John Noltensmeyer | Head of Global Privacy and Compliance Solutions, TokenEx
Nancy Free | Head of GRC and Corporate IT
This year, information security professionals felt a significant change land on the industry: the European Union's (EU) General Data Protection Regulation (GDPR). Since it became enforceable on May 25, the way companies around the globe handle and store personal data has been transformed.
In partnership with Armor, a cloud data protection platform, this blog – the first in a larger series – looks at the major changes the GDPR has brought about so far, including the ripple effect among other nations around the globe. Additionally, with the looming threat of a hefty fine, we'll discuss how security, IT, and compliance professionals are working to find practical answers to the question, "How do I know I'm compliant?"
Preparing for GDPR
In April 2016, following political agreement reached in December 2015, the European Parliament adopted the GDPR as the EU's new data protection regulation, replacing the 1995 Data Protection Directive (DPD). Aimed at protecting the personal data of natural persons (i.e. data subjects), including from security breaches in today's ever-evolving threat landscape, the GDPR keeps the DPD's key principles but changes the regulatory requirements built on them. Companies collecting and storing a data subject's personal data were given a two-year transition period to bring their policies and processes in line with the GDPR's standards before its May 25, 2018, enforcement date.
In short, the GDPR applies stricter rules to businesses processing a data subject's data and also gives individuals greater control over their data and how the organizations collecting it use it. A few key tenets of the GDPR include:
Geographical Scope – Perhaps the biggest change for businesses between the DPD and the GDPR is its global reach. Any organization, regardless of where it is located, that processes or stores the personal data of individuals in the EU (for example, by offering them goods or services or monitoring their behaviour) must adhere to the GDPR's standards. A company with no EU presence is therefore not automatically out of scope.
Penalties – A business found not to be adhering to GDPR standards faces a substantial fine of up to 4 percent of its total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
Consent – Organizations can no longer rely on drawn-out, unintelligible terms and conditions full of legalese to obtain consent for data processing. Consent must be freely given, specific, informed and unambiguous: the individual granting it must be able to clearly understand what they are agreeing to, and withdrawing it must be as easy as giving it.
Breach Notification Policy – Organizations are required to report a data breach to a supervisory authority within 72 hours of having become aware of the breach. If the breach is likely to result in high risk to the rights and freedoms of the affected individuals, they must also be informed without undue delay.
Right to Access & Right to be Forgotten – To provide data transparency and empowerment, individuals have the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed, where and for what purpose. Further, the controller must provide a copy of the personal data, free of charge, in an electronic format. Additionally, data subjects can request that the controller erase their personal data and cease further dissemination of it. This is also known as the right to erasure.
Privacy by Design – This concept (the GDPR's "data protection by design and by default") requires that data security be built into the design of systems, as opposed to tacked on later. It also means that controllers are to hold and process only the data necessary for the stated purpose and to limit access to customer data to the personnel who need it.
As you can see from these provisions, the GDPR was put in place for the benefit of both businesses and their customers. Although it means more stringent controls for organizations, it is designed to prevent the chaos and havoc caused by a data breach.
The first six months
After nearly two years of preparation and anticipation of the GDPR's implementation, it seems as though many companies expected May 26 to bring a barrage of fines and nearly close many companies' doors. Thankfully, that was not the case. Although we have seen a few penalties handed down, it takes time for regulators to properly conduct investigations and conclude their findings.
One of the most interesting implications of GDPR is the number of other countries around the globe that are following suit. For example, Brazil, India, Canada and the United States (at the state level, with the California Consumer Privacy Act of 2018) are already implementing data privacy laws similar to the GDPR.
In India, a draft of the Personal Data Protection Bill 2018, inspired by the GDPR (and closely mirroring it), has been submitted to the Indian government for consideration. Similarly, Brazil's General Data Protection Law (LGPD) was signed into law on Aug. 14, 2018. Its contents are also similar to the GDPR's, and it is scheduled to take effect in February 2020.
Additionally, earlier this year, Canada updated its data protection rules to align more closely with the GDPR. The update goes into effect this month. Canada's regulations are not yet as stringent as the EU's, however. For example, whereas the GDPR requires companies to notify the supervisory authority within 72 hours of becoming aware of a breach (and affected individuals without undue delay where the risk to them is high), Canada's new federal breach rules require that companies disclose a security breach that "pose(s) a real risk of significant harm" to the federal privacy commissioner and to consumers "as soon as feasible." Despite the more lenient rules at this point, there is a desire among Canadian officials and regulators to go beyond the GDPR. In fact, Dr. Ann Cavoukian, former information and privacy commissioner for the Canadian province of Ontario, said, "It would be almost like a step back for us not to raise the bar."
Prior to the GDPR enforcement date, there was a great deal of debate among U.S.-based companies as to whether the regulation applied to them. Those that determined the GDPR does not affect their organization because they do not collect and store the personal data of EU data subjects should note that a similar law is very likely to apply to them in the near future.
Additionally, compliance experts are encouraging organizations, regardless of where they are located, to treat the GDPR as a baseline privacy framework, because so many countries are looking at implementing similar laws.
GDPR Compliance & Security
As previously mentioned, the overall purpose of the GDPR is to protect the data of natural persons in the EU from the onslaught of threats facing individuals today. Meeting minimum compliance standards is not sufficient to achieve this goal. Compliance is not security.
To truly secure customers' data, organizations need to strategically develop robust security programs. Doing this first, before even considering the laundry list of compliance regulations, means that a large share of the compliance boxes (in our experience, 80 percent or more) are already checked by controls you built for security reasons.
Tokenization, or replacing sensitive data with surrogate values (tokens) that have no exploitable relationship to the original, is an effective measure for companies to address both security and compliance. By removing the actual data from your premises and storing it in a secure, third-party cloud environment through tokenization, you shrink the set of systems that ever hold the real data; data protection officers (DPOs) and compliance teams can then focus their effort on the vault and the few systems authorized to detokenize, knowing that a large part of the threat to the rest of the estate is mitigated.
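To make the mechanics concrete, here is a minimal token vault written for this post as an added example; it is not TokenEx's or Armor's code, and the class, method and caller names are assumptions for illustration. It shows the properties a practitioner should look for: tokens are random rather than derived from the data, so the token leaks nothing; a 16-digit input gets a format-preserving token that keeps the last four digits but deliberately fails the Luhn check so it can never be mistaken for a real card number; the same value tokenizes to the same token via a keyed HMAC index rather than a plaintext lookup table; detokenization is restricted to an allowlist of callers; and erasing the vault entry (the right to erasure from earlier in the post) makes every copy of the token across downstream systems worthless without touching those systems. The sample card number is the well-known test value 4111111111111111, not real data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: real card numbers pass; tokens are chosen to fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative tokenization vault (hypothetical; not a vendor API).

    In production the vault runs in a separately secured environment and
    the original values are encrypted at rest; here they are kept in memory
    so the example is self-contained.
    """

    def __init__(self, index_key: bytes, authorized_callers: Set[str]):
        self._index_key = index_key           # key for the HMAC lookup index
        self._authorized = set(authorized_callers)
        self._by_token: Dict[str, str] = {}      # token -> original value
        self._by_fingerprint: Dict[str, str] = {}  # HMAC(value) -> token

    def _fingerprint(self, value: str) -> str:
        # Keyed hash so the index cannot be used as a plaintext rainbow table.
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def _new_token(self, value: str) -> str:
        if value.isdigit() and len(value) >= 8:
            # Format-preserving: same length, last four digits kept for display,
            # the rest random; reject Luhn-valid candidates and collisions.
            keep = value[-4:]
            while True:
                body = "".join(secrets.choice("0123456789") for _ in range(len(value) - 4))
                token = body + keep
                if token != value and token not in self._by_token and not luhn_valid(token):
                    return token
        # Generic values (e-mail addresses, names) get an opaque random token.
        while True:
            token = "tok_" + secrets.token_hex(16)
            if token not in self._by_token:
                return token

    def tokenize(self, value: str) -> str:
        """Return the existing token for value, or mint and store a new one."""
        fp = self._fingerprint(value)
        existing = self._by_fingerprint.get(fp)
        if existing is not None:
            return existing
        token = self._new_token(value)
        self._by_token[token] = value
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str, caller: str) -> Optional[str]:
        """Only allowlisted callers may recover the original; unknown tokens give None."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._by_token.get(token)

    def erase(self, token: str) -> bool:
        """Right to erasure: drop the mapping so all copies of the token go dead."""
        value = self._by_token.pop(token, None)
        if value is None:
            return False
        self._by_fingerprint.pop(self._fingerprint(value), None)
        return True


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32), authorized_callers={"billing"})
    pan = "4111111111111111"  # constructed test card number
    tok = vault.tokenize(pan)
    print("token:", tok, "luhn_valid:", luhn_valid(tok))
    print("billing sees:", vault.detokenize(tok, "billing"))
    vault.erase(tok)
    print("after erasure:", vault.detokenize(tok, "billing"))
```

The caveat this design makes visible is that tokenization moves risk rather than eliminating it: the vault and the authorized callers become the high-value target, so the provider's (or your own) controls around the vault, its index key and the detokenize allowlist are exactly what an auditor will ask about next.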
Stay tuned for our next blog, where we'll dive further into tokenization and how it answers the call for both security and compliance, as well as how Armor is helping companies such as TokenEx secure their cloud environments and ensure compliance audits are a success.