Making sense of the GDPR: Balancing privacy, authorized access, and state-of-the-art
The GDPR was put in place for the greater good, to help ensure that any E.U. citizen’s data is protected and accounted for, no matter where it’s created, shared, and stored. It also gives organizations the impetus to inspect and improve their privacy guarantees if they aren’t already compliant. Certainly, we’re huge fans of any legislation that can accomplish those ends here at Vera.
While some of the tenets of the law are clear and straightforward (harmonize data privacy across Europe, protect and empower all EU citizens, and reshape the way organizations approach data privacy) there are a few areas where the language is vague and the technical challenges can be quite high.
In our conversations with privacy experts and security and risk teams, we consistently hear questions about how best to comply with the clauses covering anonymization, encryption, and system design.
More specifically, after organizations identify which data they need to protect, they then have to plan for:
- Requirements for personal information to be anonymized or encrypted,
- The need to protect against unauthorized access to user data,
- Data protection by design, and
- Data protection by default.
This is the toughest step for most organizations, and it’s compounded by the fact that many of these clauses in the GDPR aren’t prescriptive. That’s mainly because the regulation doesn’t want to make itself out of date, and both data controllers and data processors need the flexibility to align their business processes now and into the future (that’s where state-of-the-art starts to matter). At Vera, we believe we have a responsibility to share how we’re addressing these new requirements, and how we’re helping our customers do the same.
Let’s start with encryption. The GDPR’s broad aim is to protect personal data, which similar to existing HIPAA guidelines includes any individually identifying data like name, location data, identification numbers, IP addresses, cookie data, and RFID tags. The GDPR also defines a new class of “special categories of data” that needs a more stringent level of protection. This class includes health data, genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation. It’s a long list, to be sure.
Simple, always-on encryption is a great first step for companies looking to meet deadlines.
But simple encryption at rest and in transit isn’t enough, and companies evaluating this set of requirements in isolation will run into trouble down the road. Under the law, this data must be protected against unauthorized access and used for only specific purposes – and that use must be monitored and controlled dynamically over time. This is something organizations aren’t used to complying with. Strict access controls and dynamic usage policies are critical tools here. In the event of a breach or a compromise, this will mitigate the damage that a hacker can cause and also provides an audit trail of who has access and what actions they’ve taken.
This is why taking a data-centric approach to encryption and anonymization is critical – when GDPR-sized fines are looming, it’s not enough to deploy device or full-disk encryption. To limit the damage and scope of a breach notification, individual records should be protected uniquely, preventing a single attacker or identity getting access to the entire dataset.
Next up: the tricky dual requirement for data “protection by default,” and “protection by design.” The Vera platform covers both ‘data by default’ and ‘data by design’ by protecting content in applications and on devices where those services don’t comply. Vera adds the ability to automatically protect data by default, no matter what kind of data it is. What’s more, with our platform, always-on protection can be added by design into any application.
Breaches are no fun for anyone. Companies take major hits in their pocketbooks, reputation, and brand as a whole. Users lose confidence and tend to move their information and business elsewhere. The GDPR will now mandate that in the event of a compromise or breach, companies need to notify anyone whose data may have been subject to the breach/compromise, within 72 hours.
Most companies are still in the process of assessing their security infrastructures to find gaps in their EU GDPR compliance, but they can start by looking into a more data-centric security approach. Data-centric security helps mitigate these risks by providing tools that encrypt data, provide dynamic access controls, and automatically provide audit logs to ensure only privileged individuals have access to that data at all times.
I’m having this same conversation with our customers, helping to align our solutions to their roadmap. I’d be happy to have the same conversation with your team. Send me a note, and I’d be happy to set something up.