In May 2018, the European Union (EU) enacted the General Data Protection Regulation (GDPR), a sweeping overhaul of the EU’s data privacy laws that reshaped the way organizations across the region and globe approach data privacy. In two previous blogs—The Aftershock of GDPR, Part 1 and Tokenization + Security-as-a-Service, Part 2—we provided an overview of the regulatory framework and a description of how tokenization and security-as-a-service (SECaaS) can help organizations meet the new requirements.
As we approach the one-year anniversary of GDPR’s establishment, we’re reflecting on how it has affected global businesses and their customers, the challenges it has posed, and key takeaways for organizations seeking to thrive under the new regulations.
A European law with global reach
One of the most significant impacts of the new privacy law is its global reach. GDPR applies not only to European companies, but to any organization storing European residents’ data. As such, it has altered privacy expectations for nearly all global and multinational companies.
That contributes to the complexity of GDPR compliance: companies with customers around the world must not only meet its requirements but also harmonize them with other regulatory regimes, including PCI DSS, HIPAA, HITRUST, and other national and international privacy laws. The goal is a unified framework that ensures compliance with all requirements at once.
During a recent webinar on this topic, Armor conducted a poll of participants to gauge the global reach of companies represented. We found that of those companies, 82% have global customers vs. just 5% who only obtain data for U.S. residents, while 13% noted they are not sure where their customers reside.
A struggle to meet new compliance requirements
Despite this complexity, and the other challenges described below, not all organizations devote resources to this kind of holistic compliance effort. We found that 30% have a full department dedicated to GDPR compliance and another 35% have dedicated personnel to assist in-house counsel with compliance. Approximately 35% said they’ve only done the minimum to comply and hope they won’t have to do more. This wide spread of responses is where the difficulty of the transition lies.
The cost of compliance can be substantial. There have already been more than 59,000 data breaches under GDPR, costing companies $114 billion in 2018 and an estimated $125 billion in 2019. Furthermore, 91 companies have been fined for failing to comply with GDPR, including well-known and respected companies like Facebook, Equifax, Google, and Uber. These fines show that no one is too small or too big to come under fire and that regulators are taking the privacy of their citizens seriously.
Organizations know it’s in their best interests to comply, but a variety of obstacles hold them back. Our poll determined that some of the greatest challenges companies face in creating a security-focused organization include security skill shortages (50%), cost (46%), lack of leadership buy-in (38%), stubborn end-user adoption (25%), and difficulty finding the right partners (21%). With significant fines and no exemptions, the question becomes, “Can your business afford and survive a security breach?”
Adapting to a new definition of personal data
One key element of GDPR expands the definition of personal data to include not just standard contact information like name, address, phone number, and email, but evolving categories like biometric data, IP addresses, and geo-location. Organizations seeking compliance need to either reduce the amount of personally identifiable data that can be breached or implement appropriate technical and organizational measures that ensure the protection of personally identifiable data. With the expanded definition of PII, and considering the number of devices an individual or a single household owns and uses every day, this can be a very daunting task. By pseudonymizing and anonymizing data, organizations can reduce their risk and that of their customers and other stakeholders.
Several sections in the GDPR concern pseudonymization, including:
Article 6: Lawfulness of processing
If you are a data controller who has a valid reason—other than consent from the data subject—for the processing of his or her personal data “for a purpose other than that for which the personal data have been collected,” Article 6(4)(e) obligates you to use “appropriate safeguards, which may include encryption or pseudonymization.”
Article 17: Right to erasure
Article 17 allows a data subject to request that a controller delete his or her personal data in its entirety. Under Article 12(2), pseudonymization of data may provide some relief regarding Article 17 compliance.
Article 25: Data protection by design and default
The GDPR requires “data protection by design and by default.” Article 25(1) specifically obligates controllers to “…implement appropriate technical and organizational measures, such as pseudonymization.”
Article 32: Security of processing
Article 32(1) obligates controllers as well as processors to “implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk,” including pseudonymization of personal data.
Article 33: Notification of a personal data breach to a supervisory authority
The GDPR specifies new requirements for notification in the event of a breach of personal data. Under Article 33(1), a controller is required to notify supervisory authorities of a breach within 72 hours unless “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.”
Article 34: Communication of a personal data breach to the data subject
Similarly, Article 34(1) stipulates that data subjects must be notified “when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons…”
As discussed in our previous blog, tokenization can help organizations meet these new requirements for protecting personal data. Tokenization is the process of replacing sensitive data with non-sensitive data known as tokens. It also can be used for the pseudonymization of data, making it an effective security and compliance measure that’s especially valuable for meeting GDPR requirements and protecting sensitive data sets.
SECaaS can streamline and augment the benefits of tokenization, giving organizations flexibility, automation, orchestration, and visibility in managing data privacy risks within a cloud-based environment.
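As an added illustration of the tokenization and pseudonymization described above (example code written for this page, not the blog’s own or TokenEx’s implementation), here is a minimal in-memory token vault: tokens are random values with no relationship to the PII, the vault mapping is the only link back, and deleting that mapping leaves every stored record holding the token unlinkable to the person, which is the kind of relief the Article 17 discussion refers to. The `TokenVault` class, the field names and the sample record are assumptions made for the example.

```python
import secrets
from typing import Dict, Iterable, Optional

# Added example (not the page's or TokenEx's code): a vault-based
# tokenization service. Tokens are random, so a breached record set
# reveals nothing about the data subject; the vault mapping is the
# sensitive asset and is what access control and monitoring must cover.


class TokenVault:
    """Maps random tokens to original PII values (constructed, in-memory)."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the existing token so one person is pseudonymized
        # consistently across records (needed for joins and analytics).
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_value.get(token)

    def erase(self, value: str) -> bool:
        """Erasure-style deletion: drop the mapping so every record that
        still holds the token can no longer be linked to the person."""
        token = self._value_to_token.pop(value, None)
        if token is None:
            return False
        del self._token_to_value[token]
        return True


def pseudonymize_record(vault: TokenVault, record: dict, pii_fields: Iterable[str]) -> dict:
    """Return a copy of record with the named PII fields replaced by tokens."""
    out = dict(record)
    for field in pii_fields:
        if out.get(field) is not None:
            out[field] = vault.tokenize(str(out[field]))
    return out


if __name__ == "__main__":
    vault = TokenVault()
    rec = {"email": "alice@example.com", "ip": "203.0.113.7", "plan": "pro"}  # constructed sample
    pseudo = pseudonymize_record(vault, rec, ["email", "ip"])
    print(pseudo)  # tokens instead of email and IP address
    vault.erase("alice@example.com")
    print(vault.detokenize(pseudo["email"]))  # None: the token is now unlinkable
```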
Key takeaways for 2019
We’ve learned a great deal in the first year of GDPR implementation, but the situation is still evolving. As we embark on the framework’s second year, here are some key takeaways for global organizations striving to comply.
- GDPR is not going away. More and stricter variations are likely in the years to come.
- Consent and access are KEY. The law is applicable where the consumer resides, not where business is conducted.
- Regulations will get more complicated. If you can get a handle on GDPR, other country and state laws that follow will be easier to grasp and understand.
- Organizations need a data-centric strategy that will protect consumers’ data.
- Multiple departments, including legal and compliance, will need to work together to implement regulations across organizations.
- Starting sooner rather than later on documentation and pseudonymization is the key to business survival.
- The stakes are high. Sixty percent of small businesses fail within 6 months of a breach. Even survivors require significant monetary investments in brand reputation.
- The combination of pseudonymization and data security is a long-term solution amid increasing regulation.
- The best approach is a top-down strategy that integrates risk management and cybersecurity into the business strategic plan. Ensure all business leaders, decision makers, and IT teams are reaching toward the same goal.
Keeping up with an evolving regulatory environment
Today’s threats are real, and stringent compliance obligations, such as GDPR and PCI DSS, penalize organizations for not protecting themselves. By combining tokenization and SECaaS for a complete security solution, customers of Armor and TokenEx can safely meet multiple compliance obligations and keep up with the ever-shifting cybersecurity and regulatory landscapes.
For more information on how TokenEx and Armor can help you meet GDPR standards, download the “GDPR and the Future of Privacy” ebook here.