If you are a CISO, or someone who deals with your enterprise’s data, hopefully you have heard of the General Data Protection Regulation (GDPR). GDPR is the biggest shake-up in European data protection legislation for 30 years. If you are just hearing about it now, as about 50 CIOs were when Data Security presented on this topic at a conference last month, and are starting to educate yourself, don’t be fooled into thinking it only applies to international companies. GDPR, which officially takes effect in May 2018, pertains to any business that collects or stores European citizens’ data.
The good news is that companies have until the May 2018 deadline to ensure that their data protection processes are compliant with GDPR. The not-so-good news is that you ignore GDPR at your own (or your company’s) peril. Data breach penalties under GDPR could be as high as 4% of global revenue or 20M Euros – whichever is greater. Now is the time to educate yourself, and Data Security can help.
Enabling GDPR Compliance
We recently partnered with IDC Research’s Duncan Brown to publish a new whitepaper titled “Enabling GDPR Compliance Through Innovative Encryption AND Key Management Approaches.” Duncan Brown is Research Director, European Security Practice, at IDC EMEA and leads the firm’s security research program in Europe. Duncan’s expertise spans the gamut of security topics, including incident response, threat intelligence, and global privacy issues. His analysis and opinions are widely sought by industry leaders and investors, and his comments on industry trends and developments frequently appear in the leading business and trade publications.
Although GDPR is not prescriptive in the technologies required to enable compliance, Duncan states, it strongly hints at the use of encryption and pseudonymization as approaches to protect sensitive data. For example, GDPR calls for mandatory breach notification to customers within 72 hours unless the sensitive data was encrypted.
Many organizations are therefore examining encryption and pseudonymization technologies. Duncan points out in the whitepaper, however, that they are quickly discovering the complexities and management overheads of traditional approaches. He goes on to describe HPE Format-Preserving Encryption (FPE), which enables field-level protection of the data. HPE FPE transforms data that is formatted as a sequence of symbols in such a way that the encrypted form has the same format and length as the original data. Because the data format does not change, retrofitting FPE into legacy applications is simple, unlike conventional encryption, whose output no longer fits the original format.
HPE FPE also preserves business functionality, meaning that normal data processing activities continue even though the data is encrypted. HPE FPE fulfills both the encryption and the pseudonymization function while allowing a company to run the vast majority of its analytics on the data in its protected form, without breaking existing applications, which makes it a particularly useful technology in the context of GDPR compliance.
One of the complexities introduced by encryption is the management of keys. According to Duncan, few organizations have the skills and processes required to manage encryption keys, particularly at high volumes. He explains how HPE Stateless Key Management minimizes this overhead by generating keys on demand rather than storing them centrally.
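The two properties described above, a protected value that keeps the format and length of the original, and a data key that is derived on demand instead of being stored, can be seen in a small working model. The code below is an added illustration written for this post; it is not HPE’s code, not the whitepaper’s, and not the standardized FF1 mode. It is a Feistel network over decimal digits with an HMAC-SHA256 round function, and a key-derivation step (HKDF) that recomputes a field’s key from a master secret and a key identity each time it is used. The function names (`protect`, `unprotect`, `derive_data_key`), the key-identity labels, the salt, the round count and the sample master secret are all assumptions made up for the example.

```python
"""Toy format-preserving encryption (FPE) over decimal digit strings, with the data
key derived on demand from a master secret (a stateless key-management pattern).

Constructed for illustration only: a Feistel network with an HMAC-SHA256 round
function in the general style of NIST FF1. It is not FF1, not HPE's product, and
not for production use.
"""
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # assumed round count for this demo


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_data_key(master_secret: bytes, key_identity: str) -> bytes:
    """Stateless derivation: the key for a given identity (an assumed label such as
    a field or tenant name) is recomputed from the master secret whenever it is
    needed, so no per-field key is ever stored, replicated or backed up."""
    return hkdf_sha256(master_secret, b"fpe-demo-salt", key_identity.encode(), 32)


def _round_function(key: bytes, tweak: bytes, rnd: int, half: str, modulus: int) -> int:
    """Keyed pseudo-random function for one Feistel round, reduced modulo 10**m."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % modulus


def _check_digits(digits: str) -> None:
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("need a string of at least two decimal digits")


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a digit string into another digit string of the same length."""
    _check_digits(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half rewritten in this round
        c = (int(a) + _round_function(key, tweak, i, b, 10 ** m)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: run the rounds backwards."""
    _check_digits(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, 10 ** m)) % 10 ** m
        a, b = str(c).zfill(m), a
    return a + b


def _map_digits(value: str, transform) -> str:
    """Apply transform to the digits of value, leaving separators in place."""
    positions = [i for i, ch in enumerate(value) if ch in DIGITS]
    new_digits = transform("".join(value[i] for i in positions))
    out = list(value)
    for pos, ch in zip(positions, new_digits):
        out[pos] = ch
    return "".join(out)


def protect(master_secret: bytes, key_identity: str, value: str, tweak: bytes = b"") -> str:
    """Protect a formatted field (card number, account number, ...): same length,
    same separators, digits stay digits, so legacy schemas and validators still fit."""
    key = derive_data_key(master_secret, key_identity)
    return _map_digits(value, lambda d: fpe_encrypt_digits(key, tweak, d))


def unprotect(master_secret: bytes, key_identity: str, value: str, tweak: bytes = b"") -> str:
    """Recover the original field; only a holder of the master secret can do this."""
    key = derive_data_key(master_secret, key_identity)
    return _map_digits(value, lambda d: fpe_decrypt_digits(key, tweak, d))


if __name__ == "__main__":
    # Constructed sample values; a real master secret would live in an HSM or vault.
    master = b"constructed-master-secret-do-not-use"
    card = "4111-1111-1111-1111"
    token = protect(master, "payments.card_number", card)
    print(card, "->", token)
    print("round trip ok:", unprotect(master, "payments.card_number", token) == card)
```

Two points worth noting for anyone evaluating FPE. First, because the output lives in the same domain as the input, the protection of a short field is bounded by that domain: a four-digit field has only 10,000 possible values, so the scheme is appropriate for long identifiers, not short codes. Second, the `tweak` argument binds a ciphertext to its context (for example, a column name), so the same digits in two different columns do not protect to the same value. The standardized modes in NIST SP 800-38G use AES rather than HMAC in the round function and a more carefully analysed construction; the model above shows only the shape of the technique.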
Download the whitepaper for more insights.
GDPR Compliance is a good thing
Are you now concerned about GDPR? If you are, keep in mind that these regulations can be a good thing for your company. Duncan Brown joined Tim Grieveson, Chief Cyber Security Strategist, Enterprise Security Products, at HPE for a special GDPR webinar. The webinar is titled “GDPR: make compliance good for your business.”
Duncan and Tim point out the ways in which compliance with GDPR will be a good thing. One point is that GDPR will help to eliminate the many inconsistencies in the patchwork of national security and privacy laws that currently make it tricky to do business in Europe, and it may eliminate the costs associated with dealing with multiple data protection authorities. It may also provide much-needed clarity around the use of newer technologies that many businesses now rely on, such as social media, cloud computing, and big data.
In the webinar, Duncan and Tim walk viewers through a “GDPR Maturity” assessment by industry and point out where companies can get the most benefit from GDPR compliance. They also help you align your GDPR priorities, including hiring for the newly created position of Data Protection Officer (DPO). One far-reaching benefit is that GDPR will compel companies to carry out a full data discovery, risk classification, and data security assessment, actions that are always beneficial to companies.