New EU Data Privacy Requirements

The countdown to May 2018 is on. The European Commission’s General Data Protection Regulation (GDPR) is designed to improve personal data protections, restrict the international flow of private data and increase organisational accountability for data breaches. Perhaps the most comprehensive data privacy standard to date, the Regulation presents a significant challenge for organisations that process the personal data of EU citizens – regardless of where the organisation is headquartered.

The cost of non-compliance is notable; organisations found in violation of the GDPR face substantial financial and administrative penalties – up to €20 million or 4% of annual worldwide revenues, whichever is larger. Organisations that are breached will also be required to notify affected individuals “without undue delay,” potentially resulting in millions more spent on outreach along with substantial reputational damage.

Securing Personal Data in Compliance with GDPR

The GDPR includes specific guidance about the use of data encryption, including:

  • Implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including…encryption of personal data” (Article 32, Security of processing)

  • In the event of a data breach, the organization is not required to inform individuals of the breach if measures that “render the personal data unintelligible” were in place, including encryption (Article 34, Communication of a personal data breach to the data subject)

The GDPR also requires controllers and processors to account for the risks associated with “unauthorised disclosure of, or access to personal data” (Article 32). In addition to impacting GDPR compliance, ineffective identity management can leave processors and controllers vulnerable to attacks. Further, Article 32 mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

The Countdown is on…Get Started Now!

Given the stringency of the new rules spelled out by the GDPR and the potential for significant penalties and reputational damage, it behooves organisations to start planning now to ensure compliance in time for the deadline.

By combining Vormetric encryption solutions with Thales HSMs to protect and manage your organisation’s most critical keys, you will be well-positioned to demonstrate compliance with the GDPR. Our security solutions can help you build and implement a data protection strategy that matches the GDPR’s coverage around:

Visit our detailed GDPR page for more information or complete our contact form to get started on your GDPR compliance strategy.

Additional Resources

White Paper

  • For the EU's New Data Protection Regulation, Encryption Should Be the Default Option

  • Will Encryption Save Europe’s Privacy Plans?

Commission Website

  • Protection of personal data (European Commission website)

Recent Blogs

  • Three reasons why your business should take the GDPR seriously

  • You, me and the GDPR: What US businesses need to know

  • GDPR is here: Will it provide the much needed wakeup call for businesses?

  • News from the Front: GDPR at InfoSec Europe

  • The GDPR and encryption: more detail needed

About Thales e-Security

Thales e-Security + Vormetric have combined to form the leading global data protection and digital trust management company. Together, we enable companies to compete confidently and quickly by securing data at-rest, in-motion, and in-use to effectively deliver secure and compliant solutions with the highest levels of management, speed and trust across physical, virtual, and cloud environments. By deploying our leading solutions and services, targeted attacks are thwarted and sensitive data risk exposure is reduced with the least business disruption and at the lowest life cycle cost. Thales e-Security and Vormetric are part of Thales Group.