EU Compliance Evolves
The General Data Protection Regulation (GDPR), proposed by the European Commission, will strengthen and unify data protection for individuals within the European Union (EU), while also addressing the export of personal data outside the EU.
The announcement of an agreement to finalize GDPR was made in December 2015 and following a vote by the EU parliament, the compliance deadline for GDPR was set for May 2018. The GDPR requirements as well as the amount of internal collaboration that will be needed to address them means organizations need to plan for compliance now.
The primary objective of the GDPR is to give citizens back control of their personal data. Once GDPR takes effect it will harmonize previous and other data protection regulations throughout the EU.
GDPR Compliance Requirements
This EU compliance regulation will have a far-reaching impact on organizations throughout the world.
With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.
If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:
However, GDPR does provide exceptions based on whether appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible, through encryption, to any person not authorized to access it is not mandated to notify the affected record owners.
The chances of being fined are also reduced if the organization is able to demonstrate that a “Secure Breach” has taken place.
To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
Servers, including via file, application, database, and full disk virtual machine encryption.
Storage, including through network-attached storage and storage area network encryption.
Media, through disk encryption.
Networks, for example through high-speed network encryption.
In addition, strong key management is required not only to protect the encrypted data, but also to ensure the deletion of files and to comply with a user’s right to be forgotten: destroying the key under which a record was encrypted renders that record permanently unintelligible, even where copies of the ciphertext remain.
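The two points above, data made unintelligible by encryption and deletion enforced through key management, can be shown together in one working example. The following Go program is an added illustration and is not Gemalto's code or part of any product described on this page. It assumes a per-subject data-encryption key (DEK) wrapped under a master key-encryption key (KEK) using AES-256-GCM from the Go standard library; the in-memory KEK stands in for a key that would in practice live in an HSM or key manager. Erasing the wrapped DEK ("crypto-shredding") satisfies an erasure request even when the ciphertext itself lingers in backups or replicas, because nobody can recover the plaintext without the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store is a constructed, in-memory stand-in for an application database plus
// key manager. Each data subject gets its own DEK, stored only in wrapped form.
type Store struct {
	kek        []byte            // master key; assumed to live in an HSM/KMS in practice
	wrappedDEK map[string][]byte // subject ID -> DEK encrypted under the KEK
	records    map[string][]byte // subject ID -> personal data encrypted under the DEK
}

// NewStore generates a random 256-bit KEK and empty key and record tables.
func NewStore() (*Store, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &Store{kek: kek, wrappedDEK: map[string][]byte{}, records: map[string][]byte{}}, nil
}

// seal encrypts plaintext with AES-256-GCM under key and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a wrong key or tampered ciphertext fails authentication.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// dek unwraps the subject's DEK; once the wrapped key is gone there is no way back.
func (s *Store) dek(subject string) ([]byte, error) {
	wrapped, ok := s.wrappedDEK[subject]
	if !ok {
		return nil, errors.New("no key for subject: data is unrecoverable")
	}
	return open(s.kek, wrapped)
}

// Put encrypts a subject's record, minting and wrapping a fresh DEK on first use.
func (s *Store) Put(subject string, data []byte) error {
	if _, ok := s.wrappedDEK[subject]; !ok {
		dek := make([]byte, 32)
		if _, err := rand.Read(dek); err != nil {
			return err
		}
		w, err := seal(s.kek, dek)
		if err != nil {
			return err
		}
		s.wrappedDEK[subject] = w
	}
	dek, err := s.dek(subject)
	if err != nil {
		return err
	}
	ct, err := seal(dek, data)
	if err != nil {
		return err
	}
	s.records[subject] = ct
	return nil
}

// Get decrypts a subject's record; it fails after the DEK has been shredded.
func (s *Store) Get(subject string) ([]byte, error) {
	dek, err := s.dek(subject)
	if err != nil {
		return nil, err
	}
	return open(dek, s.records[subject])
}

// Forget honours an erasure request by destroying the subject's wrapped DEK.
// The ciphertext is deliberately left in place to show it is now useless.
func (s *Store) Forget(subject string) {
	delete(s.wrappedDEK, subject)
}

func main() {
	s, _ := NewStore()
	_ = s.Put("subject-42", []byte("constructed sample: name, e-mail, postcode"))
	pt, _ := s.Get("subject-42")
	fmt.Printf("before erasure: %s\n", pt)
	s.Forget("subject-42")
	_, err := s.Get("subject-42")
	fmt.Printf("after erasure: ciphertext still stored (%d bytes), decrypt error: %v\n",
		len(s.records["subject-42"]), err)
}
```

The design point is that the audit trail for an erasure request becomes a key-management event rather than a search for every copy of a record; the same per-subject key separation also limits what an attacker learns from a single stolen DEK.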
Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.
Gemalto offers the only complete data protection portfolio that works together to provide persistent protection and management of sensitive data, which can be mapped to the GDPR framework.
Download Gemalto’s GDPR eBook to see how Gemalto can help you identify the key aspects of GDPR and what steps to take to address its requirements.