What is the General Data Protection Regulation (GDPR)?

The European General Data Protection Regulation went into effect in May 2018, and organizations globally face dramatic increases in requirements to protect private information and severe penalties for breaches. Although it was created by the EU, the GDPR has international reach, covering the personal information of European citizens wherever it is distributed globally.

The Cloud Raises GDPR Challenges

The cloud has been a lightning rod for data privacy issues and often raises difficult compliance issues. Even with the best cloud providers, you can’t guarantee security if you don’t know where your data is or who might have access to it. CipherCloud restores your direct control over private data wherever it goes in the cloud. Our industry-leading encryption and tokenization solutions have been widely deployed to meet global compliance requirements and are ideally suited for the GDPR.

The Data Controller is Always Responsible for Securing Data

The GDPR is explicit that data controllers must implement “appropriate technical and organizational protection measures” to secure private data. If you put sensitive data in the cloud, you will always bear the risk of penalties if there is a data breach. But with CipherCloud you can proactively protect sensitive data and not risk exposure to outsiders, as required by the GDPR.

Avoid Breach Notifications

Public breach notification has long been required in the U.S., but it is new to Europe. The GDPR requires notification within 72 hours of any possible data breach. However, the law also states that if lost data has been adequately pseudonymized and the controller has retained the keys, then it does not constitute a breach and does not require notification. CipherCloud data protection can deliver enormous value by eliminating the disastrous impact of a public breach event.


Pseudonymization is difficult to spell but is a critical part of the GDPR. It refers to technologies like encryption or tokenization that can mask sensitive data, making the data effectively anonymous and not subject to the regulation. But the law is explicit that encryption keys must be kept by the data controller, separate from the data storage. This means it’s not adequate for a cloud provider to do the encryption themselves if they have access to the keys. With CipherCloud, the customer always maintains exclusive control over encryption keys or token databases, making it a very effective solution for the GDPR.

Reduce Your Audit Scope

The GDPR creates lots of work for most organizations, and anything that reduces audit scope is invaluable. The cloud poses specific auditing challenges because customers cannot directly assess or audit cloud provider practices. Additionally, there are inevitably large numbers of people and processes that can touch your data but over which you have no control. Using CipherCloud to protect regulated data before it leaves your organization, while controlling the process and keys, can dramatically simplify GDPR compliance by eliminating cloud providers from the audit scope.

CipherCloud Helps GDPR Compliance with:

  • Strong encryption and tokenization for cloud data, meeting GDPR standards for data protection
  • Encryption keys controlled exclusively by customers, meeting “pseudonymization” requirements
  • Exemption from breach notification requirements by effectively anonymizing data
  • Technology specifically called for to meet Privacy by Design and Default principles
  • Dramatic reduction in audit scope by removing data exposure to cloud providers

