The European General Data Protection Regulation (GDPR) became enforceable in May 2018, and organizations globally now face far stricter requirements to protect personal data, together with severe penalties for failing to do so. Although it was created by the EU, the GDPR has international reach: it covers the personal data of individuals in the EU wherever that data is processed, including by organizations with no European presence.
The cloud has been a lightning rod for data privacy issues and often raises difficult compliance issues. Even with the best cloud providers, you can’t guarantee security if you don’t know where your data is or who might have access to it. CipherCloud restores your direct control over private data wherever it goes in the cloud. Our industry-leading encryption and tokenization solutions have been widely deployed to meet global compliance requirements and are ideally suited for the GDPR.
The GDPR is explicit that data controllers and processors must implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk (Article 32), and it names "the pseudonymisation and encryption of personal data" as the first example of such a measure. If you put personal data in the cloud, the controller remains accountable and will always bear the risk of penalties if there is a data breach; outsourcing the storage does not outsource the liability. But with CipherCloud you can proactively protect sensitive data before it leaves your control and not expose it to outsiders, as the GDPR requires.
Public breach notification has long been required in the U.S. but it is new to Europe. The GDPR requires notifying the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals (Article 33); affected individuals must also be informed when the risk is high (Article 34). Strong protection changes that calculus. Under Article 34(3)(a), if the exposed data was protected by measures such as encryption that render it unintelligible to anyone not authorized to access it, and the keys themselves were not exposed, the controller is not required to notify the affected individuals, and the loss of unreadable data will often fall below the risk threshold that triggers notification to the authority. The incident is still a breach that must be recorded internally (Article 33(5)), but it need not become a public event. CipherCloud data protection can deliver enormous value by removing the plaintext exposure that turns an incident into a disastrous public breach.
It's difficult to spell but is a critical part of the GDPR. Pseudonymization is defined in Article 4(5) as processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, provided that the additional information is kept separately and protected by technical and organisational measures. Encryption and tokenization are the usual ways to achieve this. Pseudonymized data is still personal data under the GDPR (Recital 26), so it does not drop out of the regulation, but the regulation repeatedly rewards it: as a security measure (Article 32), as data protection by design (Article 25), and in the breach notification rules. The requirement that the additional information be kept separately is the critical one. It means it is not adequate for a cloud provider to do the encryption themselves if they also have access to the keys, because the ciphertext and the means to reverse it would then sit with the same party. With CipherCloud, the customer always maintains exclusive control over encryption keys or token databases, which is exactly the separation the definition calls for.
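The separation described above, as an added example that is not CipherCloud's code: records are pseudonymized on the controller's side before they go to the cloud, and the "additional information" needed to re-identify them (a token vault for direct identifiers and an HMAC key for join keys) never leaves the organization. The field names, the sample record and the split between reversible tokens and one-way pseudonyms are assumptions made for the illustration; only the Python standard library is used.

```python
"""Field-level pseudonymization before data leaves the organization.

Added example (not CipherCloud code). The pseudonymized copy of a record is
what the cloud receives; the token vault and the HMAC key that would reverse
or confirm it stay with the controller, as GDPR Article 4(5) requires.
"""
import hashlib
import hmac
import json
import secrets

# Assumed classification of fields for this example.
DIRECT_IDENTIFIERS = ("name", "email")   # replaced by random, reversible tokens
JOIN_KEYS = ("customer_id",)             # replaced by keyed, deterministic pseudonyms


class TokenVault:
    """Maps random tokens back to plaintext. Lives on-premises, never in the cloud."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for an already-seen value so repeated records stay consistent.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(16)   # 128 random bits: no relation to the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymize(record: dict, vault: TokenVault, join_key: bytes) -> dict:
    """Return the copy of `record` that is allowed to leave the organization."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tokenize(out[field])
    for field in JOIN_KEYS:
        if field in out:
            # Keyed hash: same input -> same pseudonym, so joins still work in the
            # cloud, but without join_key nobody can confirm or reverse a guessed value.
            mac = hmac.new(join_key, out[field].encode(), hashlib.sha256).hexdigest()
            out[field] = "pid_" + mac[:32]
    return out


def reidentify(cloud_record: dict, vault: TokenVault) -> dict:
    """Recover direct identifiers. Needs the vault, which only the controller holds;
    the HMAC pseudonyms are one-way by design and are left as they are."""
    out = dict(cloud_record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def leaks_plaintext(cloud_record: dict, original: dict) -> bool:
    """Control check: does anything sent to the cloud contain an identifier verbatim?"""
    blob = json.dumps(cloud_record)
    return any(original[f] in blob
               for f in DIRECT_IDENTIFIERS + JOIN_KEYS if f in original)


# Constructed sample record (not real data).
ORIGINAL = {"customer_id": "C-1001", "name": "Erika Mustermann",
            "email": "erika@example.com", "order_total": "42.00"}

if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)          # in practice held in the controller's KMS/HSM
    to_cloud = pseudonymize(ORIGINAL, vault, key)
    print(json.dumps(to_cloud, indent=2))
    print("plaintext leaked:", leaks_plaintext(to_cloud, ORIGINAL))
    print("re-identified locally:", reidentify(to_cloud, vault))
```

The two mechanisms cover the two things a cloud application usually needs: direct identifiers become random tokens that carry no information about the value and can only be reversed through the vault, while join keys become keyed pseudonyms that stay consistent across records so the cloud side can still correlate them. Someone who obtains the cloud copy alone holds neither the vault nor the key, which is the situation Article 34(3)(a) has in mind.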
The GDPR creates a great deal of work for most organizations, and anything that reduces audit scope is invaluable. The cloud poses specific auditing challenges because customers typically cannot directly assess or audit a cloud provider's practices, and there are inevitably large numbers of people and processes that can touch your data but over which you have no control. Using CipherCloud to protect regulated data before it leaves your organization, while keeping the process and the keys under your control, can dramatically simplify GDPR compliance: the provider no longer handles readable personal data, which removes its staff, systems and sub-processors from the part of the audit that matters most. The provider still remains a processor that needs an Article 28 contract, but the plaintext exposure you would otherwise have to account for is gone.