General Data Protection Regulation (GDPR)

 I thought it would be a good idea to revisit GDPR, just as a reminder to all of us to take stock and see how ready we are. For the uninitiated, the EU Commission, Parliament, and Commission negotiated and finalized the text of what is called the “General Data Protection Regulation” (GDPR) in December of 2015. This was officially approved as Law in April 2016 and goes into effect on May 25, 2018. And, if you’re an organization that does business in the EU or even has customers from those geographies, this could significantly change the way you do business.

GDPR Countries

Many think GDPR is an “EU thing” and doesn’t affect them because they don’t have an office in the EU.  If you are one of them, think again.  Since the EU believes that data protection should apply across national boundaries, GDPR seeks to regulate not only the protection of data within the EU but extends the law to all businesses that hold data about EU citizens, even if such a business is based outside the EU.  So, in cases where a business is based outside the EU, but offers goods and services to individuals in the EU or monitors their behavior, the GDPR will apply.  This means that a lot more businesses than previously, especially based in the US and other parts of the world now come under the ambit of GDPR.

If you’re a business, you will need to demonstrate data compliance.  An important component of GDPR is your ability to protect your data and to be able to keep tabs on how it is being used.   Think of it as “protecting your data against outsider / unauthorized access” and also “keeping tabs on your data when there is authorized access happening from insiders”.  Towards this end, you’ll need to document processes around how you handle data and may also have to appoint a Data Protection Officer.

Read: 3-step Guide to GDPR Compliance

GDPR Penalties

What has really grabbed eyeballs is the stiffness of the penalties involved.  Certain breaches can result in a fine of € 10M or 2% of a company’s annual revenues – whichever is greater.  More serious breaches could result in a fine that is greater than € 20M or 4% of a company’s annual revenues.  In some cases, the Data Protection Authority can impose a complete ban on data processing operations by an organization.

One of the directives that have received a lot of coverage is the Mandatory Breach Notification Scheme, because of the public relations fallout it could cause an organization.  If a business suffers a data breach in the form of a loss, alteration of data, or unlawful access to personal information, such a breach needs to be reported to a Data Protection Authority within 72 hours of your organization becoming aware of it.

Not just that, if the breach is likely to result in discrimination, fraud or identity theft, financial loss, damage to reputation, or any other economic or social disadvantages to the subjects, then the breach will need to be reported to each of the subjects (individuals) as well – even prior to the Data Protection Authority being notified.

But, there’s an out.  If businesses have implemented appropriate technical security measures with respect to the data affected by the breach, they may not need to notify data subjects.  For instance, if prior to the breach taking place, the data had been rendered unintelligible, by means of technologies like encryption, businesses will not need to notify data subjects of the breach.

So, encryption is a suggested, even if not mandated way to protect customer data.  GDPR may not be prescriptive about encryption but definitely considers it an acceptable and effective way to customer protect data.  Taking that important step and including it in your data processing workflow will significantly reduce your liability in terms of reporting breaches, should they occur, and help you avoid crippling penalties.

With the increased usage of cloud storage services, the need for encryption and obfuscation of data in the cloud is that much more important.  And with the widespread use of mobile devices, the need for auditing capabilities on business data usage is critical.  Keep in mind these requirements especially in the context of the mandatory breach notification clause.  Look for solutions that can effectively encrypt your data in the cloud, and also monitor the usage of such data. 

When using cloud encryption, an important consideration is a concept called the Segregation or Separation of Duties.  This means, that as a best practice, you should look for a technology barrier that clearly separates the cloud provider from the data. Here is what the Cloud Security Alliance unequivocally states (Section 2.1.2):

“However, based on the Segregation of Duties security principle, key management ideally should be separated from the cloud provider hosting the data. This provides the greatest protection against both an external breach of the service provider as well as an attack originating from a privileged user/employee of the provider.”

Cloud vendors are notoriously lacking in rigor around this area.  Statistics show that while close to 82% of cloud storage services encrypt data in transit, only 9.5% encrypt data at rest, and even fewer (around 1%) allow customers control over the encryption keys.

Don’t be fooled by BYOK (Bring Your Own Key) claims made by a number of cloud vendors and SaaS providers.  Many of them may let you specify keys for data encryption, but also retain control over the decryption of your data when they require it.  Ask the hard questions, as I have said in a previous blog post (Bring Your Own Key (BYOK) The Untold Story) on this subject.

As a business readying yourself for GDPR, encrypting your data in the cloud should arguably your highest priority.  Look for solutions that can:

• Encrypt your data on your terms
• Effect clear separation of duties
• Let you audit how the data in the cloud is being used

At Parablu, over the last few years, we have already helped several customers keep their data secure in the cloud.  Check out our solutions that can help you get yourself ready for GDPR.