The importance of encryption in complying with the GDPR

The EU General Data Protection Regulation (GDPR) – perhaps the most comprehensive data privacy standard ever introduced – has now been in force for almost six months. During this time, it has impacted every individual or business, large or small, that either ‘controls’ or ‘processes’ the data of EU citizens. Canadian data analytics firm, AggregateIQ, for example, became the first organisation to be served with a formal notice by the UK’s Information Commissioner’s Office (ICO) for processing citizens’ data for ‘purposes which they would not have expected’, and Facebook is facing a possible fine of up to $1.6bn for the recent data breach that may have affected the accounts of up to 50 million users.

The number of reported breaches, in particular, has quadrupled since the introduction of the GDPR, with the ICO’s reporting hotline now receiving around 500 calls a week. Although this doesn’t necessarily mean that the actual number of breaches has risen, it does signal a heightened awareness among businesses of their responsibility to promptly report any potential breaches.

According to Article 34 of the new regulation, however, if an organisation is breached but can demonstrate that ‘appropriate […] measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is unauthorised to access it, such as encryption’, it can avoid the requirement for reporting that breach.

With data breaches at an all-time high, it’s encouraging that 44 percent of businesses surveyed for the 2018 Thales Data Threat Report – European Edition cited encryption as the top tool for meeting new privacy requirements such as the GDPR, followed by tokenisation at 21 percent. More needs to be done, though, to comply with these new requirements, and minimise the need for breach reporting.

Investing in encryption

Critical to protecting data at rest, in motion and in use, encryption secures data to meet compliance requirements, best practices and privacy regulations. By way of illustration, in addition to Article 34’s requirements as outlined above, Article 32 of the GDPR requires organisations to ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […] including the pseudonymisation and encryption of personal data’.

European businesses are now beginning to recognise its value, identifying encryption technologies – bring-your-own-key (BYOK), tokenisation, hardware security modules (HSMs), and enabling cloud-native encryption technologies – as four of the top five data security tools planned for implementation over the next 12 months.

Indeed, data-at-rest solutions were rated as the best means of protecting an organisation’s data, with almost three quarters of European businesses labelling them as ‘very’ or ‘extremely’ effective. Despite this, however, such tools were seen as the lowest priority for increases in IT security spending, behind endpoint and network defences, neither of which is wholly effective against attacks designed to compromise data.

According to Garrett Bekker, Principal Analyst, Information Security, at 451 Research, “Firms should consider greater use of encryption and BYOK, especially for cloud and other advanced technology environments to both address growing compliance mandates and also to move closer to industry best practices.”

Under pressure and overwhelmed

The introduction of the GDPR has put organisations under considerable pressure to minimise the risk to any personal data they hold and ensure that any breaches that do occur are promptly reported to regulators and affected parties if deemed necessary.

Given the extent of the new regulations, how firmly they are being enforced, and the potential penalties for non-compliance, it’s perhaps unsurprising that many organisations are currently a little overwhelmed. As we’ve seen, there is currently a risk of breaches being ‘over-reported’ and, according to a recent report, 70 percent of businesses across the world have been unable to fulfil requests from individuals for a copy of their personal information within the one-month time limit as set out under the regulations.

GDPR compliance is a massive undertaking, and knowing the tasks you must manage to achieve compliance is the first step. Indeed, complying with the GDPR is multi-faceted, but its stringent requirements can be met, particularly if companies harness encryption methods. By investing in encryption technology for data, whether at rest, in motion, or in the cloud, organisations everywhere will find themselves better equipped to meet the challenges of an ever-growing threat landscape, meet the requirements of the GDPR, and address the privacy concerns of every EU citizen whose data might traverse their network.


By Peter Carlisle, VP EMEA, Thales eSecurity
