Data Breaches in a Post-GDPR Era

In a few short months, the EU General Data Protection Regulation (GDPR) will go into effect, subjecting all businesses collecting and processing EU citizen’s data to a new set of stringent regulations. Not only are the penalties for non-compliance higher than ever, steep fines of up to 20 million Euros or 4% of total global turnover, but if 2017 is anything to go by, the number and scale of breaches can only be expected to increase. IT leaders should be prepared not only for customers to hold them accountable but also for the expanded powers of data regulators to enforce penalties should a breach occur.

Under the new regulation, organizations can no longer wait weeks or months to announce a breach. Starting in May of 2018, any discovered breach of EU citizens’ private data must be reported to the appropriate authorities within 72 hours. Even if the incident occurred at a data processor, such as a cloud service provider, businesses collecting the information are considered data controllers under the new law and therefore are still the party responsible for submitting a formal notification once they have been made aware of the breach.

While in the past breach notifications, if a company chose to make one at all, have followed no official format, GDPR seeks to formalize the process moving forward in article 33 of the regulation and requires data controllers to include the following in the report they submit to the authorities:

  1. describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

  2. communicate the name and contact details of the data protection officer orother contact point

    where more information can be obtained;

  3. describe the likely consequences of the personal data breach;

  4. describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

If, after submitting the report, it’s determined that the information accessed in the breach is sensitive enough to cause risk to the data subjects, a company may be required to submit an additional notification to the impacted individuals, an activity that will cost a business not only resources but also brand reputation.

However, the regulation specifies steps that IT security teams can take to ensure a breach notification is not required, most notably “if the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.”

Encryption, in particular, has been used for years as an effective on-premises strategy to ensure data protection. However, few organizations have extended encryption capabilities to the ever-increasing amount of data they are sending to cloud service providers.

While the regulation is vague and non-prescriptive overall about other ‘appropriate safeguards,’ encryption and the pseudonymization of sensitive data is explicitly called out as a means of reducing risk. Data that is appropriately pseudonymized, of which encryption is an effective means of doing so as long as the key remains completely separated from the data, can help organizations demonstrate to authorities and consumers that they are taking appropriate steps to protect sensitive information.

Recently we’ve spoken with several organizations who, thinking it would be impossible to extend any encryption controls to the cloud and maintain service functionality, outright banned the use of IT-sanctioned cloud services in their environments with GDPR on the horizon. Though this approach would allow them exclusive control over their company’s sensitive data, it would also deprive them of the competitive benefits the cloud has to offer.

The Vaultive Cloud Security Platform encrypts data before it’s transmitted to the cloud using keys that remain under the exclusive control of the data owner.

Moreover, Vaultive encryption preserves features to provide a seamless experience for application users, without weakening the core encryption algorithm and can be configured for any cloud service or custom web application without the need for additional development.

Control of and access to the data (by means of the encryption keys) remains with the customer. Even if a cloud service loses data in a breach, or is forced to hand over data in the event of a government subpoena, the result is unintelligible since the data is encrypted and the keys are stored safely elsewhere. This approach simplifies GDPR readiness by ensuring that information is never vulnerable and exposed to a cloud service provider, regardless of the location of the provider’s infrastructure and can significantly reduce or completely remove the need for a formal breach notification under GDPR.

Get in touch today to discuss how we can help you ready your cloud environment before the May deadline.

 

Tags:
,