GET READY FOR THE GDPR
MEET DATA PROTECTION REQUIREMENTS AND REDUCE YOUR AUDIT SCOPE
The European General Data Protection Regulation will take effect in May 2018 and organizations globally are preparing to face dramatic increases in requirements to protect private information and severe penalties for breaches. Although it was created by the EU, the GDPR will have international reach, covering the personal information of European citizens – wherever it is distributed globally.
The GDPR is large and complex but at its core is Data Protection. The overriding goal is to protect personal information and to ensure that organizations provide continuous and ongoing protection for sensitive data they control.
CipherCloud Helps GDPR Compliance With:
- Strong encryption and tokenization for cloud data, meeting GDPR standards for data protection
- Encryption keys controlled exclusively by customers, meeting “pseudonymization” requirements
- Exemption from breach notification requirements by effectively anonymizing data
- Technology specifically called for by the Privacy by Design and by Default principles
- Dramatic reduction in audit scope by removing data exposure to cloud providers
THE CLOUD RAISES GDPR CHALLENGES
The cloud has been a lightning rod for data privacy concerns and often raises difficult compliance issues. Even with the best cloud providers, you can’t guarantee security if you don’t know where your data is or who might have access to it.
CipherCloud restores your direct control over private data wherever it goes in the cloud. Our industry-leading encryption and tokenization solutions have been widely deployed to meet global compliance requirements and are ideally suited for the GDPR.
THE DATA CONTROLLER IS ALWAYS RESPONSIBLE
The GDPR is explicit that data controllers must implement “appropriate technical and organizational protection measures” to secure private data. If you put sensitive data in the cloud, you will always bear the risk of penalties if there is a data breach. But with CipherCloud you can proactively protect sensitive data and not risk exposure to outsiders, as required by the GDPR.
PSEUDONYMIZATION
It’s difficult to spell, but it is a critical part of the GDPR. Pseudonymization refers to technologies like encryption or tokenization that can mask sensitive data, making the data effectively anonymous and not subject to the regulation. But the law is explicit that encryption keys must be kept by the data controller – separate from the data storage. This means it’s not adequate for a cloud provider to do the encryption themselves if they have access to the keys.
With CipherCloud, the customer always maintains exclusive control over encryption keys or token databases, making it a very effective solution for the GDPR.
AVOID BREACH NOTIFICATION
Public breach notification has long been required in the U.S. but it is new to Europe. The GDPR will require notification within 72 hours of any possible data breach. However, the law also states that if lost data has been adequately pseudonymized and the controller has retained the keys, then it does not constitute a breach and does not require notification. CipherCloud data protection can deliver enormous value by eliminating the disastrous impact of a public breach event.
REDUCE YOUR AUDIT SCOPE
The GDPR will create lots of work for most organizations and anything that reduces audit scope is invaluable. The cloud poses specific auditing challenges because customers cannot directly assess or audit cloud provider practices. Additionally, there are inevitably large numbers of people and processes that can touch your data but over which you have no control.
Using CipherCloud to protect regulated data before it leaves your organization, while controlling the process and keys, can dramatically simplify GDPR compliance by eliminating cloud providers from the audit scope.