The clock is ticking and the GDPR is coming to a jurisdiction near you. Although it was created by the EU, most businesses realize that the General Data Protection Regulation, which takes effect in May 2018, will have global reach, covering not just data in Europe, but the personal information of European citizens and residents – wherever it is globally.
The GDPR is large and complex, and has a broad range of requirements for organizations. But at its core, (and its middle two initials), is Data Protection. The overriding goal of the regulation is to protect personal data and to ensure that the responsible controllers provide continuous and ongoing protection for sensitive personal information.
The core data protection requirements of the GDPR are broad and mandate that organizations take responsibility, follow industry best practices, and proactively take steps to protect sensitive data that they control. But the good news is that if you can demonstrate that you have protected sensitive data adequately, the impact of the GDPR and overall audit scope can be significantly reduced.
Here are six issues we recommend to keep in mind as you get ready for the GDPR:
1. The Cloud is a Challenge
The Cloud has been a lightning rod for data privacy issues globally, and the dramatic increase in cloud use poses a direct challenge to any country’s data sovereignty. By its nature, data in cloud applications is outside of your direct control, and you can’t guarantee that it won’t cross national boundaries, or be accessible in multiple regions.
The rapid adoption of cloud applications raises many security and data privacy issues. Even with the best cloud providers, you can’t guarantee security if you don’t know where your data is or who might have access to it. While you may generally trust your cloud provider, you don’t want to include external people and processes that you don’t control in the scope of your compliance audits.
2. The Controller is Always Responsible
If you put regulated data in the cloud, you cannot shirk responsibility for protecting it. While data processors may have some limited contractual responsibility, if there is a data breach, regardless of who is at fault, you will bear the full brunt of sanctions, public breach disclosure and penalties.
In fact, the GDPR is quite explicit that the controller must implement “appropriate technical and organization protection measures”. This strongly suggests that you cannot rely on third parties such as cloud providers to take care of security, because that can leave many gaps and exposure points.
3. Understand Pseudonymization
Just spelling it can be difficult, but pseudonymization is a key concept, and can help you meet many GDPR requirements, if it’s properly implemented. The word is a mashup of “pseudonym” and “anonymization” and refers to various technologies that can obscure, encode, or mask sensitive data. But the term is most commonly associated with encryption or tokenization. The goal of pseudonymization is to effectively anonymize sensitive data. If personal data is truly anonymized then it can’t directly or indirectly identify a specific person, and the GDPR no longer applies.
Techniques like encryption and tokenization are very effective at anonymizing data, but there is a critical requirement that the GDPR recognizes. When the data is protected, there is a secondary piece of information (typically an encryption key or token database) that can unlock and restore the protected information. The GDPR wisely requires that the data protection steps are taken by the controller, and that the additional information (such as the key) is kept separately. Just as you don’t leave the keys in the lock when you lock your house, to effectively pseudonymize data the encryption keys must be held exclusively by the controller and must not be accessible to the cloud provider that stores the encrypted data.
4. Avoid Breach Notification
This concept originated with U.S. State laws and is now required in almost every state, and many federal regulations like HIPAA. It requires that if there is a public breach of any type or size, the public must be notified. This requirement has been the “big stick” in forcing organizations to proactively protect data and try to avoid the disaster of a public breach disclosure.
There has been far less public news about data breached in Europe because, to date, most European countries have not implemented public breach notification, preferring to have regulators assess and evaluate data breaches. But this is changing, and the GDPR now requires notification within 72 hours if there is a data breach.
But the good news is that if the data that was lost had been adequately pseudonymized, and the controller has retained the keys, then the loss does not constitute a breach and does not require notification.
5. Privacy by Design and by Default
It is a central tenet of the GDPR that data controllers must proactively take all reasonable steps to protect sensitive information and follow evolving industry best practices. The GDPR specifically calls out encryption as one of these best practices that should be used by default, and says that these security measures should be applied “as soon as possible”, meaning that you should not wait for a third party to protect information that your organization controls.
As technology changes, there will of course be varying opinions among regulators and auditors as to what is a reasonable best practice. But encryption is well understood and accepted as an important technology, and experts such as ENISA (the European Union Agency for Network and Information Security) have put out specific guidance on how to implement it properly for the GDPR:
The encryption/embedding and decrypt/recovery operations must be carried out locally, because the keys used in them must remain in the power of the user if any storage privacy is to be achieved. Outsourced bulk data storage on remote “clouds” is practical and relatively safe, as long as only the data owner, not the cloud service holds the decryption keys.
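As an added illustration of the points in sections 3 and 5 (example code written for this page, not from the original post or any vendor), the Python below simulates pseudonymizing a customer record by tokenization before it reaches a cloud processor: the HMAC key and the token vault stay with the controller, so the processor stores only tokens it cannot reverse. The TokenVault and CloudStore classes, the field names and the sample record are all hypothetical.

```python
import hashlib, hmac, json, secrets

SENSITIVE_FIELDS = ("name", "email")  # fields that directly identify a person

class TokenVault:
    """Controller-side 'additional information' (hypothetical): the key and the
    token->value mapping. Neither ever leaves the controller's own systems."""
    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # HMAC key held only by the controller
        self._lookup = {}                            # token -> original value

    def tokenize(self, value):
        # Keyed HMAC: the same email always yields the same token, so joins and
        # de-duplication still work in the cloud, but without the key no reversal.
        token = "tok_" + hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        self._lookup[token] = value
        return token

    def detokenize(self, token):
        return self._lookup[token]

def pseudonymize_record(record, vault):
    """Replace identifying fields with tokens before the record leaves the controller."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    return out

def reidentify_record(record, vault):
    """Controller-only inverse; the processor has no vault and cannot do this."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out

class CloudStore:
    """Simulated processor: stores whatever JSON it is handed and holds no key."""
    def __init__(self):
        self.rows = []
    def put(self, record):
        self.rows.append(json.dumps(record, sort_keys=True))

def demo():
    """Constructed sample record; returns what the cloud holds and what the controller recovers."""
    vault, cloud = TokenVault(), CloudStore()
    record = {"id": 1, "name": "Ada Example", "email": "ada@example.test", "plan": "pro"}
    cloud.put(pseudonymize_record(record, vault))
    stored = cloud.rows[0]  # the only thing a breach at the processor could expose
    recovered = reidentify_record(json.loads(stored), vault)
    return stored, recovered
```

Deterministic tokens still reveal which records share a value, so reserve this scheme for high-entropy identifiers and use a per-record salt (giving up joins) for low-entropy fields.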
6. Reducing Audit Scope
No doubt the GDPR will create a lot of work for any affected organization, and anything that reduces the scope of people and processes covered will be welcomed. Using cloud applications poses a number of specific compliance challenges. For example, the GDPR requires that the controller must assess how data is being handled by the processor, supervise the implementation of security measures, and routinely audit the processor.
The reality is that these steps are difficult or impossible with most cloud providers, who will not let most clients provide specific security instructions and will not allow outsiders to conduct audits. The mere idea of including an outside cloud provider in the scope of your security audits multiplies the complexity of compliance. The bottom line is that any cloud provider has large numbers of people and processes that can touch your data but over which you have no visibility or control.
Protecting regulated data before it leaves your organization, and controlling the process and the keys, not only improves security but can dramatically reduce burdensome and often futile audit requirements by eliminating the cloud provider from the audit scope of the GDPR.