the Privacy Shield requirements, investing time and resources in Privacy Shield certification will be an unavoidable cost of doing business in a global marketplace. Companies must implement technical mechanisms so that data subjects may be informed and, in certain circumstances, given the opportunity to opt out of uses of their personal data.
In addition, contracts with third party data processors will need to be reviewed to ensure that personal data will only be processed in a manner consistent with the basis on which the data was collected in the first place and the level of protection required by the Privacy Shield.
The enterprise tools being used to address security needs tend to be geared for distributed systems and endpoint devices running Windows, Linux, Apple Macintosh and iOS, and Google Android, but not so much for mainframe systems. Organizations rely on IBM mainframes running z/OS, z/VM, and even z/VSE, as well as other operating systems, and mainframes store up to 80 percent of an organization’s data. Most often, this data is sensitive in nature, such as customer records, billing records, etc. What’s worse is that many organizations have little knowledge of what data is where and how it’s being handled.
Fortunately, CA is the first in the industry to offer a tool to help businesses understand mainframe data risks associated with GDPR and Privacy Shield. CA Data Content Discovery (CA DCD) executes scans solely on the mainframe, without any dependence on enterprise infrastructure, to find sensitive and regulated data, and then classifies the data based on its sensitivity level so that users can review its security and decide whether to encrypt, archive or delete the data.
This solution is based around CA’s ‘Find, Classify & Protect’ model, which gives customers more control of their sensitive mainframe data. Here’s how it works in practice:
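As an added illustration of the ‘Find’ and ‘Classify’ steps, the following is example code written for this article; it is not CA DCD’s code and does not reproduce the product’s detection rules. It scans a handful of constructed records for a few of the personal-data types the GDPR passage above names (e-mail addresses, IP addresses) plus payment card numbers, validates candidate matches so that noise such as a malformed address is not reported, and assigns each record the highest sensitivity level of anything found in it. The detector patterns, the two-level sensitivity scale and the sample records are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical detectors. The patterns are deliberately simple and are not
# the product's rules; a real scanner would use far more data types.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card_number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
}

# Assumed sensitivity scale: "regulated" outranks "personal", which outranks "none".
SENSITIVITY = {"email": "personal", "ipv4": "personal", "card_number": "regulated"}
RANK = {"none": 0, "personal": 1, "regulated": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_ipv4(text: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


@dataclass
class Finding:
    record_id: str
    kind: str
    sensitivity: str


def scan_record(record_id: str, text: str) -> list[Finding]:
    """Find step: run every detector over one record and validate each hit."""
    findings: list[Finding] = []
    for kind, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if kind == "card_number" and not luhn_ok(re.sub(r"[ -]", "", value)):
                continue
            if kind == "ipv4" and not valid_ipv4(value):
                continue
            findings.append(Finding(record_id, kind, SENSITIVITY[kind]))
    return findings


def classify(findings: list[Finding]) -> str:
    """Classify step: a record's level is the highest level of any finding in it."""
    return max((f.sensitivity for f in findings), key=RANK.get, default="none")


def scan_dataset(records: dict[str, str]) -> dict[str, dict]:
    """Return, per record id, its sensitivity level and the data kinds found."""
    report = {}
    for record_id, text in records.items():
        found = scan_record(record_id, text)
        report[record_id] = {
            "level": classify(found),
            "kinds": sorted({f.kind for f in found}),
        }
    return report


# Constructed sample records; the card number is the well-known 4111... test value.
SAMPLE_RECORDS = {
    "CUST001": "Customer Jane Doe, contact jane.doe@example.com, last login from 203.0.113.7",
    "BILL042": "Payment settled with card 4111 1111 1111 1111 on 2016-08-01",
    "LOG777": "Batch job completed, 1250 records processed",
    "NET010": "Host reported 999.1.1.1 which is not a valid address",
}

if __name__ == "__main__":
    for record_id, info in scan_dataset(SAMPLE_RECORDS).items():
        print(f"{record_id}: level={info['level']} kinds={info['kinds']}")
```

The output is the inventory the ‘Protect’ step needs: a record tagged "regulated" is a candidate for encryption or deletion, one tagged "personal" needs a notice and choice review under the principles described earlier, and records tagged "none" can be left alone. The validation steps (Luhn check, octet range) matter because a classification that over-reports will be ignored by the people who have to act on it.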
For more on CA Data Content Discovery and how it can help your business stay on top of regulatory requirements, please see product details here.
After all, if your IT department doesn’t have to worry about knowing when to put the shields up because there are systems in place, there are no limits to your business going boldly where no business has ever gone before.