The European Union General Data Protection Regulation (“GDPR”) was intended to harmonize data protection laws across Europe and to strengthen individuals' rights by giving people greater control over their personal information. The GDPR introduces a number of new obligations on controllers and processors and imposes a range of stricter data protection requirements.
In practical terms, organizations will have to work extensively to understand and prepare for a variety of new responsibilities, including accountability, new personal data breach reporting obligations, and extended individuals’ rights.
As organizations face GDPR and continue to change their processes and technical controls, it is worth considering how the concept of API management, and Oracle’s products in particular, can help our customers with their GDPR compliance efforts.
Under GDPR, individuals can request that organizations show them all personal data held about them (‘right of access’, Article 15), and they can also request, subject to certain exemptions, that all personal data about them be deleted (‘right to erasure’ or ‘right to be forgotten’, Article 17) or corrected (‘right to rectification’, Article 16). GDPR also allows individuals to request that the personal data a controller holds on them be transmitted to another controller (‘right to data portability’, Article 20).
Organizations handle such data-related requests, which can arrive from an unpredictable number of individuals, with a variety of setups. One option is to let individuals submit such requests, and receive the responses, through a self-service portal. In this context, API-led connectivity, handled by API Platform, can serve as the basis for such a portal.
Additionally, API-led connectivity offers a practical approach for linking together the galaxy of systems and facilitating data retrieval, because:
- It allows the different channels to complement each other, as it supports flexible and ad-hoc orchestration and re-routing;
- An API-led approach to integration allows data to be shared across all customer-facing and back-office systems: an integration is built once and then exposed to different areas of the business, each receiving the view of the data that its needs require;
- API-led connectivity enables bimodal IT, allowing teams to move at different speeds with varying degrees of control (e.g. ERP team vs mobile team), yet realizing a common architectural vision; and
- It accelerates access to data housed in various silos; API-led connectivity provides universal connectivity.
Therefore, a self-service portal backed by APIs can retrieve the data needed to answer the individual requests listed above and comply with them, whether the objective is to present personal data to the individual or to delete it upon request.
While API-led connectivity is an architectural approach to integration, in which APIs are the preferred way of connecting different systems and standalone services, an API call is a single communication between the service requestor and the service receiver. Each API call preserves the context and metadata of that communication, including details of the data exchanged and the policies applied. These details, together with analytics over them, can be provided by Oracle API Platform to other compliance tools.
There are additional ways in which APIs combined with API management can help our customers address GDPR obligations. By way of example only, some such practices are:
- To support the principle of data minimization, data stored in a customer-managed database can be controlled or configured through REST-based calls subject to fine-grained authorization; the database can be updated as part of customer-service administration; data can be accessed or purged through SQL scripts under granular access controls; and the application server’s log rotation policy can be used to archive or purge log files; and
- To support the data retention and accuracy principles, APIs can return configuration data stored in a customer-managed database, and that configuration data can be updated and deleted in order to respond to end-user requests for data access, correction and deletion.
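The following is an added illustration, not code from this article or from Oracle API Platform. It is a small Python module showing how a self-service portal could fan a single individual's request out over several systems of record, enforce the kind of fine-grained authorization mentioned in the first bullet above (a data subject may act only on records keyed by their own id; a hypothetical 'dpo' role may act on anyone's), and record for every call the context the article says an API call preserves: requester, subject, operation, the policy applied and the number of records touched. The silo contents, the role name and the audit-record layout are assumptions constructed for the example.

```python
"""Minimal data-subject-request orchestrator (added example, not Oracle's code).

Fans one request out over several back-end "silos" the way an API layer would,
applies a fine-grained authorization policy, and keeps one audit record per call
(requester, subject, operation, policy applied, records touched). All silo
contents below are constructed sample data.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# Constructed sample data: three systems of record keyed by data-subject id.
SILOS = {
    "crm": {
        "s-1001": {"name": "Ada Lovelace", "email": "ada@example.org"},
        "s-1002": {"name": "Alan Turing", "email": "alan@example.org"},
    },
    "billing": {
        "s-1001": {"plan": "pro", "card_last4": "4321"},
    },
    "support": {
        "s-1001": {"open_tickets": 2},
        "s-1002": {"open_tickets": 0},
    },
}

AUDIT_LOG = []  # one AuditEvent per API call, denied calls included


@dataclass(frozen=True)
class Requester:
    subject_id: str                 # the caller's own subject id (from the portal login)
    roles: frozenset = frozenset()  # e.g. {"dpo"}; role name is an assumption


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    requester: str
    subject: str
    operation: str
    policy: str            # which authorization rule allowed (or denied) the call
    records_touched: int


def _audit(requester, subject_id, operation, policy, touched):
    AUDIT_LOG.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                requester.subject_id, subject_id, operation,
                                policy, touched))


def authorize(requester, subject_id, operation):
    """Return the name of the policy permitting this call, or raise PermissionError.

    Rule 1: a data subject may act only on records keyed by their own id.
    Rule 2: a caller holding the hypothetical 'dpo' role may act on any subject.
    Denials are written to the audit log before the exception propagates.
    """
    if requester.subject_id == subject_id:
        return "self-service"
    if "dpo" in requester.roles:
        return "dpo-override"
    _audit(requester, subject_id, operation, "denied", 0)
    raise PermissionError(f"{requester.subject_id} may not {operation} {subject_id}")


def access(requester, subject_id):
    """Art. 15: collect everything held on the subject, grouped by silo."""
    policy = authorize(requester, subject_id, "access")
    result = {name: dict(records[subject_id])
              for name, records in SILOS.items() if subject_id in records}
    _audit(requester, subject_id, "access", policy, len(result))
    return result


def export_portable(requester, subject_id):
    """Art. 20: the same data in a machine-readable form another controller can ingest."""
    return json.dumps(access(requester, subject_id), sort_keys=True, indent=2)


def rectify(requester, subject_id, silo, field_name, new_value):
    """Art. 16: correct one attribute in one silo. Returns True if a record changed."""
    policy = authorize(requester, subject_id, "rectify")
    record = SILOS.get(silo, {}).get(subject_id)
    changed = record is not None and field_name in record
    if changed:
        record[field_name] = new_value
    _audit(requester, subject_id, "rectify", policy, int(changed))
    return changed


def erase(requester, subject_id):
    """Art. 17: remove the subject from every silo; return how many silos held a record.

    A second call returns 0, which a portal can use to confirm the erasure was complete.
    """
    policy = authorize(requester, subject_id, "erase")
    removed = sum(1 for records in SILOS.values()
                  if records.pop(subject_id, None) is not None)
    _audit(requester, subject_id, "erase", policy, removed)
    return removed


if __name__ == "__main__":
    ada = Requester("s-1001")
    print(export_portable(ada, "s-1001"))
    print("erased from", erase(ada, "s-1001"), "silos; remaining:", access(ada, "s-1001"))
    for event in AUDIT_LOG:
        print(asdict(event))
```

In a real deployment the in-memory silos would be the REST or database calls the API layer brokers, the requester identity would come from the portal's authentication, and the audit events would be the per-call context and analytics handed to the compliance tooling; the structure of the three operations and the denial-is-also-audited rule carry over unchanged.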
Ultimately, this article aims to illustrate how the concept of APIs and API management tools can benefit and support GDPR compliance efforts. We invite you to read more about the potential of APIs and API management tools on the Oracle API Platform page and in the paper 'Addressing GDPR Compliance Using Oracle Integration and Governance Solutions'.