Now that the GDPR (General Data Protection Regulation) has gone into effect, there is very much a wait-and-see approach to how the regulation will shake out with regard to lawsuits and non-compliant behavior. Facebook and Google were the first U.S.-based companies to feel the wrath of a GDPR lawsuit. That being said, GDPR is about more than just data security; it is about protecting the privacy of your customers and prospects and, most importantly, establishing trust with your customers in how you steward their personal data. How do you deploy internal risk management policies with security by design to keep your organization out of harm’s way? What are your access controls? Where does personal data live in your environment? GDPR is less a technical matter than it is about ensuring that your risk management policies align with the regulation to protect you and your customers. Appropriate use and your security controls are the focus. With encryption and pseudonymization being the only technologies called out specifically in the regulation, what other technologies can help you achieve data de-identification or full anonymization?
Let’s start with a summary of GDPR rules on the handling of personal data:
- Legitimate Interest: You must have a valid reason to collect and store the confidential data.
- Consent: To use certain types of personal data about an individual for commercial or marketing purposes, you must first obtain the individual’s permission.
- The right to be forgotten: An individual may revoke access to their personal data. And you must remove it. You must also correct errors in personal data upon the individual’s request.
- Anonymization/pseudonymization: Personal data must either be anonymized or go through pseudonymization when stored. This ensures that confidential data is not accessed inappropriately.
- Sharing externally: If you obtain consent to share personal data with external parties, you must be able to revoke the parties’ access to these data. This includes the obligation to ensure that the data is erased from the data warehouses of the partners.
Assessing Your Security Controls
GDPR favors reasonable security for your cybersecurity controls. If GDPR is truly about protecting personal data, how do you guarantee your organization will not be subject to massive fines? It starts with Article 32, where GDPR calls for appropriate technical and organisational measures to ensure a level of security appropriate to the risk. While that sounds a bit nebulous, Article 32 requires you to ask how your actions will be judged against a standard of reasonable security. This level of assessment should be determined by your appointed DPO (Data Protection Officer), who can determine the legality of your compliance program. GDPR is about more than data security; it is about protecting privacy. Take misuse of personal information, for example: if you do something with the data because you feel it will be great for your organization, you have to make sure that it is legal. That is why you appoint a DPO.
Data Security Assessment
Data security is designed around protecting the privacy and processing of data. You have to assess who the good guys are and who presents a threat to your organization. This assessment should be applied both internally and externally. Who has access? What are your access controls, authentication procedures, etc.?
Breaches Happen - Document
The reality is that you can still be breached even if you are doing all of the “right things.” Most breaches come from internal mistakes and not necessarily a nefarious cybercriminal. Plan as far as you can for the worst legal aspects and implications. The main issues to look at are “appropriate use” of the personal data, while applying the proper security controls. The complaints that a customer or prospect may file will force the EU to investigate your internal management of the data, as well as the 3rd party vendors you utilize. The serious legal trouble is born not from the data breach itself or the data stolen; what will kill your organization is when the stolen data is used to profile customers or prospects in ways not anticipated by the subject whose data is being used. Document. Document. Document. And, document some more to show you have a process to make a defensible position.
Some key areas to look at:
- Are you able to pseudonymize or anonymize the personal data?
- What are your personal data retention policies?
- Are you testing across your environment, which includes 3rd party vendors?
- Have you established training and awareness programs?
- How is your personal data being processed?
- How is the data at rest secured?
- How is data in transit secured?
Develop a framework of security in a compliant fashion without completely removing the data utility. There are also strategies for handling consent. A control framework is needed until there is a risk management classification of data. Strike a balance between the benefit of the data (does your business need it?) and providing security and compliance. Organizations have to be good stewards of data, as GDPR is all about privacy and control of data.
3rd Party Vendor Accountability
Your 3rd party vendors will have to follow your “code of conduct” of handling, processing, storing, etc. personal data, as your organization is responsible for your 3rd party vendors. There is no, “I was not aware of how they were handling, gathering, processing, storing, etc. our personal data” argument. You are responsible for the totality of your environment, so a strict vendor risk assessment is the only way to make sure that a vendor is not putting your organization in harm’s way. Again, here is another opportunity where documentation can support your organization in favor of the GDPR.
With most data breaches being born out of internal errors, lack of oversight, poor security controls, etc. you must plan as far in advance for the worst legal aspects and implications in your cybersecurity posture. You can be breached even when you are doing everything properly, but breach complaints will force the EU to investigate your internal management of the sensitive data sets, which is why a code of conduct is absolutely necessary. Their investigation will focus on whether an organization has proper technical and organizational controls in place.
What Technologies Exist to Properly Pseudonymize Personal Data?
This is not a technology issue, since solutions to properly pseudonymize your data already exist; it is a business issue. Start with data discovery. No one specific technology is called out for GDPR save for encryption and pseudonymization, so organizations are trying to determine which solutions will hold up to the GDPR regulation. There are multiple solutions that are capable of de-identifying personal data, but let’s start with encryption. In theory, if you encrypt your data, then no data will be exposed. That assumes that the private and public key management stays current, and that the management of these keys falls in line with security best practices. Who will manage the private and public keys is as important as the type of encryption that you use, because proper key management has always been the Achilles heel of encryption. Beyond that, encrypted data can potentially be decrypted. This is why tokenization is becoming a much bigger player: it separates the data without requiring keys to be managed, and the tokenization process cannot be reverse engineered.
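An added illustration of the tokenization approach described above (not code from the original article or from any vendor): personal fields are replaced with random tokens, and the token-to-value mapping lives only in a separate vault. The class, function and field names and the sample records are hypothetical and constructed for this example.

```python
import secrets

# Constructed sample records; names, e-mails and fields are made up for illustration.
SAMPLE_RECORDS = [
    {"email": "anna@example.com", "name": "Anna Berg", "country": "DE", "order_total": 120},
    {"email": "li@example.com", "name": "Li Wei", "country": "FR", "order_total": 75},
    {"email": "anna@example.com", "name": "Anna Berg", "country": "DE", "order_total": 40},
]

class TokenVault:
    """In-memory stand-in for a vault kept apart from the working data set (hypothetical)."""

    def __init__(self):
        self._by_value = {}  # personal value -> token
        self._by_token = {}  # token -> personal value

    def tokenize(self, value):
        # Same value -> same token, so joins and counts still work on tokenized data.
        if value not in self._by_value:
            token = "tok_" + secrets.token_hex(16)  # random; not derived from value or a key
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token, caller_authorized):
        # Re-identification is a vault lookup gated by access control, not a decryption.
        if not caller_authorized:
            raise PermissionError("caller may not re-identify data")
        return self._by_token[token]  # KeyError once the subject has been erased

    def erase(self, value):
        # Right to be forgotten: without the mapping, remaining tokens cannot be resolved.
        token = self._by_value.pop(value, None)
        if token is None:
            return False
        del self._by_token[token]
        return True

def pseudonymize(records, vault, personal_fields=("email", "name")):
    # Replace only the personal fields; the rest keeps its analytic value.
    return [
        {k: vault.tokenize(v) if k in personal_fields else v for k, v in rec.items()}
        for rec in records
    ]

if __name__ == "__main__":
    vault = TokenVault()
    for row in pseudonymize(SAMPLE_RECORDS, vault):
        print(row)
```

In a real deployment the vault would be a separate, access-controlled service rather than an object in the same process as the pseudonymized data.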
Dativa has put together an excellent table breaking down the differences in technology to be used for splitting raw data detailing the different security measures designed for GDPR compliance:
GDPR Article 25 – Security
Implement measures designed to:
- Deny unauthorized persons access to processing equipment used for processing (‘equipment access control’);
- Prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’);
- Prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data (‘storage control’);
- Prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’);
- Ensure that persons authorized to use an automated processing system have access only to the personal data covered by their access authorization (‘data access control’);
- Ensure that it is possible to verify and establish the bodies to which personal data may have been or may be transmitted or made available using data communication equipment (‘communication control’);
- Ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
- Prevent the unauthorized reading, copying, modification, or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
- Ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
- Ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).
Questions to Ask in Relation to the GDPR
Can you pseudonymize your personal data? How long are you holding the data? How are you testing your internal environment, including your 3rd party vendors? What type of training and awareness programs are you supporting or deploying internally to promote GDPR-compliant policies? How is your data being processed? A code of conduct is needed, with a compliance-minded collection of data.
Evaluate your environment. How are you sharing personal data? How are your vendors sharing data? Assess and evaluate. A flurry of contracts that list what personal data vendors will protect is simply not enough. Tokenize, encrypt, or get rid of the data altogether if you are not going to protect the data appropriately. The pseudonymization framework gives a means to continue collecting personal data in a compliant manner for GDPR without having to drop confidential data that can enable continued data science within the organization.
Ulf Mattsson is the Head of Innovation for TokenEx, and he is the inventor of more than 55 patents in the areas of Encryption, Policy Driven Data Encryption, Internal Threat Protection, Data Usage Control and Intrusion Prevention. TokenEx is the enterprise leader in data protection.