If you were existing anywhere but under a rock for the last few weeks, then you were probably subjected to a gauntlet of GDPR notifications from the websites that you frequent, including ProgrammableWeb. They may not have even mentioned GDPR or the General Data Protection Regulation. But the sudden onslaught of these messages while visiting those sites, or via email, or both was unquestionably due to the mad rush by website operators (your’s truly included) to meet the May 25 deadline for complying with the sweeping privacy regulation that was established by the European Commission (EC).
For many users of many sites, it didn’t matter whether you lived or worked in the European Union (EU) or not. You still got bombarded. The reason is that many website operators don’t even know where in the world you are experiencing their sites. For example, just because our analytics say that your traffic originates from somewhere in the EU doesn’t necessarily mean that you are in the EU. And vice versa. Thank you VPNs like NordVPN (I’m a user). So, instead of trying to geo-target their audiences for any GDPR-specific messaging, many site operators just punted and broadcasted their GDPR notifications to their entire user-bases.
But if you paid close attention to this behavior, then you noticed that the variability in comprehensiveness of GDPR remedies was kind of like going through TSA security at different American airports. You would think that somewhere, there’s a clearly articulated punch-list of all the specific things an online entity must do in order to certifiably say “I’m GDPR compliant.” There isn’t. Instead, you must consult an attorney to get an interpretation of the regulation as it was written and then the attorney, based on his or her interpretation, gives you the punch list. Not surprisingly, as with many other things involving lawyers, no two interpretations will be the same and as a result, we get we what we got: thousands of online organizations coming up with their own version of what it takes to be 100% GDPR compliant.
Amid those interpretations, there exists a general belief that there should be an audit trail that documents the transfer of personal information as it moves from one system to another (either within an organization, or between organizations). The use case for this has to do with inquisitive consumers asking a question that deserves an answer: How did you get my name? It should be no secret among netizens that our personal information is being traded, sold, and transferred without our permission. Were there to be an audit trail of how some organization ended up with your personal information without your permission (an official GDPR violation), then presumably, stiff penalties could follow. Which is why you want lawyers involved.
To understand the implications from a IT best practices point of view, ProgrammableWeb checked-in with a chief information security officer (CISO). We didn’t have to look very far as ProgrammableWeb’s parent company MuleSoft has a CISO: Kevin Paige. According to Paige, once that permission is given, the highly decoupled nature of application programming interfaces (APIs) could truly be key to GDPR-compliance as personal information starts to flow across the digital partitions that the EC and consumers view as inviolable boundaries. It’s another reason, among many discussed here on ProgrammableWeb, that organizations should be looking to accelerate their plans to break their monolithic stacks into re-usable API-led services that, taken together, can serve as the basis of those organizations' composable application networks.
"With General Data Protection Regulation (GDPR) taking hold, more companies and consumers will want to see how their data is flowing across the organization.” said Paige. "As organizations such as banks and retailers unlock customer data from legacy systems and front-end applications to create new customer experiences, there is increased complexity of securing this data in motion and decreased visibility of where the data is going.”
One issue that Paige identifies isn’t even related to the sale or sharing of personal information for sake of purposeful marketing or influence. It just has to do with how today’s disaggregated transactional workflows are stitched together. "The challenge that GDPR incites is tracking data lineage of the customer information – where it has gone and what has changed over time. A single business transaction can cross over dozens of different systems, so visibility, management and control of the data becomes even more critical.”
Which in turn shifts the spotlight to the efficacy of APIs when it comes to GDPR. One thing that’s important to note is that GDPR is just about preventing organizational abuse of personal information. It’s also about the measures that organizations must take to safeguard that information from unauthorized exfiltration by hackers.
According to Paige, just by shifting to an API-led composable enterprise (often referred to as the process of “digital transformation”), organizations naturally inherit some security benefits that simply don’t exist when IT is built as a monolith. "An API-led connectivity approach defines methods for connecting and exposing assets with APIs” says Paige. "Rather than connecting things point-to-point, every asset now becomes a managed API, which is a standardized, accessible and well-defined entry point that is easy to visualize and, therefore, secure. What emerges out of an API-led connectivity approach is an application network that allows for the concept of security by design."
"Security teams have increased visibility of the data flowing through an application network and flexible options for controlling who has access to particular systems and applications, what information they have access to and what authentication is required to get in, among a number of other options. With an application network, these doors are built into an organization’s connectivity fabric, making it more secure.”
But, in the spirit of GDPR, there’s an additional benefit to enforcing the idea of an API-led, service oriented infrastructure. If you can re-imagine a monolithic stack of systems and software as a fabric of reusable services talking to one another through APIs or other services oriented interfaces, then it should be difficult to envision those interfaces through which the data omnidirectionally flows as turnstiles. And just like anywhere else you encounter a physical turnstile (a subway, a stadium, an office building, etc), turnstiles serve as a natural form of boundary management to not only double check the permission of something or someone to pass through it, but also to make a record of that passage. You know, like an audit trail (if your lawyer demands it).
"APIs can be a natural turnstile between systems where data traveling from one place to another can be clearly identified. [In other words] the application network can provide organizations with powerful and enriched end-to-end visibility, from receipt of the initial API request call, to fulfillment of that request based on the underlying logic (e.g. database query)” Paige told ProgrammableWeb. "At each step, fine-grained monitoring, tracking and/or analysis are possible. The end result of an application network, provides the benefit of having a detailed and holistic view into all data usage in one place, so businesses now have the ability to act quickly and smartly should any issues arise or any changes need to be made.”
For example, GDPR issues.
Of course, the benefits of greatly improved security (by design), governance, and now, compliance, do not automagically accrue to anyone that starts to deploy an API-led fabric of software. While putting APIs in place is an important start to a long journey, there are currently thousands if not millions of ungoverned, unmanaged, and more importantly, unsecured APIs in the world. It still takes additional investment and the right team to get the necessary controls in place to protect your organization and its constituents.