
EU Compliance: General Data Protection Regulation (GDPR)


EU Compliance Evolves

The General Data Protection Regulation (GDPR), proposed by the European Commission, will strengthen and unify data protection for individuals within the European Union (EU), whilst also addressing the export of personal data outside the EU.

The announcement of an agreement to finalize GDPR was made in December 2015 and, following a vote by the EU parliament, the compliance deadline for GDPR was set for May 2018. The scope of the GDPR requirements, and the amount of internal collaboration needed to address them, means organizations need to plan for compliance now.

The primary objective of the GDPR is to give citizens back control of their personal data.  Once GDPR takes effect it will harmonize previous and other data protection regulations throughout the EU.


Data Compliance Experts address security needs arising from GDPR

Get the White Paper

GDPR Compliance Requirements

This EU compliance regulation will have a far reaching impact for organizations throughout the world. 

With the demise of Safe Harbor, U.S. companies that export and handle the personal data of European citizens will also need to comply with the new requirements put forth or be subject to the same consequences.

If your organization suffers a data breach, under the new EU compliance standard, the following may apply depending on the severity of the breach:

  • Your organization must notify the local data protection authority and potentially the owners of the breached records

  • Your organization could be fined up to 4% of global turnover or €20 million

However, GDPR does provide exceptions based on whether the appropriate security controls are deployed within the organization. For example, a breached organization that has rendered the data unintelligible through encryption to any person who is not authorized to access it is not mandated to notify the affected record owners.

The chances of being fined are also reduced if the organization is able to demonstrate that a “Secure Breach” has taken place.

To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  • Servers, including via file, application, database, and full disk virtual machine encryption.

  • Storage, including through network-attached storage and storage area network encryption.

  • Media, through disk encryption.

  • Networks, for example through high-speed network encryption.

In addition, strong key management is required not only to protect the encrypted data, but also to ensure the deletion of files and to comply with a user’s right to be forgotten.

Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable.

Gemalto offers the only complete data protection portfolio that works together to provide persistent protection and management of sensitive data, which can be mapped to the GDPR framework.

No single solution will make an organization GDPR compliant. The regulation is too broad – covering everything from governance to contractual obligations. However, Gemalto’s SafeNet portfolio of solutions can help organizations comply with the mandate’s data security obligations.

Security requirements are interspersed throughout the law’s text. They can be grouped along the following themes:

GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.

According to GDPR organizations must:

  • Only process data for authorized purposes
  • Ensure data accuracy and integrity
  • Minimize subjects’ identity exposure
  • Implement data security measures

Encryption keeps data in an unreadable state unless a user or process presents the appropriate key. In accordance with GDPR, this simple control method can restrict data processing only for authorized use, and restrict the amount of time that people are identifiable by their data. Encryption also prevents unauthorized data manipulation; limiting data access to authorized users and monitoring key usage greatly reduces the ability for data to change without authorization. Organizations properly using encryption and its access controls can demonstrate their data’s integrity.

Multi-factor authentication is the first line of defense in any scenario. Strong authentication controls which users have access to the network and the resources found within. By assigning credentials to individuals, organizations can track access to resources to monitor internal risks. Multi-factor authentication also makes it more difficult for unauthorized users to access sensitive resources. For both known and unknown threats, multi-factor authentication raises the barriers to data access making it easier for an organization to stay in control of their data.


GDPR puts security at the service of privacy. Security obligations are covered in Articles 6, 25, 28, and 32. To preserve subjects’ privacy, organizations must implement:

  • Data protection by design and by default
  • Security as a contractual requirement with their partners and service providers
  • Encryption or pseudonymization
  • Security measures that respond to their risk assessment
  • Safeguards if they are to keep data for additional processing

GDPR specifically calls out encryption as a security requirement. In addition, organizations will need to conduct risk assessments and then adopt measures that mitigate the risks that they find. Since no organization can identify all of the risks to their data, and no perimeter security approach is foolproof, organizations should encrypt their data to ‘secure the breach’. With encryption, it doesn’t matter if there is a breach, data will be protected regardless.

Multi-factor authentication can control access to network resources used to process data. To safeguard data against unauthorized processing, organizations can assign and change authentication settings to restrict additional processing after the first instance is complete. It can also mitigate the risks identified in the organization’s risk assessment, or protect access to data as it is shared with third-party partners.


Even after data is collected, individuals still have a claim to, and a certain amount of control over, that data. ‘Right to Erasure’ is covered in Articles 17 and 28. GDPR requires organizations to completely erase data from all repositories when:

  • A data subject revokes their consent (‘Right to be forgotten’)
  • A partner organization requests data deletion
  • A service or agreement comes to an end

When an individual revokes consent to the use of their data, when a partner organization recalls data it has shared, or at the end of a service’s term, organizations will need to completely erase the data concerned. This is a difficult requirement because simply deleting data doesn’t fully remove it from disk, and copies may exist in replicas and backups. To fully comply, organizations can encrypt data and then delete the key. This data deletion method renders the data completely and permanently unreadable wherever a copy of the ciphertext remains.


Organizations must assess risks to privacy and security, and demonstrate they’re taking appropriate steps to keep privacy safe in light of their findings. These obligations are outlined in Articles 2, 24 and 28. To mitigate risks and perform due diligence, organizations must:

  • Conduct a full risk assessment
  • Implement measures to ensure and demonstrate compliance
  • Proactively help partners and customers comply
  • Demonstrate full data control

When an organization contracts with a partner or third-party service, it does not relinquish its responsibility for the data’s security. In fact, organizations will be contractually obligated to help each other with security and to mitigate risks. Because encryption attaches security directly to the data, it assures the data’s safety and keeps the principal organization in control even after the data has left the organization’s sight.


When a security breach threatens the rights and privacy of a data subject, organizations need to notify customers and their supervisory authority. Breach notification obligations are outlined in Articles 33 and 34. Under GDPR, organizations are obligated to:

  • Notify their supervisory authority within 72 hours
  • Describe the data breach’s consequences
  • Communicate the breach directly to data subjects

If a breach exposes unprotected data, organizations will need to notify the supervisory authority for their region and the affected customers. However, if the data is encrypted and key management best practices are followed, organizations can avoid these notification obligations, because notification is only required when the rights and freedoms of the data subject are at risk.


Download Gemalto’s GDPR eBook to see how Gemalto can help you identify the key aspects of GDPR and what steps to take to address its requirements.


The General Data Protection Regulation

Get the Expanded Ebook

Are You Ready for GDPR? - Flyer

Get this resource

Learn More About EU Regulations

Getting started with GDPR, Privacy and Applying Appropriate Security Controls - Webinar


Join (ISC)² and Gemalto in this on-demand webinar to find out what you should know about the new General Data Protection Regulation: background, what is changing, penalties for getting it wrong, security implications and more.

Watch our on-demand webinar

Prepare for GDPR

From the physical and virtual data center to the cloud, Gemalto helps organizations remain protected, compliant, and in control. Gemalto encryption and cryptographic key management products enable organizations to secure sensitive data in databases, applications, storage systems, virtualized platforms, and cloud environments.

Contact us for help addressing GDPR