GDPR: Privacy must be designed in to every system, says Chef

Chef encourages IT leaders to automate GDPR compliance and break the cycle of ensuring compliance only when an audit is due, then forgetting about it the rest of the time

Privacy must be built in to every system by design, and auditing should be an automatic, continual process, rather than something that's only performed when required by regulation.

That's according to Joe Gardiner, senior solutions architect at Chef, speaking at Computing's recent DevOps Summit held in central London.

Gardiner explained that the impending General Data Protection Regulation (GDPR) from the EU makes these concepts more urgent, with the fines for non-compliance about to grow significantly.

"The idea of privacy by design is especially relevant for IT organisations today," said Gardiner. "How do we make sure that every system we build has this idea of data privacy at its core? It should be built in at the design stage of the system. We need to ensure that data privacy is at the core of every system we build," he added.

Earlier at the summit, a panel debated whether GDPR mandates that all data should be deleted once used for the purpose for which it was gathered, or if researchers could still use data for new purposes in future.

Gardiner argued that there are three main considerations.

"The first is to understand your security stance. The audit cycle for every regulation is that you usually pull all the information together and ensure compliance every three to six months. Between audits the awareness of the security state of systems nosedives; we have no idea.

"What about continuous auditing? There, you move away from this lumpy process between spending lots of effort to prepare, then having no idea."

The second consideration, he explained, is around the trade-off between the desire to move quickly, to be competitive, to ship applications and generally build awesome products, and having an infosec organisation.

"Infosec's agenda is very different. They want to reduce risk, but change introduces risk. So how do you find that balance?" he asked.

The third consideration, according to Gardiner, is finding the balance between flexibility of tooling and efficiency.

"Lots of tools require you to do it all yourself. That way you get outcomes which reflect the needs of the business, but you have to invest time in building and maintaining those tools. So how can you get something more easily which is still flexible?"

The answer, according to Chef, is at least in part its open source project InSpec. InSpec helps organisations automate things like GDPR compliance.

"InSpec defines in easy language the compliance checks you need to carry out on your systems. We shouldn't be reinventing the wheel for GDPR auditing, it should integrate with everything else we do. InSpec adds that auditing layer," he explained.
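To make the "auditing layer" concrete, here is an added example of what continuous GDPR-style checks look like in InSpec's control language; it is constructed for this article and is not Chef's code or anything Gardiner showed. The control IDs, the personal-data directory `/srv/app/personal-data`, the service account `appsvc`, the config file `/etc/app/app.conf` and its `require_tls` key are all hypothetical.

```inspec
# Constructed InSpec controls (not from Chef or the article).
# Assumed: personal data lives under /srv/app/personal-data, owned by the
# hypothetical service account 'appsvc'; the application's TLS switch is a
# 'require_tls' key in the hypothetical config file /etc/app/app.conf.

control 'gdpr-data-at-rest-01' do
  impact 1.0
  title 'Personal-data directory is restricted to the service account'
  desc 'Storage holding personal data must not be readable or writable by other local users.'
  tag 'gdpr', 'continuous-audit'

  describe directory('/srv/app/personal-data') do
    it { should exist }
    it { should be_owned_by 'appsvc' }
    it { should_not be_readable.by('others') }
    it { should_not be_writable.by('others') }
  end
end

control 'gdpr-data-in-transit-01' do
  impact 0.7
  title 'Application enforces TLS for client connections'
  desc 'Personal data must not leave the host over a plaintext channel.'
  tag 'gdpr', 'continuous-audit'

  # parse_config_file reads simple key = value files; 'cmp' compares loosely
  # so "true", "True" and true all satisfy the expectation.
  describe parse_config_file('/etc/app/app.conf') do
    its('require_tls') { should cmp 'true' }
  end
end

control 'gdpr-access-logging-01' do
  impact 0.5
  title 'Host audit logging is active'
  desc 'auditd must be enabled and running so that access to the data store is recorded between formal audits.'
  tag 'gdpr', 'continuous-audit'

  describe service('auditd') do
    it { should be_enabled }
    it { should be_running }
  end
end
```

Placed in a profile's `controls/` directory, these run with `inspec exec <profile> -t ssh://<host>` from a scheduler or CI pipeline, which is what turns the three-to-six-month audit scramble into the continuous check the talk describes.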