EU Data Privacy Requirements
The countdown to 25 May 2018 is on. The European Union’s General Data Protection Regulation (GDPR) is designed to improve personal data protections, restrict transfers of personal data outside the EU and increase organisational accountability for data breaches. Perhaps the most comprehensive data privacy standard to date, the Regulation presents a significant challenge for organisations that process the personal data of individuals in the EU – regardless of where the organisation is headquartered.
The cost of non-compliance is notable; organisations found in violation of the GDPR face substantial financial and administrative penalties – up to €20 million or 4% of annual worldwide turnover, whichever is larger. Organisations that are breached must notify the supervisory authority within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to individuals, notify those individuals “without undue delay,” potentially resulting in millions more spent on outreach along with substantial reputational damage.
Securing Personal Data in Compliance with GDPR
The GDPR includes specific guidance about the use of data encryption, including:
Implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…encryption of personal data” (Article 32(1)(a), Security of processing)
In the event of a data breach, the organisation is not required to inform individuals of the breach if measures that “render the personal data unintelligible to any person who is not authorised to access it” were applied to the affected data, such as encryption (Article 34(3)(a), Communication of a personal data breach to the data subject). Two caveats matter in practice: the exemption covers only notification of the individuals concerned, so the supervisory authority must still be notified under Article 33; and encrypted data is only “unintelligible” if the keys were not exposed in the same incident, which is why key custody and key separation from the data are central to relying on this provision.
The GDPR also requires controllers and processors to account for the risks associated with “unauthorised disclosure of, or access to personal data” (Article 32(2)). Ineffective identity and access management therefore bears directly on GDPR compliance, and it also leaves processors and controllers exposed to attack. Further, Article 32(1)(d) mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
The Countdown is on…Get Started Now!
Given the stringency of the new rules spelled out by the GDPR and the potential for significant penalties and reputational damage, it behooves organisations to start planning now to ensure compliance in time for the deadline.
By combining Vormetric encryption solutions with Thales HSMs to protect and manage your organisation’s most critical keys, you will be well-positioned to demonstrate compliance with the GDPR. Our security solutions can help you build and implement a data protection strategy that matches the GDPR’s coverage around:
Visit our detailed GDPR page for more information or complete our contact form to get started on your GDPR compliance strategy.