In a world of intellectual property theft, data breaches, and other cybercrimes, businesses are under intense pressure to protect sensitive data. This has only been heightened by the EU’s introduction of General Data Protection Regulation (GDPR). Worryingly, a fifth of UK organisations don’t understand the impending regulatory requirements. We asked them about GDPR preparation and found that that 21 per cent have no understanding of the impending General Data Protection Regulation (GDPR) being introduced. A further 42 per cent in the UK have considered some aspects of the GDPR but not the pseudonymisation tools that the legislation recommends and approximately, one in five of those that have studied the pseudonymisation requirements admit that they are having trouble understanding it.
As a result, the panic is upon us and it is guaranteed that there is a senior executive losing sleep somewhere over the impending regulation. However, while the GDPR will force organisations to ensure compliance and reduce the risk of a data breach, it will also help them to usher in a new wave of IT innovation. In fact, as organisations look at how they store, manage and secure data as part of compliance demands, there is a real opportunity to think about how data can be better used.
So, what are the steps that businesses need to take to comply by 2018 and hone innovation?
A data first approach
While data masking provides organisations with a tool that fits key challenges emerging from the GDPR, businesses must apply it with a “data first” approach that involves greater awareness of how data changes and moves over time, and how to better control it. Specifically, businesses will be most effective in achieving pseudonymisation through masking if they address the following questions:
Where is your data?
Enterprises create many copies of their production data for software development, testing, backup, and reporting. This data can account for up to 90 per cent of all data stored and is often spread out across multiple repositories and sites. Businesses that understand where their data resides – including sensitive data located in sprawling non-production environments – will be better equipped to allocate protective measures.
How do you govern & deliver your data?
Although many large organisations now have Chief Data Officers there is confusion over who owns data protection, with the responsibility often being shared between compliance, risk, security or IT executives. Even those that do have them, may not have adequate control over how data is moved and manipulated. That’s because individual business units – each with their own administrators, IT architects, and developers – often define data-related processes at the project level, with little or no corporate policy enforced or even available. Businesses addressing the GDPR must take steps to regain data governance and introduce tools that drive greater visibility and standardisation into processes such as data masking. GDPR does recommend the appointement of a Chief Data Protection Officer, which will go some way towards providing a consistent view across an enterprise. However, without the right tools, it’s an overwhelming task.
Current approaches to delivering data are highly manual and resource-intensive, involving slow coordination across multiple teams. Adding pseudonymisation to already cumbersome data delivery processes only adds to this burden and enterprises often end up abandoning efforts to make technologies like data masking work. One way this is being solved is by combining data masking with new data delivery platforms. Using these, businesses can simplify and automate the management and delivery of data, placing data masking into that automated workflow to ensure that masking is repeatable and an integrated part of the delivery process.
What role does pseudonymisation play in GDPR compliance?
The GDPR contains an express legal definition of ‘pseudonymisation’, describing it as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, if such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person.”
Put more simply, the GDPR explains that pseudonymised data is data held in a format that does not directly identify a specific individual without the use of additional information, such as separately stored mapping tables.
For example, “User ABC12345” rather than “James Smith” – to identify “James Smith” from “User ABC12345”, there would need to be a mapping table that maps user IDs to usernames. Where any such matching information exists, it must be kept separately and subject to controls that prevent it from being combined with the pseudonymised data for identification purposes. Data masking and hashing are examples of pseudonymisation technologies.
How do you deliver pseudonymisation via data masking?
Data masking essentially means the ability to replace a company’s sensitive data with a non-sensitive, “masked” equivalent while maintaining the quality and consistency needed to ensure that the masked data is still valuable to operational analysts or software developers. Although vendors have provided this technology for some time, the GDPR, which becomes law in 2018, dramatically elevates its relevance and importance.
Data masking represents the de facto standard for achieving pseudonymisation, especially in so-called non-production data environments used for software development, testing, training, and analytics. By replacing sensitive data with fictitious yet realistic data, masking solutions neutralise data risk while preserving the value of the data for non-production use.
There is a falsely held view that encryption satisfies GDPR requirements. Encryption certainly is highly valuable for data that is in transit and complimentary to data masking. However, in order for the data to be processed it has to be decrypted – exposing sensitive data to anyone that can access it. The test website in the Kiddicare breach is a good example where real data was used. Subsequently, a breach occurred and the data was stolen.
A new wave of innovation
When tackling these issues, we can take one of two approaches, either wallow in the complexity of imminent legislation or ride on the wave of innovation. Take the millennium bug for example, that also forced companies to review their systems to a deadline. Yet, many used it as an opportunity to transform legacy applications, and the same can apply to GDPR. Especially when CEOs consider the potential cost of GDPR fines. A choice between 4 per cent of global turnover, or investing a fraction of that in modernising data platforms suddenly drives the speed of change. Yes, GDPR may mean new levels of compliance, but it will also provide the opportunity to excel in a data led economy.
The advantage is that compliance, however strict, will undoubtedly result in a more comprehensive approach to data. The new data-driven landscape will pave the way for data-led innovation which has the potential to make businesses more secure, robust and resilient, accelerate business initiatives and ultimately, birth new competitive strategies. Not only will the enterprise be able to make more sense of its data, by default, it will also be able to use those data insights to deliver more value.
Ultimately, we can’t shy away from the consequential shift around GDPR but we can view it as an opportunity to reconstruct and refine our businesses to be better aligned with the digital era. If we think of this as a positive advancement, look closely, and squint with one eye, there’s almost a light at the end of the tunnel.
By Iain Chidgey, general manager and vice president, EMEA at Delphix.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.