The new privacy regulation takes effect after a two-year period, on May 25, 2018 and does not require separate adoption by each EU country. “The transition period of two years is relatively short in view of the large number of regulations and complexity of data protection in practice. This will force those responsible to immediately assess the impact of the GDPR on their businesses and plan to take appropriate measures,” says Uwe Wohler, lead Solutions Consultant at HP Enterprise (HPE).
Stiff penalties as a deterrent
If companies fail to take appropriate measures by the deadline, they could face stiff penalties of up to 4 percent of total worldwide annual revenue, or at least 20 million Euros. The data protection authorities of each country will determine the exact penalties, but the GDPR expressly requires that each supervisory authority ensure that the fines “in each individual case are proportionate and dissuasive”.
Almost all companies that do business with EU citizens are affected by the new regulation as today’s digital economy inevitably involves the processing and storage of personal data. The definition of personal data is broad including “all the information that makes persons identifiable” including names, addresses, account information, and other online identifiers as well as personal characteristics including “the expression of physical, physiological, genetic, mental, economic, cultural or social identity of an individual”.
Pseaudonyms and encryption
While the European Parliament leaves it largely up to the company to determine how to ensure privacy, the regulation requires “appropriate technical and organizational measures”. However, there are also indications that the legislators expect companies to follow current best practices and they specifically list the use of encryption and pseudonyms as suitable methods to achieve adequate levels of protection.
The GDPR defines the use of pseudonyms as “the processing of personal data in a way that it can no longer be assigned to a specific person” and requires that additional identifiable information be kept separately and be “subject to technical and organizational measures, to ensure that the data is not allocated to an identifiable natural person “.
Tokenization: a safe approach
One approach to meet the requirements of large parts of the GDPR is tokenization. In this process, sensitive personal data is replaced with randomly generated tokens before it is processed or stored by third-parties, such as cloud providers. The original identifiable data and token maps are stored locally in a database controlled exclusively by the company responsible for the data. Security vendors such as CipherCloud offer solutions designed to automatically tokenize sensitive data. Unlike encryption, with tokenization, there is no mathematical relationship to the between the original data and the random tokens. This dramatically reduces the risk of data being compromised.
Tokenized data maintains the same data structure – for example a credit card number of “4362 4890 2300 8650” could be replaced by the token “4362 0405 3604 8650” making it unusable by data thieves. Because the data structure does not change the process does not interfere with external applications or processes, enabling tokens to function just like the original data.
According the CipherCloud, this method is widely used and proven in regulated industries. For example, at least 40 percent of the banks and financial service providers already use tokenization to protect sensitive personal data such as social security numbers, dates of birth and tax numbers.
Protection against access by service providers and government organizations
If the data is tokenized properly, this can also meet the requirements of the GDPR regarding the transfer of personal data to third countries outside the European Union or international organizations. “The protection of data by encryption or tokenization before it is transferred to the cloud, is a good step to prevent legal challenges for any companies that are thinking about implementing a cloud solution,” write to Dr. Patrick Van Eecke, Partner at the international law firm DLA Piper, in a White Paper. The key part of this statement is “before it transfers to the cloud.”
However, if you leave encryption the cloud provider, then a third-party can access the keys and could thus restore the original data again. “If the cloud provider is not in possession of the decryption key, then the customer can be reasonably sure that the data is safe from government intervention” Van Eecke continues. This addresses the concerns of IT managers are invalidated, who fear that they will give control of sensitive data to cloud applications.
Complete package of measures to protect data
While tokenization is powerful, it is not all-purpose solution. “Tokenization is ideal when it comes to protecting structured data within databases, such as a CRM,” explains Holger Moenius, Regional Sales Director at CipherCloud. “But to protect files, and other unstructured data, then it makes sense to consider encryption.”
Tokenization and encryption are elements of a comprehensive package of security measures which can help meet the legal requirements for protection of personal data and company data. “Data security is always about a range of technologies that must be tailored to the individual circumstances of each company,” emphasizes HPE manager Wohler, whose company has recently entered into a technology partnership with CipherCloud.