If you are in the IT business and you have not yet heard of the General Data Protection Regulation (GDPR), you might need to read this blog ASAP. If you have heard of it but are not sure what it is all about…same as above.
Like most government regulations, GDPR is long and uses words that are even longer. If you have your pocket data dictionary handy, you can try to look up some of the more obfuscatory terms but very likely will not find them. There are a few benefits to spending some time understanding this regulation, officially called “Regulation (EU) 2016/679.”
GDPR was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union. It is broad in its scope and reach across the EU, and the consequences for non-compliance can be severe. If you are now worried that you may be out of compliance because you have not even read it yet, do not get your knickers in a twist. Although the GDPR was adopted in April 2016, it does not apply until 25 May 2018. So in the meantime, let’s take a quick look at the purpose, scope and non-compliance consequences.
According to Wikipedia, GDPR is a regulation intended to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objective of the regulation is to give residents control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In general, regulatory compliance can be cumbersome and costly. The GDPR, however, unifies data protection regulations across the EU, making it easier for international companies to understand and comply with one regulation rather than many conflicting ones. The penalty for non-compliance, on the other hand, can be pretty severe. Sanctions range from a warning for a first or unintentional infringement up to fines of 20,000,000 EUR or 4% of worldwide annual turnover, whichever is higher, for the most serious cases.
Organizations that decide why and how personal data of EU residents is collected and used (controllers) and organizations that process data on behalf of controllers (processors), such as cloud service providers and similar contractors, are governed by this regulation. Even organizations based outside the EU that collect or process personal data of individuals in the EU are responsible for GDPR compliance. It does not matter if your organization is small or global. If your business is deemed a “controller” or a “processor”, you must comply with GDPR.
According to Florian Douetteau, CEO at Dataiku, here are four key steps to get ready for GDPR compliance:
Application: As stated above, all companies processing or controlling personal data that have customers in the EU need to comply. Even companies in the UK, post-Brexit, who have customers in the EU will be governed by GDPR.
Data subjects’ rights: Data subjects are the individuals (customers, employees, site visitors) whose personal data a company holds. Data subjects have expanded privacy rights, including the right to erasure, the right to access their data, and the right not to be subject to decisions made purely on an automated, algorithmic basis.
Internal record keeping requirements: There are specific requirements to keep records of processing activities, and for some organizations this includes the appointment of a Data Protection Officer.
So, you have been reading a lot about GDPR, but have not seen anything yet about pseudonymisation or anonymisation. Remember how government regulations often use long words to define a relatively simple concept? Here is an example: pseudonymisation describes encryption, keyed hashing, tokenisation or other methods of disguising data so that it can no longer be attributed to a specific data subject without additional information, typically a key or a lookup table. Further, that additional information must be kept separately from the pseudonymised data and protected by its own technical and organisational measures. One caveat that the regulation is explicit about: pseudonymised data is still personal data, because someone holding the key can re-identify the subject, so it stays in scope of GDPR. Only data that has been anonymised, meaning the subject can no longer be identified by any means reasonably likely to be used, falls outside it. Pseudonymisation is encouraged because it reduces risk; it does not make the regulation go away.
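As an added illustration of the distinction just made (this is example code written for this page, not code from the original post or from Network Critical), the following Python sketch pseudonymises a constructed customer data set with a keyed hash, keeps the key and the re-identification table apart from the data set, and shows why an unkeyed hash of an email address is not anonymisation: anyone with a list of candidate addresses can reverse it. The record layout, field names and sample addresses are assumptions made for the example.

```python
"""Pseudonymisation with a keyed hash; key and re-identification table held
separately from the pseudonymised data set (example code, not from the post)."""
import hashlib
import hmac
import secrets

# Constructed sample data set for the example: these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.com", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]


def make_key() -> bytes:
    # 256-bit secret; in practice this lives in a KMS/HSM, not beside the data.
    return secrets.token_bytes(32)


def token_for(identifier: str, key: bytes) -> str:
    # HMAC-SHA256 token: deterministic under one key, so all records of one
    # subject stay linkable for analytics, but unlinkable to the identifier
    # for anyone who does not hold the key.
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised data set, re-identification table).

    The table maps token -> identifier. It is the 'additional information'
    of GDPR Art. 4(5) and must be stored apart from the data set, under
    tighter access control than the data set itself."""
    dataset, table = [], {}
    for rec in records:
        tok = token_for(rec["email"], key)
        table[tok] = rec["email"]
        dataset.append({"subject": tok, **{k: v for k, v in rec.items() if k != "email"}})
    return dataset, table


def reidentify(token: str, table: dict):
    # Only the party holding the separately stored table can do this.
    return table.get(token)


def handle_erasure(dataset, table, identifier: str, key: bytes):
    """Right to erasure: derive the token from the identifier with the key,
    drop the subject's rows and remove the re-identification entry."""
    tok = token_for(identifier, key)
    table.pop(tok, None)
    return [row for row in dataset if row["subject"] != tok]


def unkeyed_token(identifier: str) -> str:
    # Anti-pattern: a plain hash of a low-entropy identifier such as an email.
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def dictionary_attack(target_token: str, candidates, token_fn):
    """Try to recover an identifier by tokenising a candidate list.
    Works against unkeyed_token; fails against token_for unless the
    attacker also has the key, which is exactly why the key is kept apart."""
    for cand in candidates:
        if hmac.compare_digest(token_fn(cand), target_token):
            return cand
    return None


if __name__ == "__main__":
    key = make_key()
    data, lookup = pseudonymise(SAMPLE_RECORDS, key)
    print("pseudonymised rows:", data)
    print("re-identified first row:", reidentify(data[0]["subject"], lookup))
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]
    print("unkeyed hash reversed:", dictionary_attack(unkeyed_token("alice@example.com"), guesses, unkeyed_token))
    print("keyed token reversed without key:", dictionary_attack(data[0]["subject"], guesses, unkeyed_token))
```

The practical point for a compliance programme: the keyed data set can be handed to analysts or a processor, but access and erasure requests still have to be fulfilled, so the key holder must keep a working `reidentify`/`handle_erasure` path. If the data set and the key ever sit in the same place with the same access rights, the data is no longer pseudonymised in any meaningful sense.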
Of course there are many other requirements for GDPR compliance such as 'Privacy by Design and Default', 'Data Portability', 'Data Breach Notification' and more. Certain appliances, such as Data Loss Prevention and Intrusion Prevention Systems, may assist in protecting against what can be very expensive breaches and sanctions for non-compliance. These appliances can be simply and safely attached to data links by using TAPs and packet brokers without risking network performance. So, while you are preparing for GDPR compliance coming next year, be sure your perimeter protection is also up-to-date with appropriate traffic visibility and link security. For more information on visibility and perimeter protection, go to www.networkcritical.com.
It might be a little bit of a challenge working pseudonymisation into a cocktail party dialog. However, if you can, your friends will be gobsmacked.