GDPR and POSIA™, not just DPIA anymore. This should be a new acronym for you as I just created it to identify an important GDPR process. It stands for Point-Of-Sale Impact Assessment.

GDPR and POSIA™, not just DPIA anymore. This should be a new acronym for you as I just created it to identify an important GDPR process. It stands for Point-Of-Sale Impact Assessment. The most difficult hurdle in becoming GDPR compliant is to keep your main revenue generating applications functioning while the data used by your Point of Sale and Customer Service applications remains encrypted. How can a company survive if they can’t take orders, or satisfy their customer’s needs?  GDPR experts have suggested that the first task to complete is a Data Protection Impact Assessment (DPIA), which identifies the location of exposed personal data in your data environment, and I totally agree.  If you are audited, this will be one of the first things regulators will ask to see.  I am suggesting that your very next concern should be how to maintain the use of your revenue generating applications while planning for eventual use of encrypted data. I call this POSIA or Point Of Sale Impact Assessment.  How should you go about making and implementing this plan?

Prior to POSIA, companies might go through the following steps:

  1. Conduct a DPIA
  2. Prepare a Remediation Plan for encrypting personal data
  3. Realize the plan covers most forms of data at rest and the data they most often use
  4. Then realized the plan will make them unable to use their cash registers to accept store purchases, process on-line or phone orders from customers, intelligently discuss a customer’s issues or provide them with services.
  5. Also realize Data Scientists, Data Management and Data Analysts will not be able to deliver marketing results, Artificial Intelligence, Predictive Analytics or most any form of Analytics.
  6. Temporary work stoppage (while personal data stays exposed), considerable reconsideration and modification and enhancement to the Architecture and Project plan.

What Companies eventually realize is complying with GDPR could put them out of business. They need to either, find a way to continue using their data assets while their data remains encrypted, or just abandon GDPR. If a competing company does discover how to use encrypted data, how long will it be before that company’s profits and market share strongly increase as a result of receiving no regulatory fines or suffering damaging intrusions. It appears the path to success is using your data while it remains encrypted and understanding the process to go through to make that happen. I call this process POSIA.

POSIA’s Primary Considerations:

  1. Identify all Applications that utilize customer’s personal data. Data fields that should be encrypted to reach GDPR compliance. The use of the DPIA and its generated Metadata Catalog should be very beneficial in this phase.
  2. Identify which of these third party applications lend themselves to using API’s at identified ‘exit points’ or are home-grown applications where exit points can be controlled or built. The APIs will do the work of decrypting and re-encrypting data fields, one customer or grouping at a time, so that the application can continue to function, and only minimal customers will have data decrypted at one time.
  3. Identify which of these applications do not have obvious exit points available for insertion of APIs. These are your major obstacles that must be addressed.
    1. Which programs are built in-house?
      1. Are they modifiable, can they be re-written or can new products be purchased?
        • If the above cannot be delivered can the BigDataRevealed POS API Front-Run the application with a simple graphical interface to be executed and return the necessary data in the proper decrypted format.
      2. Which applications were purchased from vendors?
        1. Are you current on maintenance if available?
        2. Are they in business?
  • Do they offer new technology to utilize APIs or access encrypted data?
    • If the above cannot be delivered can the BigDataRevealed POS API Front-Run the application with a simple graphical interface to be executed and return the necessary data in the proper decrypted format.
  1. Discover, research and test all these legacy operational systems for daily, weekly, monthly, annual and other possible time frames for unexpected errors that might arise only during these special time periods.

A POSIA is the high-level plan that will be used to direct the detailed analysis, development and testing efforts of many teams of technologists.

Special knowledge and skill will be required to ensure that Encryption/Decryption keys are securely controlled and that the APIs are appropriate for the data sources used.

Other important considerations for GDPR and General Regulatory Compliance of Citizens Personal Data:

  1. Encrypt/Protect Personally Identifiable Information. (In my opinion, this has to be the central component of GDPR Compliance with all of the companies data assets centralized in one Big Data File System for GDPR Compliance to be successful). Yet what does it take to be compliant. Names, Addresses, Birth Dates, Credit Card Numbers, Emails, Social Security Numbers, National, ID’s, etc. are obviously fields that can be exploited by hackers and need to be encrypted or otherwise made anonymous.
  • Run an initial and periodic Data Protection Impact Assessments and create Metadata Catalogs to become aware, store and share the locations of suspected Customers Personal exposed Data.
  • To be compliant these Personal Identifiers & more must be protected everywhere in a company’s data environment; including office documents, PDFs, emails etc.
  • How often does a company run Discovery if non-encrypted personal data has been re-included into their environment? Companies constantly add data from many sources which should be processed before its included in a company’s data environment. Sources such as IoT, Social Media and Third-Party sources. Protecting Personal Data is a 24/7/365 effort, not a once every quarter process.
  • How often does a company de-crypt personal data to perform Marketing, AI & Business analytics? Do they use an environment that is Off the Grid for this purpose so that hackers can’t hijack the process or steal data while the process is running?
  1. Consent Processing.
  • Does a company clearly state how the personal data collected by them will be used?
  • Cookies are not valid consent!
  • Does the Consent process allow interaction between the company and the citizen, bilateral communication and the ability for the citizen to qualify their consent; such as use this email account only, or this phone number only in dialog boxes or documents.
  • Does the Consent Process allow the citizen to change their mind at any time?
  • Does the Consent Process protect the data collected from citizens from mis-use by others?
  1. Right of Erasure.
  • How can a company find all the information associated with a single individual? Imagine all the disparate sources a company would need to interrogate; Business Applications, Legacy systems, Documents, PDFs, emails, XML documents, many types of unstructured data. The list would be very long indeed. If a company has no Central Repository for data, I find it nearly impossible to believe they have a process to grant a citizen their Right of Erasure.
  • Can a company explain when processing a citizen’s Right of Erasure which types of data can be deleted and which must only be encrypted or sequestered as it might be subject to legal recall.

Indirect Identifiers.

  1. They are seldom discussed because companies have such great difficulty discovering them in their environment. Indirect Identifiers can be comprised of multiple data fields found separately across many different files. What process would a company use to bring those fields together for remediation? Without a central repository to bring together all a company’s disparate data I believe it would be extremely difficult and improbable to identify these indirect identifiers.
  2. The process for discovery requires logically connecting multiple files by a variety of fields; in effect generating logical views of many different files, on many different operating systems and platforms. If a company doesn’t articulate their efforts to link disparate files, then most certainly they are not accurately discovering Indirect Identifiers.
  3. A reporting system in place when Customer Personal Data has been hacked to inform various Regulatory agencies requiring notification.

I would be pleased to assist any company reach more complete compliance by sharing my expertise, my experience with methodologies, product/project management agile styles, technology stacks and frameworks that have promise in this battle with and against exposed Citizens personal data. True GDPR Compliance as a quick deliverable is improbable to impossible with the shortage of GDPR, Data management and security personnel. Ad to this the limited amount of software technologies and the fact they are smaller companies in nature, do not have the bandwidth even if every company in the world wanted to subscribe to their technologies. Steve 847-791-7838 Point-Of-Sale          Amazon AWS AMI I Designed, Architected





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s