The Regulation

The General Data Protection Regulation (GDPR) is the new data protection regulation from the EU, released in May 2016 with an implementation date of May 25, 2018. The GDPR takes data protection to an entirely new level.

It is difficult to overstate the importance of the GDPR. First, it is very wide-ranging, and;

Will impact almost every organization that is based in the EU, as well as every organization that does business in the EU, even if based abroad.

Second, the GDPR is extremely serious. For too long, EU legislators and DPAs have felt that organizations do not take their data protection responsibilities seriously enough, and;

The GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million, or four percent of worldwide turnover—numbers that are specifically designed to attract C-Suite attention.

Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency;

It imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organizations.

Satisfying these requirements will prove to be a serious challenge for many organizations.

The rules will govern how private customer data is transmitted, stored and processed and will have implications for cloud-based data solutions. Among the requirements are the following:

  1. Ensuring appropriate data security through the implementation of technical and organizational measures including “pseudonymisation and encryption of personal data”
  2. Putting in place testing, assessing and evaluation procedures to check the effectiveness of the data security measures
  3. Communicating data breaches “without undue delay” to the subjects who have had their personal data exposed, when the data breach is likely to affect the rights and freedoms of the subjects

Based on examples from the United States, companies forced to report data breaches to their customers suffer reduced profits, lower stock prices and job losses at the executive level. The GDPR add substantial fines to these risks and the rules have teeth. If you process the personally identifiable data of EU residents, you need to put in place effective additional security measures and get ready to comply.

CloudMask End-to-End protection

Industry Regulations

"Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law." Will GDPR Change the World? - UK ICO 

CloudMask Dynamic Data Masking (DDM), runs on the end device where the data is created to protect the data end-to-end, no gateway needed. Data protection using CloudMask either complies with the GDPR requirements or avoids specific obligations by pseudonymising the data to remove the possibility of personal identification. The draft text on the obligation to notify subjects of a data breach states:

“The communication to the data subject … shall not be required if: … the controller has implemented appropriate technical and organisational protection measures … to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorized to access it, such as encryption....” Article 34 - EU GDPR

Because CloudMask with Dynamic Data Masking (DDM) encrypts sensitive data, the application satisfies the GDPR requirement for technical data protection measures. When a data breach exposes your data, it will be unintelligible to the unauthorized individual and you will not have to notify the subjects of the data breach. 

Your data is protected using the secret keys that you create. Keys reside only on your devices: Only with your keys can data be decrypted. They are never transmitted or shared with anyone. Watch Video

Encrypting Both Structured and Unstructured Data

Some of your customer data may be in databases in a structured format but you may also store unstructured data such as emails. CloudMask can encrypt many kinds of data, both structured and unstructured, and makes sure that personally identifiable information is encrypted wherever it might be found.

Testing, Assessing and Evaluating the Effectiveness of Data Security

To satisfy the evaluation requirements of the GDPR, CloudMask generates detailed security event logs that record an auditable trail of permitted and denied access attempts by users and processes. Such logs can provide an unprecedented insight into file access activities and they can record unusual or improper data access. The logs can form the basis for a Security Information and Event Management (SIEM) system to produce the security reports necessary for GDRP compliance and they can accelerate the detection of insider threats, hackers and the presence of advanced persistent threats (APT) past the security perimeter.

See the Potential with End-to-End Encryption for Google