GDPR is the new EU data protection regulation that affects every organization doing business in the EU and its partner countries. In part 2 of this blog series we discussed the most important aspect of GDPR: consent. Once you have consent to handle customers' PII, however, you still fall under the compliance requirements for protecting it. GDPR is changing the way organizations collect, handle, and use PII, and its protection requirements include a process the regulation calls pseudonymization. In this final part of the series we recap the foundations of GDPR and then focus on what pseudonymization is and what counts as personal data. How accepted, and how effective, are tokenization and encryption in achieving pseudonymization? How will TokenEx customers achieve GDPR compliance with the TokenEx security stack? What is the expected cost for United States based organizations? And why is TokenEx taking the lead by becoming GDPR compliant itself?
The GDPR applies not only to organizations located within the EU but also to organizations outside the EU that offer goods or services to, or monitor the behavior of, EU data subjects. It applies to every company processing or holding the personal data of data subjects residing in the European Union, regardless of the company's location.
- Customer consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.
- Explicit consent is required only for processing sensitive personal data - in this context, nothing short of “opt in” will suffice.
- A Data Protection Officer (DPO) must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data (Art. 37).
- The maximum penalty for an organization found not to be in compliance is 4% of annual global turnover or €20 million, whichever is higher.
- Data subject rights and related obligations: breach notification, the right to access PII being processed, the right to be forgotten, data portability, and privacy by design (Article 25 requires controllers to hold and process only the data necessary for the specified purpose).
- Article 4(5) of the GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.
What is Pseudonymization?
“Pseudonymization” is a form of “de-identification,” the broader term used by the National Institute of Standards and Technology in NIST IR 8053. It is formally defined there as a “particular type of anonymization that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms.”
Pseudonymization has been defined in the GDPR as: data that is ‘coded’ (i.e., details such as a data subject's name and address are replaced with pseudonyms) such that the data cannot be attributed to a particular data subject without the use of additional information.
Tokenization and Encryption
Under the GDPR, pseudonymous data is still personal data, but it is likely to be subject to less stringent protections, because the regulation treats pseudonymization as a risk-reducing safeguard. There are generally two forms of pseudonymization: tokenization and encryption. For encryption, the regulation requires that the encryption key needed to re-identify data subjects be kept separately from the coded data and be subject to technical and organizational measures that prevent inadvertent re-identification. Tokenization, in contrast, requires no cryptographic key: a token is a random surrogate with no mathematical relationship to the original value, so there is nothing to break or brute-force. The token vault that maps tokens back to values is the “additional information” of Article 4(5), so it must likewise be kept separate and protected; the practical advantage is that this is a single vaulting service to secure rather than key material spread across your own systems, which is why tokenization is the easier and more efficient method of pseudonymization.
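To make the distinction concrete, here is an added example in Python; it is not TokenEx code and is not part of the original post. The customer records are constructed sample data. Vault-based tokenization is modelled with an in-memory `TokenVault` class, and, because the standard library ships no block cipher, the key-based branch is modelled with an HMAC-SHA256 pseudonym rather than reversible encryption (both share the property that re-identification depends on separately held secret material). A third function shows why an unkeyed hash of an identifier is not pseudonymization at all.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example; the people and addresses are not real.
RECORDS = [
    {"email": "anna.schmidt@example.org", "city": "Berlin", "order_eur": 120},
    {"email": "luca.rossi@example.org",   "city": "Milan",  "order_eur": 75},
    {"email": "anna.schmidt@example.org", "city": "Berlin", "order_eur": 30},
]


class TokenVault:
    """Vault-based tokenization (hypothetical in-memory model).

    A random token replaces the identifier and the token->value mapping is
    kept here. The vault is the 'additional information' of Art. 4(5): without
    it a token is just a random string, so the vault must live in a separate,
    tightly controlled environment, exactly like a key store would.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already vaulted so records of the same
        # data subject stay linkable in the pseudonymised dataset.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, not derived from value
        while token in self._token_to_value:      # collision is vanishingly unlikely
            token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Re-identification is only possible for a party holding the vault.
        return self._token_to_value[token]


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Key-based pseudonymization with HMAC-SHA256 (stand-in for the encryption branch).

    Deterministic (same value, same key -> same pseudonym) so records stay
    linkable, but one-way: even the key holder can only confirm a guessed
    value, not recover it. The key must be stored apart from the data.
    """
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pseu_" + mac[:32]


def unkeyed_hash(value: str) -> str:
    """What NOT to do: a plain hash with no key and no vault."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(records, vault: TokenVault, key: bytes):
    """Copy the records with the direct identifier replaced by a vault token
    and by a keyed pseudonym, so the two methods can be compared side by side."""
    out = []
    for rec in records:
        out.append({
            "subject_token": vault.tokenize(rec["email"]),
            "subject_hmac": keyed_pseudonym(rec["email"], key),
            "city": rec["city"],
            "order_eur": rec["order_eur"],
        })
    return out


def reidentify_unkeyed(hashes, candidate_values):
    """Dictionary attack on unkeyed hashes: anyone with a list of plausible
    identifiers (customer emails are easy to enumerate) recovers them with no
    'additional information' at all, so an unkeyed hash is not pseudonymisation."""
    table = {unkeyed_hash(v): v for v in candidate_values}
    return {h: table[h] for h in hashes if h in table}


def leaks_identifier(pseudonymised, records) -> bool:
    """True if any original email survives anywhere in the pseudonymised output."""
    emails = {r["email"] for r in records}
    return any(v in emails for rec in pseudonymised for v in rec.values())


if __name__ == "__main__":
    vault = TokenVault()            # belongs in the vaulting environment
    key = secrets.token_bytes(32)   # belongs in a separate key store
    data = pseudonymise(RECORDS, vault, key)
    for row in data:
        print(row)
    print("identifier leaked:", leaks_identifier(data, RECORDS))
    print("vault holder recovers:", vault.detokenize(data[0]["subject_token"]))
    print("key holder confirms guess:",
          keyed_pseudonym("anna.schmidt@example.org", key) == data[0]["subject_hmac"])
    hashed = [unkeyed_hash(r["email"]) for r in RECORDS]
    print("attacker recovers from unkeyed hash:",
          reidentify_unkeyed(hashed, ["anna.schmidt@example.org", "luca.rossi@example.org"]))
```

The point to take from running it: the pseudonymised rows contain no email, the same subject maps to the same token and the same HMAC (so analytics and joins still work), and re-identification requires either the vault or the key. Whichever branch you choose, the separately held secret (vault or key) is what the Article 4(5) "technical and organisational measures" have to protect.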
Leveraging TokenEx Tokenization
Incorporating TokenEx’s tokenization solutions, a well-recognized and accepted form of pseudonymization, makes GDPR compliance more certain, less costly, and much easier. Tokenization is the process TokenEx has used for over a decade to protect the private data of clients worldwide, without a single breach or exposure. As a form of pseudonymization in the sense of Article 4(5), it can be used to satisfy many of the compliance requirements of the GDPR. GDPR compliance requires organizations to protect the PII and privacy of EU data subjects wherever the processing takes place. TokenEx secures the data sets it holds for every customer so that, if a customer's own systems are ever exposed, a meaningless token is all an attacker finds, with no exposure of any data subject's information.
Examples of Compliance:
Article 5 - All personal data must be processed lawfully, fairly, and transparently, and only for the purposes specified to the individual. TokenEx maintains a highly audited environment, and our processing of sensitive data is built to meet GDPR requirements.
Articles 25 and 32 - Organizations must implement data protection by design and by default, and provide a level of security appropriate to the risk to EU data subjects. TokenEx provides the highest levels of data security for every sensitive data set that we secure.
Articles 33 and 34 - Organizations must report a personal data breach to the supervisory authority within 72 hours of becoming aware of it and, where the breach is likely to result in a high risk to individuals, notify the affected data subjects without undue delay. TokenEx has never suffered a data breach resulting in exposed sensitive data.
Article 35 - Organizations must conduct data protection impact assessments to identify risks to data subjects before undertaking high-risk processing. TokenEx goes through quarterly and annual risk assessments to identify impact, and our compliance certifications increase each year to maintain a highly scrutinized and auditable environment.
What is the Cost to My Organization to Meet GDPR Requirements?
According to a recent PwC survey, sixty-eight percent of United States based organizations anticipate spending between one million and ten million dollars to meet the GDPR requirements, with another nine percent anticipating spending more than ten million dollars.
Compliance for the Greater Good
Like any form of compliance, GDPR is here to stay, and depending on your organization’s view of compliance, things are either getting worse or getting better. Our view as an organization is that compliance empowers you to deploy internal solutions that keep sensitive data secure. Compliance is never cheap or easy to attain, but the goal of GDPR is to enable your organization to manage customers’ data privacy rights in a safe and secure way. It takes the effort of the entire enterprise, but the result is what keeps your organization out of harm’s way. At the end of the day, you are the steward of customer PII, and it is your responsibility to protect it. Tokenization is your vehicle to pseudonymize that PII, maintaining GDPR compliance while significantly reducing your organization’s risk.
TokenEx is Prepared
TokenEx is an industry leader in achieving compliance, and we take every global initiative to protect customer data seriously. Using our own tokenization platform, TokenEx will be fully compliant with GDPR requirements well before the May 25, 2018 effective date. That same tokenization platform, incorporated into the TokenEx data security platform, is part of the complete data privacy and vaulting services TokenEx offers and its clients use worldwide. For more information on TokenEx, its tokenization utility, and GDPR compliance issues, please email email@example.com. TokenEx is the industry leader in cloud tokenization and encryption. Follow us on Twitter and LinkedIn.