The General Data Protection Regulation (GDPR) is the EU's new data protection regulation, published in May 2016 and applying from May 25, 2018. The GDPR takes data protection to an entirely new level in three ways.

First, it is very wide-ranging. It applies to almost every organization established in the EU, and also to organizations based elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU.

Second, the GDPR is extremely serious. For too long, EU legislators and data protection authorities (DPAs) have felt that organizations do not take their data protection responsibilities seriously enough, and the GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million or four percent of worldwide annual turnover, numbers that are specifically designed to attract C-suite attention.

Third, the GDPR raises the bar for compliance significantly. It requires greater openness and transparency, it imposes tighter limits on the use of personal data, and it gives individuals more powerful rights to enforce against organizations. Satisfying these requirements will prove to be a serious challenge for many organizations.
The rules will govern how private customer data is transmitted, stored and processed and will have implications for cloud-based data solutions. Among the requirements are the following:
Based on examples from the United States, companies forced to report data breaches to their customers have suffered reduced profits, lower stock prices and job losses at the executive level. The GDPR adds substantial fines to these risks, and the rules have teeth. If you process the personal data of individuals in the EU, you need to put effective additional security measures in place and get ready to comply.
"Any business with data in the cloud needs to take adequate precautions and controls. If someone else is processing your data the risks of GDPR exposure are huge. Even if it's encrypted at rest, when it's processed it gets decrypted and can be accessible in many forms - in memory, logs, cached, temporary storage, or search results."
CloudMask Dynamic Data Masking (DDM) runs on the end device where the data is created, so the data is protected end-to-end with no gateway needed. Data protection using CloudMask is intended either to satisfy the GDPR's technical requirements directly or to reduce specific obligations by pseudonymising the data so that it can no longer be attributed to a person without additional information (Article 4(5)). One caveat: under Recital 26, pseudonymised data remains personal data as long as that additional information, here the keys, exists, so pseudonymisation narrows obligations rather than removing the data from the GDPR's scope. Article 34(3) on the obligation to communicate a data breach to the data subject states:
“The communication to the data subject … shall not be required if: … the controller has implemented appropriate technical and organisational protection measures … to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorized to access it, such as encryption....” Article 34 - EU GDPR
Because CloudMask with Dynamic Data Masking (DDM) encrypts sensitive data, it provides the kind of technical protection measure that Article 34(3)(a) refers to. If a breach exposes the encrypted data but not the keys, the data will be unintelligible to the unauthorized party and the obligation to communicate the breach to the data subjects may not apply. Two caveats: the exemption depends on the measures having actually been applied to the affected data and on the keys not being compromised along with it, and it covers only communication to data subjects. Notification to the supervisory authority under Article 33 (within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals) is a separate obligation.
Your data is protected with secret keys that you create. The keys reside only on your devices and are never transmitted or shared with anyone; only with your keys can the data be decrypted.
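To make concrete what pseudonymisation in the Article 4(5) sense does and does not do, here is an added example in Python. It is not CloudMask's implementation, and the record layout and field names (`email`, `national_id`) are assumptions. Identifying fields are replaced with keyed-hash tokens (HMAC-SHA256) under a key that is generated and kept on the device, separately from the data. The same input always yields the same token, so pseudonymised records can still be linked and processed, but a token cannot be reversed without the key. The last function shows the flip side: whoever holds the key can re-identify a token by recomputing it over a list of candidates, which is exactly why the GDPR still treats pseudonymised data as personal data.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Hypothetical identifying fields; a real deployment would derive this list from its data inventory.
IDENTIFIERS = ("email", "national_id")


def make_pseudonymisation_key() -> bytes:
    """Generate the key on the device. It is the 'additional information' of Article 4(5)
    and must be stored separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise_value(value: str, key: bytes) -> str:
    """Keyed hash of one identifier. Deterministic for a given key (records stay joinable),
    not reversible without the key, and a different key gives unrelated tokens."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "pn_" + digest[:32]


def pseudonymise_record(record: dict, key: bytes, fields=IDENTIFIERS) -> dict:
    """Return a copy of the record with the identifying fields replaced by tokens.
    Non-identifying fields are left untouched so the data remains usable."""
    out = dict(record)
    for field in fields:
        if out.get(field) is not None:
            out[field] = pseudonymise_value(str(out[field]), key)
    return out


def reidentify(token: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Recover the original value from a token by recomputation over candidate values.
    Only someone holding the key can do this, which is why the key, not the data,
    is what has to be protected, and why the data is still 'personal' while the key exists."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise_value(candidate, key), token):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample record, not real customer data.
    record = {"email": "jane@example.org", "national_id": "AB123456",
              "purchase": "laptop", "amount": 1299}
    key = make_pseudonymisation_key()
    stored = pseudonymise_record(record, key)
    print("stored in the cloud:", stored)
    print("re-identified with the key:",
          reidentify(stored["email"], ["bob@example.org", "jane@example.org"], key))
```

The token prefix and 128-bit truncation are conventions chosen for the example; what matters is that the key is random, device-held and never uploaded alongside the data. If the key is copied into the same cloud environment as the pseudonymised records, the Recital 26 reasoning applies with full force and the processor can re-identify everyone.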
Encrypting Both Structured and Unstructured Data
Some of your customer data may be in databases in a structured format but you may also store unstructured data such as emails. CloudMask can encrypt many kinds of data, both structured and unstructured, and makes sure that
Testing, Assessing and Evaluating the Effectiveness of Data Security
To satisfy the GDPR's requirement for a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures (Article 32(1)(d)), CloudMask generates detailed security event logs that record an auditable trail of permitted and denied access attempts by users and processes. Such logs give insight into file access activity and record unusual or improper data access. They can be fed into a Security Information and Event Management (SIEM) system to produce the security reports needed for GDPR compliance, and they can accelerate the detection of insider threats, intruders and advanced persistent threats (APTs) that have got past the security perimeter. Note that the logs themselves contain personal data (user identities and file names), so they need the same access controls and retention limits as any other processing.
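The kind of log review described above, as an added example that is not CloudMask's code: the log line format, the field names (`user`, `proc`, `file`, `result`) and the thresholds are assumptions, since the page does not specify them, and the sample log is constructed. The detector flags a user/process pair that accumulates several denied access attempts inside a short window, and records whether an allowed access by the same actor followed the burst, the "probe until something opens" pattern one would forward to a SIEM as a possible insider or compromised-account event.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Hypothetical access-log line format (not CloudMask's real format): one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"user=(?P<user>\S+) proc=(?P<proc>\S+) file=(?P<file>\S+) result=(?P<result>ALLOW|DENY)$"
)

# Constructed sample: a normal user, one stray deny for bob, and a scripted probe by mallory
# that is denied four times in twenty seconds and then succeeds two minutes later.
SAMPLE_LOG = """\
2018-05-25T08:15:02Z user=alice proc=excel.exe file=/finance/q1.xlsx result=ALLOW
2018-05-25T08:16:10Z user=bob proc=outlook.exe file=/hr/salaries.xlsx result=DENY
2018-05-25T08:16:45Z user=bob proc=outlook.exe file=/hr/contracts.docx result=ALLOW
2018-05-25T09:01:00Z user=mallory proc=powershell.exe file=/hr/salaries.xlsx result=DENY
2018-05-25T09:01:05Z user=mallory proc=powershell.exe file=/hr/payroll.csv result=DENY
2018-05-25T09:01:12Z user=mallory proc=powershell.exe file=/finance/q1.xlsx result=DENY
2018-05-25T09:01:20Z user=mallory proc=powershell.exe file=/finance/q2.xlsx result=DENY
2018-05-25T09:03:30Z user=mallory proc=powershell.exe file=/finance/q2.xlsx result=ALLOW
this line is garbage and must be counted, not silently dropped
"""


def parse_line(line):
    """Return an event dict, or None if the line does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def parse_log(text):
    """Parse every non-empty line; malformed lines are counted so log tampering or
    format drift shows up in the report instead of vanishing."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            skipped += 1
        else:
            events.append(event)
    return events, skipped


def detect_denied_bursts(events, threshold=3, window_s=60, follow_s=300):
    """Flag each (user, proc) pair with at least `threshold` DENY events inside `window_s`
    seconds. The alert also records whether the same actor got an ALLOW within `follow_s`
    seconds after the burst, which is the case most worth escalating."""
    by_actor = defaultdict(list)
    for event in events:
        by_actor[(event["user"], event["proc"])].append(event)

    alerts = []
    for (user, proc), actor_events in by_actor.items():
        actor_events.sort(key=lambda e: e["ts"])
        recent = deque()  # DENY events currently inside the sliding window
        burst = None
        for event in actor_events:
            if event["result"] != "DENY":
                continue
            recent.append(event)
            while (event["ts"] - recent[0]["ts"]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= threshold:
                burst = {"user": user, "proc": proc, "denied": len(recent),
                         "first": recent[0]["ts"], "last": event["ts"]}
        if burst is None:
            continue
        burst["allowed_after"] = any(
            e["result"] == "ALLOW" and 0 <= (e["ts"] - burst["last"]).total_seconds() <= follow_s
            for e in actor_events
        )
        alerts.append(burst)
    return alerts


if __name__ == "__main__":
    evs, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {skipped} malformed line(s)")
    for a in detect_denied_bursts(evs):
        print(f"ALERT {a['user']}/{a['proc']}: {a['denied']} denied between "
              f"{a['first'].isoformat()} and {a['last'].isoformat()}, "
              f"allowed afterwards: {a['allowed_after']}")
```

The thresholds are deliberately low so the sample triggers; in production they would be tuned per environment, and the alert dictionary is the shape one would serialise and ship to the SIEM rather than print.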