GDPR: Many companies are not aware of the challenge – Business Value Exchange

Monday, September 5, 2016  |  Written by: Stefan Gneiting 

The European General Data Protection Regulation (GDPR) has been adopted and will take effect after a two-year transitional period, in May 2018. In this interview Uwe Wohler, Lead Solution Consultant at HP Enterprise Security Services (HPE), and Holger Moenius, Regional Sales Director at CipherCloud discuss why companies should plan in detail how to comply with the GDPR and what solutions and procedures are already available today to help prepare for the new regulation.

The new European privacy regulation was adopted in May. The aim is to improve data protection and to give consumers control over their own data. Who is affected by the provisions of this regulation?

Uwe Wohler: Any company that works with personal data has to deal with the GDPR – that is likely to be almost all companies. This could include personal data or address data of customers, as well as corporate personnel data in HR departments. Many companies that will be affected are not yet aware of the implications.

The European Commission has set a transitional period until May 2018, when the GDPR takes effect. Is there enough time to implement the requirements?

"The two-year transitional period puts all companies under pressure to act."  Uwe Wohler, Lead Solution Consultant at HP Enterprise Security Services

Uwe Wohler: Two years is a relatively short time frame for planning and implementing appropriate measures, and companies should lose no time in dealing with the GDPR. Some industries, like banking and insurance, have already dealt with stringent privacy policies because of regulatory requirements and internal compliance requirements; others, such as the automotive industry, are still far from ready. Overall, the two-year transition period puts all companies under pressure to act.

Holger Moenius: Any organization that outsources data to the cloud has to deal with privacy policies and the European privacy regulation. Some of these requirements also mandate that sensitive data not leave the country. In this case, tokenization is a prudent measure to play it safe. Then you only have to worry about the location of the token database, which stays on-premises and in-country with a Cloud Security Gateway.

If tokenization of sensitive data puts you on the safe side with respect to the data protection laws, is this a universal solution?

Holger Moenius: Tokenization is a very powerful solution, but not suited for all purposes. Generally it is useful when a company wants the benefits of a cloud application for structured data, such as CRM or ITSM, but sensitive data cannot leave the company boundaries. But when it comes to protecting unstructured data in collaboration environments such as Office 365 SharePoint Online, OneDrive, Google Drive and Box, then it makes sense to rely on encryption, because of the wide range of data processes and user access to collaboration tools. To summarize, tokenization can meet the strictest data residency requirements, but both encryption and tokenization can help with compliance. We are currently the only provider on the market that can offer both methods in parallel.

Uwe Wohler: For data security, there is usually a wide range of technologies that must be tailored to the individual circumstances of each company. Tokenization and encryption are important tools for data protection, but you also need to defend your networks against cyber-attacks and account hijacking. In order to put together the right package of measures, it is important that a comprehensive assessment takes place to determine each company’s needs.

What are the important stages in a data privacy project?

Uwe Wohler: As I already mentioned, at the beginning there should always be an assessment. Here, the dataset needs to be analyzed and categorized. It is not effective to protect all data equally, because the effort would be too great. Companies need to determine their most valuable data as well as data that needs to be protected due to regulations. This leads to a strategy on how to secure data appropriately. One also needs to consider the form of the data: whether there are files, databases, or entire servers that must be protected. On this basis you can make the technology choices: server encryption, data encryption, tokenization, encryption gateways, etc. Finally, for the implementation stage, we bring in specialized security vendors such as CipherCloud.

“Because encryption keys and token data never leave the company, cloud providers have no access to protected data.” Holger Moenius, Regional Sales Director at CipherCloud

Holger Moenius: This is exactly how CipherCloud partners with HPE. HPE brings its independent consulting expertise and CipherCloud delivers expertise in implementing data protection solutions.

What does the implementation process for CipherCloud’s technology look like?

Holger Moenius: The CipherCloud Cloud Security Gateway is typically installed as a reverse proxy within a customer’s corporate network. This ensures the sensitive data stream is encrypted before it leaves the enterprise boundary. Since the encryption keys always remain within the company, no third party or cloud provider can access the data. Because this is an on-premises solution, the company manages the security gateway itself, or works with a service provider like HPE. CipherCloud also provides a hosting model with key management remaining with the customer.
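The tokenization pattern Holger Moenius describes (a gateway in the corporate network swaps personal data for tokens before records reach the cloud application, and the token database never leaves the premises) is sketched below. This is an added example written for this page, not CipherCloud or HPE code; `TokenVault`, `CloudGateway`, `SENSITIVE_FIELDS` and the sample records are all assumptions made here to illustrate the idea. It also shows the caveat from the discussion of tokenization versus encryption: random tokens keep residency requirements satisfied and still allow equality matching in the cloud, but any processing that needs the value itself (here, a search on the e-mail domain) stops working.

```python
"""Tokenization gateway sketch. Added example, not CipherCloud or HPE code;
all names and sample records below are made up for illustration."""
import secrets
from typing import Any, Dict, List, Tuple

# Assumption: which fields of a CRM record count as personal data.
SENSITIVE_FIELDS = {"name", "email", "iban"}


class TokenVault:
    """On-premises store mapping clear values to random tokens.

    Once records have left the company these two dicts are the only place the
    clear values exist, so the vault must stay in-country and be backed up:
    losing it makes every token held by the cloud application unrecoverable.
    """

    def __init__(self) -> None:
        self._token_by_value: Dict[Tuple[str, str], str] = {}
        self._value_by_token: Dict[str, str] = {}

    @staticmethod
    def _mint(field: str) -> str:
        # Tokens are random, so they carry no information about the value.
        # E-mail tokens keep an address shape (.invalid is reserved by RFC 2606)
        # so the cloud app's input validation still accepts them.
        if field == "email":
            return f"{secrets.token_hex(8)}@tokens.invalid"
        return "tok_" + secrets.token_hex(12)

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic per (field, value): the same customer always maps to
        # the same token, so equality matching in the cloud keeps working.
        key = (field, value)
        token = self._token_by_value.get(key)
        if token is None:
            token = self._mint(field)
            self._token_by_value[key] = token
            self._value_by_token[token] = value
        return token

    def is_token(self, candidate: Any) -> bool:
        return isinstance(candidate, str) and candidate in self._value_by_token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]  # KeyError: not issued by this vault


class CloudGateway:
    """Reverse-proxy logic in front of the cloud application: substitute
    sensitive fields on the way out, restore them on the way back."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault

    def outbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        out = dict(record)
        for field in SENSITIVE_FIELDS.intersection(record):
            if isinstance(record[field], str):
                out[field] = self.vault.tokenize(field, record[field])
        return out

    def inbound(self, record: Dict[str, Any]) -> Dict[str, Any]:
        # Only values this vault issued are swapped back; anything the cloud
        # application added or edited itself passes through untouched.
        return {k: self.vault.detokenize(v) if self.vault.is_token(v) else v
                for k, v in record.items()}


def leaked_fields(clear: Dict[str, Any], outgoing: Dict[str, Any]) -> List[str]:
    """Residency check: which sensitive clear values still appear, whole or as
    a substring, anywhere in the record that is about to leave the company?"""
    haystack = " ".join(str(v) for v in outgoing.values())
    return sorted(f for f in SENSITIVE_FIELDS.intersection(clear)
                  if str(clear[f]) in haystack)


def cloud_search_by_domain(records: List[Dict[str, Any]], domain: str) -> int:
    """A query the cloud application might run. On tokenized records it finds
    nothing, because the tokens contain no part of the address."""
    return sum(1 for r in records if str(r.get("email", "")).endswith(domain))


# Constructed sample data, not real customers.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.com", "plan": "gold"},
    {"id": 2, "name": "Ben Muster", "email": "ben@example.org", "plan": "basic"},
    {"id": 3, "name": "Anna Example", "email": "anna@example.com", "plan": "trial"},
]


def demo():
    """Run the sample records out through the gateway and back again."""
    gateway = CloudGateway(TokenVault())
    tokenized = [gateway.outbound(r) for r in SAMPLE_RECORDS]
    restored = [gateway.inbound(r) for r in tokenized]
    return tokenized, restored


if __name__ == "__main__":
    tokenized, restored = demo()
    for clear, tok in zip(SAMPLE_RECORDS, tokenized):
        print(tok, "leaks:", leaked_fields(clear, tok))
    print("round trip ok:", restored == SAMPLE_RECORDS)
```

Run it and the printed records show only ids, plan names and opaque tokens, while the round trip through `inbound` restores the originals. The design choice worth noting is the deterministic mapping: it is what lets the cloud CRM still match two records for the same customer, at the price that an attacker who can observe the token stream learns which records share a value. For unstructured data in collaboration tools, where users need the content itself, this trade-off is why the interview points to encryption instead.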