For single-purpose IT applications, a survey-based audit with business and IT stakeholders for GDPR compliance will get you a reliable enough GDPR Register.
For complex IT applications serving customers and internal users, the manual approach will be too slow, expensive and dangerously incomplete. To capture all the interactions between users, features and private data, you have to dig through the source code itself. Without automation, the IT team will struggle to give the DPO an exhaustive data processing inventory, and the DPO will unwittingly work with business and legal on the basis of incomplete data. That exposes the company to breaches affecting consumers (security incidents, data misuse) and to fines when incidents occur.
The CAST Application Intelligence Platform analyzes even the most beastly multi-purpose applications and builds an exhaustive inventory of all its features and how they process sensitive data. The DPO/IT Teams can then get systematic with their business consultants and lawyers to decide which processing needs to be modified, documented or enriched with consent. IT gets an actionable and trackable plan to remediate unexpected interactions, security violations and database changes.
For the DPO:
Intelligence on all the private data storage and processing that can be reviewed from a legal standpoint and then rationalized or documented.
For the IT Team:
A report of all the transactions involving the private data to be modified, the CWE/CISQ and OWASP security violations found in those transactions, and a list of the required database modifications.
What's next after May 2018: Data Protection and Compliance is Ongoing
While all eyes were fixed on the May 2018 deadline for initial compliance, the true challenge will be to stay compliant as systems are continuously modified and deployed. CAST's Data Risk Index (DRI) tracks the most critical data and the level of security and robustness of all the paths through the software leading to that data.
CAST's X-ray machine for software reconstructs the data processes behind ALL your business transactions directly from the source code, configuration files and DDL that make up your current operational systems. This automatically creates documentation for your legacy systems, tailored to the data elements you flag as high sensitivity for data protection.
Figure: a table of ID private data (name, gender, address, email) accessed by four business transactions for three purposes:
- Customer creating an account on the web front end as part of the order creation process (Green)
- Order fulfilment agent viewing the ID data to create the shipment confirmation email with delivery dates (Green)
- Business analyst accessing the data to build a gender- and social-status-based campaign that segregates customers by address, gender and name (Red)
- Unknown batch extracting all the data to feed another database for an unknown purpose (Red)
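To make the per-transaction inventory described above concrete, here is an added Python example; it is not CAST's code and not the output of its platform. It reconstructs, from a constructed DDL and the SQL statements assumed to have been extracted from each transaction's source, which DPO-flagged private fields every transaction reads or writes, then classifies each path green or red against a DPO-supplied register of documented purposes, reproducing the four rows of the figure. The schema, transaction names, SQL, purposes, the green/red rule and the per-field path count are all constructed assumptions; CAST's actual analysis and its Data Risk Index are not reproduced here.

```python
"""Toy GDPR processing inventory rebuilt from DDL plus the SQL each transaction
issues. Constructed example, not CAST's implementation or its output."""
import re

# Constructed DDL standing in for the operational schema.
DDL = """
CREATE TABLE customer (
    id INT PRIMARY KEY,
    name VARCHAR(100),
    gender CHAR(1),
    address VARCHAR(200),
    email VARCHAR(100),
    created_at TIMESTAMP
);
"""

# Fields the DPO flags as high-sensitivity ID data (assumption: DPO-supplied).
SENSITIVE = {("customer", "name"), ("customer", "gender"),
             ("customer", "address"), ("customer", "email")}

# Documented purposes and the sensitive fields each legitimately needs
# (assumption: kept by the DPO with legal; any other purpose is undocumented).
DOCUMENTED_PURPOSES = {
    "account_creation": set(SENSITIVE),
    "order_fulfilment": {("customer", "name"), ("customer", "address"),
                         ("customer", "email")},
}

# Constructed stand-in for the SQL statements found in each transaction's code.
TRANSACTIONS = [
    {"name": "WebFront.createAccount", "purpose": "account_creation",
     "sql": ["INSERT INTO customer (id, name, gender, address, email, created_at) "
             "VALUES (?, ?, ?, ?, ?, ?)"]},
    {"name": "Fulfilment.shipmentConfirmationEmail", "purpose": "order_fulfilment",
     "sql": ["SELECT name, address, email FROM customer WHERE id = ?"]},
    {"name": "Analytics.buildCampaignSegment", "purpose": "marketing_segmentation",
     "sql": ["SELECT name, gender, address FROM customer"]},
    {"name": "nightly_export.sh", "purpose": None,
     "sql": ["SELECT * FROM customer"]},
]

SELECT_RE = re.compile(r"SELECT\s+(.*?)\s+FROM\s+(\w+)", re.I | re.S)
INSERT_RE = re.compile(r"INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)", re.I)


def parse_ddl(ddl):
    """Map table -> column list from CREATE TABLE statements (one column per line)."""
    schema = {}
    for table, body in re.findall(r"CREATE TABLE (\w+)\s*\((.*?)\);", ddl, re.I | re.S):
        lines = [ln.strip().rstrip(",") for ln in body.splitlines()]
        schema[table] = [ln.split()[0] for ln in lines if ln]
    return schema


def columns_touched(sql, schema):
    """(table, column) pairs read or written by one SELECT or INSERT statement;
    SELECT * is expanded against the schema so bulk extracts are not missed."""
    touched = set()
    m = SELECT_RE.search(sql)
    if m:
        cols, table = m.group(1), m.group(2)
        names = schema[table] if cols.strip() == "*" else [c.strip() for c in cols.split(",")]
        touched.update((table, c) for c in names)
    m = INSERT_RE.search(sql)
    if m:
        touched.update((m.group(1), c.strip()) for c in m.group(2).split(","))
    return touched


def build_register(transactions, schema, sensitive, documented):
    """One row per transaction that reaches sensitive data, with a GREEN/RED
    verdict against the documented purposes."""
    register = []
    for tx in transactions:
        touched = set()
        for stmt in tx["sql"]:
            touched |= columns_touched(stmt, schema)
        private = touched & sensitive
        if not private:
            continue  # no personal data involved: not part of the GDPR register
        purpose = tx["purpose"]
        if purpose not in documented:
            status, reason = "RED", "undocumented purpose: no lawful basis or consent on file"
        elif private - documented[purpose]:
            excess = sorted(f"{t}.{c}" for t, c in private - documented[purpose])
            status, reason = "RED", f"reads fields beyond the purpose: {excess}"
        else:
            status, reason = "GREEN", "covered by documented purpose"
        register.append({"transaction": tx["name"], "purpose": purpose,
                         "fields": sorted(f"{t}.{c}" for t, c in private),
                         "status": status, "reason": reason})
    return register


def paths_per_field(register, sensitive):
    """Per sensitive field, the number of GREEN and RED transactions reaching it
    (a toy per-data-element view, not CAST's Data Risk Index)."""
    counts = {f"{t}.{c}": {"GREEN": 0, "RED": 0} for t, c in sensitive}
    for row in register:
        for field in row["fields"]:
            if field in counts:
                counts[field][row["status"]] += 1
    return counts


if __name__ == "__main__":
    schema = parse_ddl(DDL)
    register = build_register(TRANSACTIONS, schema, SENSITIVE, DOCUMENTED_PURPOSES)
    for row in register:
        print(f"{row['status']:5} {row['transaction']:38} {', '.join(row['fields'])}  [{row['reason']}]")
    for field, c in sorted(paths_per_field(register, SENSITIVE).items()):
        print(f"{field}: {c['GREEN']} green, {c['RED']} red path(s)")
```

Two design points worth noting. `SELECT *` is expanded against the parsed schema rather than treated as "unknown columns", because a bulk extract reaching an unknown destination (the last row of the figure) is exactly the path a register must not lose. And the verdict is driven by a purpose register that lists the fields a purpose needs, so a transaction with a documented purpose still turns red when it reads more than that purpose justifies, which is the data-minimisation check a DPO would want alongside the lawful-basis check.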