The General Data Protection Regulation (GDPR) EU legislation will come into force on 25 May 2018. GDPR is a significant upgrade and replacement for previous rules in the Data Protection Directive and introduces a number of new data protection obligations for organizations. As with other regulations such as HIPAA and SOX, compliance with GDPR requires that your organization implements appropriate measures to ensure you meet your legal data protection obligations. However, one of the key differences is that GDPR requires more than just putting in place a technical solution. Organizations will also need to adopt organizational measures to demonstrate GDPR compliance.
Encryption remains a cornerstone of data protection and privacy within the GDPR. It is widely recognized that using encryption:
- reduces the negative impact on individuals (data subjects): in the event of a laptop theft or hacker access to stored data, the encrypted data remains unusable;
- increases the effectiveness of data protection policies by raising awareness across the organization of the importance of privacy and security measures;
- reduces the cost of addressing problems such as loss or theft of laptops and mobile devices.
AlertSec provides a solid foundation on which to build your compliance program. Organizations are increasingly storing and sharing data via cloud-based services that provide good encryption and key handling. However, to protect the personal and sensitive data defined by the GDPR, you will need additional data security measures.
GDPR will require data to be protected wherever it may be stored, accessed or processed. GDPR will also require protection for a wider data set, to include hidden data such as digital identifiers, IP addresses and cookie IDs as well as a person’s name, address, Social Security number etc.
Therefore, encryption will need to cover the data you know about in documents and spreadsheets on computers, and the data you may not be aware of: background copies that are downloaded to the computer hard-drive by apps even when processing cloud-based data; the copies shared between staff and third party subcontractors on removable media; hidden data such as author details embedded in documents; IP addresses embedded in emails; and login credentials stored by browsers. This is where the AlertSec service plays a critical role.
AlertSec provides strong protection against accidental loss of all data on endpoint devices: on computers and removable media, in files and documents, embedded in emails and browsers. The AlertSec service enables your organization to:
- encrypt all data on computers and removable media (USB sticks/drives etc.), which includes any embedded information and metadata on the device
- extend encryption to third party data processors and enforce data protection code of conduct agreements
- address many GDPR requirements for technical measures for integrity, confidentiality and protection against accidental loss of personal data
- enable data processors (service providers) to take appropriate security measures for data protection
- provide some organizational measures to support GDPR principles
- deploy and manage compliance through a cloud management tool
- demonstrate the adoption and implementation of data protection measures
GDPR is a significant upgrade and replacement for previous rules in the Data Protection Directive and introduces new data protection requirements on organizations inside and outside the EU.
The changes include (but are not limited to):
- Expanded geographic scope of EU regulations: organizations not based in the EU may still need to meet GDPR data protection requirements;
- New obligations on data controllers: for example erasing personal data if required (the “right to be forgotten”), and demonstrating the adoption of protection measures and privacy policies;
- New legal obligations for data processors (service providers): for example, being accountable for data breach notification and paying significant fines for non-compliance;
- Safe Harbor replacement by Privacy Shield: companies need to self-certify to join the new framework;
- New definitions of personal and sensitive data: compliance with other legislation such as HIPAA may not be sufficient for GDPR compliance;
- New trigger for breach notification: GDPR expands the definition of a breach to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data;
- Increased fines: data controllers and processors can be fined up to €20 million or 4% of total annual worldwide turnover for non-compliance.
This text focuses on the General Data Protection Regulation (GDPR) that will come into force in May 2018.
The information in this text is not exhaustive. Our aim is to provide an overview of the major changes that will be relevant to small and mid-sized businesses. There are some new GDPR obligations, such as the need to appoint a data protection officer and to maintain records of data processing activities, which are not covered below as they apply only to particular industry sectors, or to organizations with more than 250 employees.