John Noltensmeyer | Head of Global Privacy and Compliance Solutions, TokenEx

In the last blog, we discussed the new GDPR standards, what they mean for organizations and individuals, and the ripple effect as other countries implement similar legislation. With so many governments beginning to take data protection more seriously, it’s important to understand the different resources available as we experience an ongoing cultural and technical shift in cybersecurity.

Both tokenization and Security-as-a-Service (SECaaS)providers are answering the call for robust, yet simplified, security and compliance.

Crash course in tokenization

As discussed in Part 1 of this blog series, there are a multitude of non-prescriptive obligations within the GDPR, including the strict requirements for data breach reporting and the implementation of appropriate technical controls to protect personal data. Tokenization plays a significant role in meeting these requirements and protecting sensitive datasets.

Tokenization can be used for the pseudonymization of data, meaning it replaces sensitive data with tokens. For example, instead of keeping an individual’s identification number, date of birth and address on-premise behind perimeter security devices like firewalls, all that personal data can be turned into a token and removed from your environment and securely vaulted in a tokenization provider’s cloud. With the right security controls in place, the information can be temporarily detokenized when the information is required for processing or is requested by the data subject. In the event an individual requests to be forgotten, one can simply delete the token on the tokenization provider’s system to comply with that request.

Another benefit of tokenization is that in the event of a data breach, an organization may not have to notify the affected individuals. If a threat actor infiltrates your environment, the only information they could exfiltrate is tokens rather than PII. In effect, no data breach has actually occurred.

Although this scenario has been specific to protecting personal data, tokenization spans a variety of industries. In fact, TokenEx–a company specializing in tokenization–developed their ground-breaking solution for the purpose of securing payment card information and later expanded beyond the payment card industry. Additionally, tokenization is often used within the healthcare field for de-identifying and sharing medical research across environments without compromising patient information.

SECaaS + Tokenization

Organizations affected by GDPR or those preparing for similar regulations in the not-so-distant future are leaning on providers such as Armor and TokenEx to help efficiently and effectively secure their environments while also meeting compliance standards. Moving away from stand-alone tools and managed detection and response (MDR) or managed security service providers (MSSPs), organizations are seeking flexibility, automation, orchestration, and visibility in their cloud environments.

SECaaS providers offer these security conveniences, taking the challenge out of complex environments. Similarly, tokenization helps reduce the challenges of managing your security posture by simply eliminating the risk of sensitive data being stolen from your environment.

Companies collect different types and amounts of data daily, but truly only need to access an individual’s personal information a handful of times throughout the year. Storing sensitive information on premise, even with the strongest security posture, still poses a risk of a data breach. Partnering with and using tokenization and SECaaS providers is a way to mitigate those risks and focus on maintaining and building your business.

So, how are SECaaS and tokenization providers addressing the primary tenants of the GDPR?

Geographical Scope – With the GDPR’s global scope, it begs the question not only of “Are you compliant?” but more importantly “Are you secure everywhere and from everyone?” Most organizations do not have the resources for true 24/7/365 global protection, detection, and incident response for the sensitive data they process. SECaaS providers can fill this gap in an organization’s defenses, while tokenization can diminish the risk in the event of a breach.

Penalties – An organization found to be willfully or intentionally in violation of the GDPR is subject to administrative penalties of 4% of annual turnover or €20 million–whichever is greater. Simple negligence of the data protection mechanisms in the GDPR can result in penalties of the greater of 2% of annual turnover or €10 million. By putting a specific financial penalty to paper for GDPR non-compliance, threat actors have essentially been provided a nice pricelist. Their ransomware ask is now a competitive “sale” against these GDPR penalties, which makes it increasingly important for companies to do their compliance due diligence now. Organizations simply focused on appeasing EU data protection authorities are overlooking the primary threat of a GDPR related fine.

Data Subject Rights Including Consent, Right of Access, and Right to be Forgotten – Under the GDPR, organizations are required to provide clear and concise explanations of how they intend to use an individual’s personal data, so that he or she can provide informed consent. Organizations are also obligated to provide the capability for an individual to request access to the data an organization is processing concerning him or her, as well as the nature of the processing. The individual must also be granted the capability to withdraw their consent for processing and request the organization delete his or her personal data. Having detailed data flows is essential to meet these data subject rights, as well as being able to properly protect the information. Tokenization can help address the right to be forgotten in particular, by enabling an organization to delete the token at their tokenization provider. This destroys the information associated with the token and prevents the organization from ever detokenizing or restoring the tokenized data. Consequently, any place that token is stored in an organization’s systems, including back-up files and disaster recovery sites, ceases to contain re-identifiable PII.

Breach Notification – As part of any breach notification process, business continuity and disaster recovery (BC/DR) must stay top of mind. Meeting the GDPR’s 72-hour notification requirement is only the start of the issue. Responding to and recovering from a data breach is where SECaaS can deliver. Similarly, if the personal data compromised in a breach has been de-identified using tokenization, an organization may not be obligated to notify the associated individuals.

Data Protection by Design – Article 25 of the GDPR obligates organizations to consider data protection by design and by default. Using a SECaaS and a tokenization provider are both ways in which a company can demonstrate their efforts to comply with the GDPR. Data minimization is also an important component of a data protection strategy-keeping only necessary data for the time required should be every company’s goal when handling PII and meeting both security and compliance standards.

Birds of a feather

Nearly 10 years ago, TokenEx combined cloud tokenization, encryption, data vaulting, and key management solutions to transform the security of payment card information. Realizing this same technology and security also could be applied to personal and healthcare information, the company quickly grew to become a global tokenization security leader.

TokenEx’s growth came with the increasing demands of properly securing its own cloud environment so that its customers could sleep easy at night. Thus, began TokenEx’s partnership with Armor–what makes more sense than two leading data protection companies joining forces for greater security? Since 2014, Armor has been securing TokenEx’s private cloud, providing improved performance along with unsurpassed security.

Today’s threats are no joking matter and companies are being faced with meeting stringent compliance obligations, like the GDPR, as well as industry standards such as the PCI Data Security Standard (PCI DSS). Being able to provide a complete security solution, including tokenization and SECaaS, enables customers of Armor and TokenEx to securely meet multiple compliance obligations and keep up with the ever-shifting cybersecurity and regulatory landscape.