EU GDPR Compliance
GDPR takes a non-prescriptive approach when it comes to technology, but organizations must show they have taken appropriate measures to ensure the security and privacy of EU citizens' data and to prevent unlawful access. Experts anticipate that the market will define standards over time, but organizations should expect that confirming encryption measures are in place to secure and control data will be among the first steps regulators and legal teams take when investigating GDPR compliance.
The Vaultive Cloud Security Platform is a unified security and governance solution that helps IT security teams proactively protect sensitive user activities and data across an organization’s cloud footprint through a combination of encryption and policy controls. Our approach simplifies GDPR compliance by ensuring that information is never left exposed in cleartext on a cloud service, regardless of the location of the provider’s infrastructure. Control of and access to the data (by means of the encryption keys) remains with the party ultimately responsible for data security under GDPR: you, the customer.
Vaultive encrypts data before it is transmitted to the cloud, using keys that remain under the exclusive control of the data owner. Data is encrypted with industry-standard AES-256 for strong security and performance. The Vaultive platform also appends specially protected metadata that allows essential server-side functions, such as indexing, search queries, and sorting, to be performed without ever decrypting the core data payload in the cloud.
This metadata also preserves the statelessness of the Vaultive platform by removing the need for any on-premises data index, which greatly simplifies infrastructure scaling and failover.
Under the GDPR, requirements for breach notifications have become much stricter. Organizations using strong encryption and policy controls can not only demonstrate that they are taking appropriate steps to mitigate risk, but also reduce the impact of a breach, protecting brand reputation and financial resources by reducing the notification obligations that apply if a data breach occurs.
In addition to simplifying GDPR compliance, automatically encrypting data before it is exposed to the cloud and enforcing policy controls ensures segregation of duties, a must for best-practice cloud security. By defining clear roles, an organization can position itself unambiguously as the data controller and leave the cloud service provider (CSP) to do what it does best as a data processor: delivering and maintaining applications and infrastructure.
GDPR places limitations on data transfers in order to protect the data and privacy of EU citizens. By encrypting data before it leaves your trusted network and choosing a solution that supports multiple keys, an organization can ensure that data originating from a specific country is never exposed as cleartext outside that territory and that the encryption keys to unlock it reside only within the organization’s jurisdiction. This is a simple way for organizations to address data transfer requirements without the limitations of local data centers.
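As an added illustration of the two mechanisms described above (encrypting before upload under a customer-held key while attaching protected metadata the cloud can index, and selecting the key by the jurisdiction the data originates from), here is a small Go program. It is example code written for this page, not Vaultive's implementation: the envelope layout, the HMAC-derived search token, the `KeyRing` type and the region labels are all assumptions, and the keys are randomly generated sample keys rather than keys from a real key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Envelope is what the cloud stores: AES-256-GCM ciphertext plus a keyed
// search token. The layout is a constructed example, not Vaultive's format.
type Envelope struct {
	Region      string // jurisdiction whose key protects the record
	Nonce       []byte // unique per record
	Ciphertext  []byte // includes the GCM authentication tag
	SearchToken []byte // HMAC of the normalised value; the cloud indexes this
}

// KeyRing maps a jurisdiction to its 256-bit key (sample keys here; real ones
// would live in the customer's key store, never in the cloud).
type KeyRing map[string][]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // only if the OS CSPRNG is unavailable
	}
	return b
}

// keyFor fails closed: data from a jurisdiction with no key is never
// protected with a key held in another territory.
func (kr KeyRing) keyFor(region string) ([]byte, cipher.AEAD, error) {
	k, ok := kr[region]
	if !ok || len(k) != 32 {
		return nil, nil, fmt.Errorf("no 256-bit key for jurisdiction %q", region)
	}
	block, _ := aes.NewCipher(k)   // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return k, gcm, nil
}

// tokenFor derives a separate token key from the data key, then HMACs the
// canonicalised value so equality matches ignore case and outer whitespace.
func tokenFor(dataKey []byte, value string) []byte {
	tk := hmac.New(sha256.New, dataKey)
	tk.Write([]byte("search-token"))
	m := hmac.New(sha256.New, tk.Sum(nil))
	m.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return m.Sum(nil)
}

// SearchToken is computed on-premises for a query, because it needs the key.
func (kr KeyRing) SearchToken(region, value string) ([]byte, error) {
	dk, _, err := kr.keyFor(region)
	if err != nil {
		return nil, err
	}
	return tokenFor(dk, value), nil
}

// Protect encrypts a field before it leaves the trusted network and attaches
// the search token. The region label is bound as associated data so a record
// cannot be silently re-attributed to another jurisdiction.
func (kr KeyRing) Protect(region, value string) (Envelope, error) {
	dk, gcm, err := kr.keyFor(region)
	if err != nil {
		return Envelope{}, err
	}
	nonce := randBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, []byte(value), []byte(region))
	return Envelope{Region: region, Nonce: nonce, Ciphertext: ct, SearchToken: tokenFor(dk, value)}, nil
}

// Unprotect decrypts on-premises; a tampered payload or region label fails the tag check.
func (kr KeyRing) Unprotect(env Envelope) (string, error) {
	_, gcm, err := kr.keyFor(env.Region)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Region))
	if err != nil {
		return "", fmt.Errorf("integrity check failed: %w", err)
	}
	return string(pt), nil
}

// CloudMatch is the only step that runs in the cloud: it compares indexed
// tokens with the query token and never sees a key or cleartext.
func CloudMatch(index []Envelope, token []byte) []int {
	var hits []int
	for i, e := range index {
		if hmac.Equal(e.SearchToken, token) {
			hits = append(hits, i)
		}
	}
	return hits
}
```

Build a ring with `KeyRing{"DE": randBytes(32), "FR": randBytes(32)}`, call `Protect` on-premises before upload, and hand only the `Envelope` to the cloud. The cloud can answer an equality query by matching the token it is sent, but holds no key and cannot recover the payload; a record protected under the FR key does not match a DE query even for an identical value, which is what keeps a jurisdiction's data unreadable outside it. The trade-off of any searchable metadata of this kind is that deterministic tokens reveal which records share a value, so it is worth attaching them only to the fields that genuinely need server-side lookup.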
Some critics predict that providers may be viewed as controllers due to their standard operations of collecting data for analytics and troubleshooting. Organizations can overcome uncertainty around evolving roles by ensuring their CSP never has access to their cleartext data.