General Data Protection Regulation (GDPR) compliance

GDPR overview

The General Data Protection Regulation is here. The GDPR is designed to improve personal data protections and increase organisational accountability for data breaches. With potential fines of up to four percent of global revenues or 20 million EUR (whichever is higher), the regulation certainly has teeth. No matter where your organisation is located, if it processes or controls the personal data of EU residents, you need to be ready.

Specific requirements

Some of the key provisions of the GDPR require organisations to:

• Process personal data in a manner that ensures its security, “including protection against unauthorised or unlawful processing” (Article 5)
• Implement technical and organisational measures to ensure data security appropriate to the level of risk, including “pseudonymisation and encryption of personal data". (Article 32)
• Have in place "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing". (Article 32)
• Communicate “without undue delay” personal data breaches to the subjects of such breaches "when the breach is likely to result in a high risk to the rights and freedoms" of these individuals. (Article 34)
• Safeguard against the "unauthorised disclosure of, or access to, personal data". (Article 32)

Encrypt both structured and unstructured data

CipherTrust Transparent Encryption provides the kind of "state of the art" file-based data protection the GDPR specifies. Using CipherTrust Transparent Encryption, your organisation can render private data unintelligible to a cyber-intruder even in the event of a breach, thereby avoiding the breach notification requirement outlined in Article 34.

The Article states that notification to the data subject shall not be required if the organisation "has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption".

In addition to avoiding a costly breach notification process, you can prevent substantial reputational damage resulting from a publicised breach.

Prevent unauthorised access to personal data

Thales products and solutions help our customers prevent unauthorised access to personal data, thus enabling compliance with Article 32. Specifically, our CipherTrust Data Security Platform enables separation of duties between privileged administrators and data owners and supports two-factor authentication.

Test, assess and evaluate data security effectiveness

CipherTrust Security Intelligence produces detailed security event logs that are easy to integrate with Security Information and Event Management (SIEM) systems to produce the kind of security reports necessary for GDPR compliance. These enterprise network security information logs produce an auditable trail of permitted and denied access attempts from users and processes, delivering unprecedented insight into file access activities. These enterprise network security information logs can report unusual or improper data access and accelerate the detection of insider threats, hackers, and the presence of advanced persistent threats that defeat perimeter security.