Enacted in May of 2018, the General Data Protection Regulation standardizes data privacy laws across the European Union with the aim of protecting EU citizens’ data and requiring organizations to provide clear terms of consent for collecting it. The regulation, which applies to all entities wishing to obtain data while operating in any of the nearly 30 EU member states, has set a global precedent, influencing the writing of similar privacy legislation in countries such as the United States, Canada, India, and Brazil.
At the core of the GDPR is what’s referred to as a “data subject.” A data subject is defined in Article 4.1 as “an identifiable natural person … who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person….”
Simply put, data subjects are people whose personal data can be used to identify them. This is important because it specifies who and what the GDPR is protecting. Understanding this can help you ensure your organization is operating within GDPR guidelines, preventing the considerable penalties that can come with noncompliance.
It’s also important to note that meeting GDPR requirements doesn’t have to mean sacrificing the business utility of sensitive data. To preserve this vital functionality, we recommend pseudonymizing data via tokenization. Pseudonymization, defined in Article 4.5, is the process of masking sensitive data in a way that renders it no longer attributable to its data subject without additional, separately stored information. Tokenization accomplishes this by replacing the original data with nonsensitive data called a token, which is then encrypted and stored offsite.
With the right security controls in place, the information can be temporarily detokenized—returned to its original form—when it is required for processing or is requested by the data subject. If an individual requests to be forgotten, one can simply delete the token from the tokenization provider’s system to comply with that request.