EU GDPR Compliance
GDPR takes a non-prescriptive approach when it comes to technology, but organizations must show they have taken appropriate measures to ensure the security and privacy of EU citizens' data and to prevent unlawful access. Experts anticipate that the market will define standards over time, but organizations should expect that confirming encryption measures are in place to secure and control data will be among the first steps regulators and legal teams take when investigating GDPR compliance.
Under the GDPR, requirements for breach notifications have become much stricter. Organizations using strong encryption, policy control, and auditing features can show not only that they are taking appropriate steps to mitigate risk, but also that they are reducing breach impact, protecting brand reputation, and saving financial resources by reducing the notification obligations that apply if a data breach occurs.
In addition to simplifying GDPR compliance, automatically encrypting data before it is exposed to the cloud and enforcing policy controls ensures segregation of duties, which is a must for best-practice cloud security. By defining clear roles, an organization can position itself unambiguously as the data controller and leave the cloud service provider (CSP) to do what it does best as a data processor: delivering and maintaining applications and infrastructure.
GDPR places limitations on data transfers in order to protect the data and privacy of EU citizens. By encrypting data before it leaves your trusted network and choosing a solution that supports multiple keys, an organization can ensure that data originating from a specific country is never exposed as cleartext outside that territory and that the encryption keys to unlock it reside only within the organization’s jurisdiction. This is a simple way for organizations to address data transfer requirements without the limitations of local data centers.
Some critics predict that providers may come to be viewed as controllers because their standard operations involve collecting data for analytics and troubleshooting. Organizations can sidestep this uncertainty around evolving roles by ensuring their CSP never has access to their cleartext data.
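The pattern described in the three preceding paragraphs (encrypt before data leaves the trusted network, select the key by the data's country of origin, keep every key in the controller's custody so the CSP only ever stores ciphertext) can be shown end to end. The following is an added example written for this page, not code from the original or from any product it describes. The key table, record contents and jurisdiction codes are constructed; the HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag stands in for AES-GCM so that the example runs on the standard library alone, and a production deployment would use a vetted AEAD and an HSM or KMS in place of the in-memory table.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed key custody table: one key per jurisdiction, generated and held
# by the data controller (this process). Nothing in this table is ever sent to
# the cloud service provider; it stands in for an on-premises KMS or HSM.
KEY_VAULT = {
    "DE": {"key_id": "de-key-01", "key": os.urandom(32)},
    "FR": {"key_id": "fr-key-01", "key": os.urandom(32)},
}


def key_for_origin(country: str) -> tuple:
    """Select the key whose custody matches the record's country of origin."""
    try:
        entry = KEY_VAULT[country]
    except KeyError:
        # Fail closed: never fall back to some other key when the policy has none.
        raise KeyError(f"no key held for jurisdiction {country!r}") from None
    return entry["key_id"], entry["key"]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _tag(key: bytes, nonce: bytes, aad: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC over nonce, associated data and ciphertext.
    return hmac.new(key, b"tag" + nonce + aad + ct, hashlib.sha256).digest()


def _aad(country: str, key_id: str) -> bytes:
    # Origin and key id travel in the clear but are bound to the tag, so they cannot be swapped.
    return json.dumps({"origin": country, "key_id": key_id}, sort_keys=True).encode()


def seal_for_cloud(record: dict, country: str) -> dict:
    """Encrypt a record under its jurisdiction's key before it leaves the trusted network.
    The returned envelope is everything the CSP gets to store."""
    key_id, key = key_for_origin(country)
    nonce = os.urandom(16)
    plaintext = json.dumps(record, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {
        "origin": country,
        "key_id": key_id,
        "nonce": base64.b64encode(nonce).decode(),
        "ct": base64.b64encode(ct).decode(),
        "tag": base64.b64encode(_tag(key, nonce, _aad(country, key_id), ct)).decode(),
    }


def open_from_cloud(envelope: dict) -> dict:
    """Decrypt inside the controller's own jurisdiction; refuses any modified envelope."""
    key_id, key = key_for_origin(envelope["origin"])
    if key_id != envelope["key_id"]:
        raise ValueError("envelope references a key this jurisdiction does not hold")
    nonce = base64.b64decode(envelope["nonce"])
    ct = base64.b64decode(envelope["ct"])
    expected = _tag(key, nonce, _aad(envelope["origin"], key_id), ct)
    if not hmac.compare_digest(expected, base64.b64decode(envelope["tag"])):
        raise ValueError("authentication tag mismatch: envelope was modified")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(plaintext)


def csp_sees_only_ciphertext(envelope: dict, record: dict) -> bool:
    """Audit what the processor can read: no field value of the record appears in the stored envelope."""
    stored = json.dumps(envelope)
    return not any(str(value) in stored for value in record.values())


if __name__ == "__main__":
    # Constructed sample record; the values are placeholders, not real personal data.
    rec = {"name": "Example Person", "email": "person@example.invalid"}
    env = seal_for_cloud(rec, "DE")
    print("stored at CSP:", env)
    print("CSP sees only ciphertext:", csp_sees_only_ciphertext(env, rec))
    print("decrypted in-jurisdiction:", open_from_cloud(env))
```

Two design points carry the compliance argument: the key is chosen from the record's origin and the lookup raises when no key is held for that jurisdiction, so data from an uncovered territory is never silently encrypted under a foreign key; and the origin and key id are bound into the authentication tag, so an envelope relabelled to another jurisdiction fails to open rather than being decrypted under the wrong key.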