If you’re in the business of data, it’s time to start planning. The General Data Protection Regulation (GDPR) comes into effect in exactly two years, but it could take businesses that long to prepare to meet the compliance requirements of the new law. And if you don’t? The fines are heavy – up to 4% of global turnover for the previous year.
“Two years sounds like a long time, but businesses big and small need to get their house in order before it’s too late,” says Mark Lomas, a senior consultant at Capgemini, who stresses that it’s not just EU-based organisations that need to watch out. “Any business that gathers personal information regarding EU residents will be subject to the compliance rules, regardless of whether that business is in the EU or not.”
But exactly how can businesses ensure that personal data is anonymised, and therefore not usable by anyone other than the intended owner?
Significant IT investment
What’s certain is that achieving compliance with the GDPR is going to be expensive. “According to a survey my company conducted amongst 300 European IT professionals, nearly 70% said they’d need to invest in new technologies or services to help prepare the business for the impact of the GDPR,” says Michael Hack, SVP of EMEA operations at Ipswitch. “Those technologies were encryption tools (62%), analytics and reporting (61%), perimeter security (53%) and file sharing solutions (42%).”
Keeping data in the EU
One consequence of the GDPR could be a surge in the popularity of cloud server hosting in Europe. “Companies are increasingly looking at technical solutions such as ensuring that data is not transferred to the US, but instead kept on servers in the EU, or anonymising personal data prior to any transfer,” says Kolvin Stone, global co-chair, cybersecurity and data privacy at law firm Orrick. However, cloud hosting providers in the US may not be aware of the upcoming change in European law governing stored data, so check before uploading.
Anonymising personal data
Anonymising data is key – once that’s done, the restrictions essentially evaporate. “Technology already exists to anonymise personal data, and legal permissions and exceptions exist under EU and UK law allowing for anonymised data to be used with only limited restrictions,” says David Hall, Senior Associate, Mills & Reeve. However, while permanently anonymised data then falls out of the scope of the GDPR, there is one major drawback.
“This kind of data has limited value, and is likely to be useless for many purposes,” says Nicky Stewart, Commercial Director at Skyscape Cloud Services. “If it is possible to de-anonymise the data, it is likely to come back into the scope of the law,” she says, adding that this complex area will only be made more so by the GDPR. “The scope of what comprises personal data becomes very much wider than today,” she adds. That brings to the fore another technique: pseudo-anonymisation.
If the GDPR prevents organisations sharing complete data ‘appropriately’, don’t worry; there’s a tech for that, too. “There are technologies that will pseudo-anonymise information in a reversible manner, such as when the information leaves the organisation, names and other identifying pieces of information are translated to something meaningless,” says Guy Bunker, a Senior Vice President at cybersecurity specialist Clearswift.
He explains that ‘Mr Smith’ can be replaced by ‘Person A’, which is then processed by third parties and, when returned, can be re-translated to the original personal data. “This works in some cases, however, when the third-party data processor needs access to the actual information, it obviously won’t work,” he says.
A cloud access security broker (CASB) can be used to enforce security policies each time the cloud-based data is accessed, from authentication and credential mapping to device profiling and the next tech we’ll discuss – encryption.