Implications for fiber operators
The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The scope of GDPR applies to all organizations which collect or process personal data of EU residents. GDPR will take effect and become enforceable in all EU countries from the 25th of May 2018. It is directly binding and applicable to all EU member countries. Heavy sanctions can be imposed by each country’s Supervisory Authority (SA) on organizations which do not comply with GDPR.
As a fiber operator, you most likely handle personal data of your customers on a daily basis. In order to ensure the privacy of your customers and avoid any sanctions, it is your responsibility to make sure that you fully comply with GDPR. This includes several things such as assigning a Data Protection Officer, staff training, establishing the necessary reporting routines with the national regulator and preparing your IT system environment to support GDPR compliance.
Preparing and having a plan for your IT system environment is important, as personal data is often stored and processed in multiple systems and in parts of systems which are not necessarily intuitive. A holistic approach is required, and procedures (e.g. data erasure) need to be implemented across all systems and in depth within each individual system.
As a user of the Netadmin system you can achieve this with the Netadmin GDPR compliance Add-on and by following Netadmin’s data protection best practices.
Netadmin GDPR compliance Add-on
To simplify GDPR compliance, Netadmin has packaged a number of supporting tools and functions into a GDPR compliance Add-on which extends your Netadmin deployment. This Add-on is available for all supported versions of Netadmin, including Netadmin 8.6, Netadmin 8.7 and Netadmin 9.0. If you have an earlier version, please contact us.
The Netadmin GDPR compliance Add-on includes functionality for managing customer consent and customer data erasure procedures compliant with GDPR requirements. Please contact us, or your local Netadmin partner, for further details on the GDPR compliance Add-on.
In addition to the GDPR compliance Add-on, it is advised that the best practices set out in the next section are followed in order to ensure data protection and personal data integrity and to simplify compliance with GDPR.
Netadmin data protection best practices
In order to avoid data breaches, it is recommended to follow strict IT security policies and procedures. In addition to any existing internal IT security policy, the following is a list of recommended measures:
- The servers on which Netadmin is installed should be secured in terms of both physical and network access
- The operating systems running on the servers should be continuously updated with security patches etc.
- System user passwords should consist of at least 8 characters including lower case letters, upper case letters, digits and special characters
- System user passwords should be changed regularly (at least annually)
- The Netadmin ACL authorization framework should be configured and applied to ensure that users have appropriate access
- Inactive system users which no longer need access should be removed
Managing customer consent
Consent should be documented in the system which is the master of customer data unless a specific system is used to manage consent. If Netadmin is the master system for customer data, it is recommended to document consent in Netadmin. If not, it is recommended that consent is registered in another system and any necessary handling including erasure of personal data is initiated by that system.
Managing personal data in multiple systems
Erasure of personal data should be initiated from the system which is the master of customer data. Such an erasure procedure should be propagated to all systems which contain personal data and completion of the propagated request should be ensured by the master system.
Erasure of personal data should not take longer than 180 days from the point when there is no longer a lawful basis to process it. It is therefore not recommended that backups of Netadmin data contain data older than 180 days, in order to avoid the unnecessary work of removing data from backups.
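The master-driven erasure procedure described above, as an added illustration that is not Netadmin's own code: the master system fans one erasure request out to every system known to hold the customer's personal data, records which systems confirm completion, and reports what is still outstanding against the 180-day limit. The downstream system names, the connector callables and the customer id are constructed for the example.

```python
"""Master-system erasure coordinator (added example, not part of Netadmin).
Propagates one erasure request to all systems holding personal data and
tracks completion against the 180-day limit stated in the guidance."""
from dataclasses import dataclass, field
from datetime import date, timedelta

ERASURE_DEADLINE_DAYS = 180


@dataclass
class ErasureRequest:
    customer_id: str
    lawful_basis_ended: date              # day the lawful basis to process ended
    targets: frozenset                    # systems known to hold this customer's data
    completed: dict = field(default_factory=dict)  # system -> date erasure confirmed

    def deadline(self) -> date:
        return self.lawful_basis_ended + timedelta(days=ERASURE_DEADLINE_DAYS)

    def outstanding(self) -> list:
        """Systems that have not yet confirmed erasure, in stable order."""
        return sorted(self.targets - set(self.completed))

    def is_overdue(self, today: date) -> bool:
        return bool(self.outstanding()) and today > self.deadline()


def propagate(req: ErasureRequest, connectors: dict, today: date) -> list:
    """Ask each target system to erase the customer and record confirmations.
    connectors maps system name -> callable(customer_id) -> bool (True = erased).
    Refuses to run if any target system has no connector, so nothing is skipped."""
    missing = req.targets - set(connectors)
    if missing:
        raise ValueError(f"no connector for {sorted(missing)}")
    for system in req.outstanding():
        if connectors[system](req.customer_id):
            req.completed[system] = today
    return req.outstanding()


def demo() -> ErasureRequest:
    # Constructed sample: three downstream systems, one of which does not confirm.
    req = ErasureRequest("cust-0001", date(2018, 6, 1),
                         frozenset({"billing", "crm", "provisioning"}))
    connectors = {
        "billing": lambda cid: False,     # e.g. open invoices block erasure for now
        "crm": lambda cid: True,
        "provisioning": lambda cid: True,
    }
    propagate(req, connectors, date(2018, 6, 2))
    return req
```

Re-running `propagate` later only retries the systems still listed as outstanding, so the master keeps polling until the request is complete or overdue.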
According to GDPR, personal data should only be stored and handled under certain circumstances, for example if you have an agreement with a customer which requires you to handle their personal data. In the case that a broadband customer has cancelled his or her services, it is advised that the following standard Netadmin features are utilized:
- Automatic removal of inactive customers with no services
- Automatic removal of inactive customers which have disconnected all of their previous services
Development and testing systems
Non-production Netadmin deployments should preferably not contain any personal data of real customers, both because it is not needed and because it can make erasure of personal data more complicated and costly. In the case that personal data exists in such systems, you should make sure that it is resynched with the production system or purged within 180 days.