Last updated: 26 May 2016
It’s an exciting time to be in the business of data protection! It’s also time to get ready for the EU’s General Data Protection Regulation (GDPR) and US/EU Privacy Shield requirements, which will replace those of Safe Harbor.
While the last couple of years have brought about major breach headlines, placing data protection in the spotlight, these last couple of weeks have produced enforceable and actionable items on how to respond to this breach epidemic.
The approval of the GDPR is a game changer – with the deadline for compliance now exactly two years away.
The GDPR signifies an official acknowledgement on how important consumer privacy is and just how seriously it’s being infringed upon. More than just a ticking of the box to stay compliant, this new regulation takes a holistic approach to why we got here and how to fix it.
Just recently, the Breach Level Index reported that while credit card data and financial information was most sought after in 2013 and 2014, the theft of personal information and identities took center stage in 2015. In fact, this type of theft accounted for 53% of all data breaches last year, further reinforcing the need for regulation.
Moreover, the GDPR will have a far more reaching impact on other nations outside of the EU. The EU and U.S. are already negotiating the terms of Privacy Shield, which includes many of the same requirements as the now defunct Safe Harbor. This new and more unified approach, however, will require that organizations make adjustments to their current data protection strategy and prioritize putting the appropriate controls into place.
Here are the top 7 considerations that organizations should take into account in order to prepare for GDPR and Privacy Shield requirements:
1. Identify any and all third parties that process your data
You’ll want to make sure that these vendors are also putting the proper controls in place and abiding by the set regulations. Usage must be consistent with the consent provided by the individual. Failure to comply could mean trouble for the third party organization, as well as your organization.
2. Be very clear about the geographic regions your data resides
Data sovereignty is the concept that digital data is subject to the laws or legal jurisdiction of the country which it is stored and certain countries are drafting stricter data residency and sovereignty laws, which require data to remain in country in order to protect their citizen’s personal information. Even when leveraging a cloud service, data will reside in a data center, and that data center will reside in a physical location. Understanding, tracking, and controlling where data resides will be core to remaining compliant.
3. Transparency is key
Incorporating transparency into your organizational processes and policies will be essential on many levels. It will be vital to ensure the controls in place are demonstrable and auditable, both for internal staff and external authorities and auditors. Continuous monitoring of your systems cannot be overlooked either, because violations have to be caught quickly and reported to the appropriate parties. Lastly, transparency to the user will be necessary in order to achieve consent, remove data, etc.
4. Protect data by leveraging encryption and key management
As introduced in the GDPR, pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately. In other words, by encrypting your data and managing those keys, you can ensure that even if the data is breached, the attacker will not have access to it.
Also, by encrypting data, even if another government issues a subpoena or is secretly accessing a private repository, you can retain control over who can ultimately decrypt the data. Encryption also represents a strong mechanism for addressing the consumer’s right to be forgotten. By deleting a key associated with a consumer’s records, a business could ensure that encrypted data will never be accessed.
5. Don’t forget to control access
Repeatedly, it is weak, static credentials that are exploited to gain unauthorized access to sensitive resources or perpetrate a full-blown data breach. Therefore, it is essential for organizations to eliminate this vulnerability by establishing strong, multi-factor authentication to any resource that holds value, be it a network, portal, or application.
6. Avoid implications of non-compliance
While details vary between GDPR and Privacy Shield, both regulatory parties intend to hold businesses legally accountable for their privacy practices. The slightest of infractions could bring forth severe fines, public shaming and loss of doing business with certain countries. However, it is important to note that organizations that take reasonable and appropriate actions to protect the data can avoid consequences altogether, should a breach occur.
7. Start putting a plan together now
Two years may seem far off, but organizations will need to do a full sweep of their current situation, such as identifying sensitive data, data flows, user access levels, third party processors, etc. Look for a company that has experience and credibility in the security industry. With so many breaches, many novice organizations are starting to enter this space or offer data protection because it aligns with their products or services. You don’t want to implement a solution that is piece-meal or just good enough.
Keep these tips in mind as you approach these new regulations, and you should be one step closer to incorporating the data security best practices of today and the not-too-distant future into your security strategy. Want help addressing GDPR and Privacy Shield requirements?
Gemalto has already started working with organizations around these new regulations. We can help you to employ one or many different encryption, key management and authentication solutions. Our extensive portfolio works together, ensuring a streamlined solution that grows with your organization. Visit our EU compliance page to learn more.