The Aftershock of GDPR (Part 2)

Tokenization + Security-as-a-Service

John Noltensmeyer | Head of Global Privacy and Compliance Solutions, TokenEx

Nancy Free | Chief Compliance and Data Privacy Officer

In the last blog, we discussed the new GDPR standards, what they mean for organizations and individuals, and the ripple effect as other countries implement similar legislation. With so many governments beginning to take data protection more seriously, it’s important to understand the different resources available as we experience an ongoing cultural and technical shift in cybersecurity.

Both tokenization and Security-as-a-Service (SECaaS) providers are answering the call for robust, yet simplified, security and compliance.

Crash Course in Tokenization

As discussed in part one of this blog series, many nonprescriptive obligations exist within the GDPR, including the strict requirements for data-breach reporting and the implementation of appropriate technical controls to protect personal data. Tokenization plays a significant role in meeting these requirements and protecting sensitive data sets.

Tokenization can be used for the pseudonymization of data, meaning it replaces sensitive data with nonsensitive data (tokens). For example, instead of keeping an individual’s identification number, date of birth and address on-premise behind perimeter security devices like firewalls, all that personal data can be turned into a token, removed from your environment and securely vaulted in a tokenization provider’s cloud. With the right security controls in place, the information can be temporarily detokenized when the information is required for processing or is requested by the data subject. In the event an individual requests to be forgotten, one can simply delete the token on the tokenization provider’s system to comply with that request.

Another benefit of tokenization is that in the event of a data breach, an organization may not have to notify the affected individuals. If a threat actor infiltrates your environment, tokens – not PII – are the only information that could be exfiltrated. In effect, no data breach has actually occurred.

Although this scenario has been specific to protecting personal data, tokenization spans a variety of industries. In fact, TokenEx – an industry leader in cloud-based tokenization solutions – developed its groundbreaking platform for the purpose of securing payment card information before later expanding beyond the payment card industry. Additionally, tokenization is often used within the health care field for deidentifying and sharing medical research across environments without compromising patient information.

SECaaS + Tokenization

Organizations affected by GDPR, or those preparing for similar regulations in the near future, are leaning on providers such as Armor and TokenEx to help efficiently and effectively secure their environments while also meeting compliance standards. Moving away from standalone tools and managed detection and response (MDR), or managed security service providers (MSSPs), organizations are seeking flexibility, automation, orchestration and visibility in their cloud environments.

SECaaS providers offer these security conveniences, taking the challenge out of complex environments. Similarly, tokenization helps reduce the challenges of managing your security posture by simply eliminating the risk of sensitive data being stolen from your environment.

Companies collect different types and amounts of data daily, but truly only need to access an individual’s personal information a handful of times throughout the year. Storing sensitive information on premise, even with the strongest security posture, still poses a risk of a data breach. Partnering with and using tokenization and SECaaS providers is a way to mitigate those risks and focus on maintaining and building your business.

So, how are SECaaS and tokenization providers addressing the primary tenets of the GDPR?

Geographical Scope – With the GDPR’s global scope, maintaining compliance and security everywhere is paramount. Most organizations do not have the resources for true 24/7/365 global protection, detection and incident response for the sensitive data they process. SECaaS providers can fill this gap in an organization’s defenses, while tokenization can diminish the risk in the event of a breach.

Penalties – An organization found to be willfully or intentionally in violation of the GDPR is subject to administrative penalties of 4 percent of annual turnover or €20 million – whichever is greater. Simple negligence of the data-protection mechanisms in the GDPR can result in penalties of the greater of 2 percent of annual turnover or €10 million. By putting a specific financial penalty to paper for GDPR noncompliance, threat actors have essentially been provided a pricelist. Their ransomware ask is now a competitive “sale” against these GDPR penalties, which makes it increasingly important for companies to become compliant now. Organizations simply focused on appeasing EU data-protection authorities are overlooking the primary threat of a GDPR-related fine.

Data Subject Rights Including Consent, Right of Access, and Right to be Forgotten – Under the GDPR, organizations are required to provide clear and concise explanations of how they intend to use an individual’s personal data, so that he or she can provide informed consent. Organizations are also obligated to provide the capability for individuals to request access to the data an organization is processing about them, as well as the nature of the processing. The individual must also be granted the capability to withdraw their consent for processing and request the organization delete his or her personal data. Having detailed data flows is essential to meet these data subject rights, as well as being able to properly protect the information. Tokenization can help address the right to be forgotten in particular by enabling organizations to delete tokens at their tokenization providers. This destroys the information associated with the token and prevents the organization from ever detokenizing or restoring the tokenized data. Consequently, any place that token is stored in an organization’s systems, including backup files and disaster-recovery sites, ceases to contain reidentifiable PII.

Breach Notification – As part of any breach notification process, business continuity and disaster recovery (BC/DR) must stay top of mind. Meeting the GDPR’s 72-hour notification requirement is only the start of the issue. Responding to and recovering from a data breach is where SECaaS can deliver. Similarly, if the personal data compromised in a breach has been deidentified using tokenization, an organization may not be obligated to notify the associated individuals.

Data Protection by Design – Article 25 of the GDPR obligates organizations to consider data protection by design and by default. Using a SECaaS and a tokenization provider are both ways in which a company can demonstrate its efforts to comply with the GDPR. Data minimization is also an important component of a data-protection strategy – keeping only necessary data for the time required should be every company’s goal when handling PII and meeting both security and compliance standards.

Birds of a Feather

Nearly 10 years ago, TokenEx combined cloud-tokenization, encryption, data-vaulting, and key-management solutions to transform the security of payment card information. Realizing this same technology and security also could be applied to personal and health care information, the company quickly grew to become a global tokenization-security leader.

TokenEx’s growth came with the increasing demands of properly securing its own cloud environment to better protect its customers. To address these demands, TokenEx began its partnership with Armor, joining two leading data-protection companies in the pursuit of greater security. Since 2014, Armor has been securing TokenEx’s private cloud, providing improved performance along with unsurpassed security.

Today’s threats are real, and companies are being faced with meeting stringent compliance obligations, such as the GDPR, as well as industry standards such as the PCI Data Security Standard (PCI DSS). Being able to provide a complete security solution, including tokenization and SECaaS, enables customers of Armor and TokenEx to securely meet multiple compliance obligations and keep up with the ever-shifting cybersecurity and regulatory landscape.

Topic(s): GDPR