As companies engage with customers and collect data, it’s important to respect and protect individual privacy. The members of the European Union (EU) are especially focused on ensuring data privacy, which is why they’ve developed the General Data Protection Regulation, or GDPR.
The GDPR was officially adopted in April of 2016, and is set to go into force in May of 2018. The regulation applies in any situation where an organization collects or processes data and the subject of the data is a citizen of the EU. That may not apply to every situation, but in our global, connected world it will certainly apply to a large percentage of organizations and interactions regardless of where the companies or individuals involved may live.
According to the European Commission – the body that developed the guidelines for the GDPR – personal data has a broad definition. It includes any information related to an individual – whether it pertains to their private, professional or public life. It includes data like name, home address, photos, email address, bank details, posts on social network platforms, medical information, or even a computer IP address. In a nutshell, individual privacy has a very broad scope under the GDPR.
A blog post from Vera explains, “While some of the tenets of the law are clear and straightforward (harmonize data privacy across Europe, protect and empower all EU citizens, and reshape the way organizations approach data privacy) there are a few areas where the language is vague and the technical challenges can be quite high.”
Like most regulations and compliance requirements, GDPR does not mandate specific solutions. The technology and threat landscapes evolve too quickly for prescriptive guidance. A more general description of the desired outcome allows organizations to interpret and adapt their solutions over time as the environment and attack techniques change.
The challenge organizations face is how to address things like requirements for personal information to be anonymized or encrypted, or the need to protect sensitive data from unauthorized access. Full compliance requires both encryption of data at rest and in transit, and also ensuring that private information covered under GDPR can only be accessed by authorized individuals.
GDPR requires that personal data be “protected by default” and that systems include “protection by design.” These are somewhat vague directives. Vera delivers both by protecting content in applications as well as on devices for situations where services don’t comply. With Vera, you can protect data automatically, no matter what kind of data it is or where it goes.
May of 2018 is coming fast. If your organization will be affected by GDPR you’d better be thinking about the requirements and how you plan to address them. A data-centric security approach like Vera can encrypt data, provide dynamic access controls, and automatically provide relevant logs to ensure only authorized individuals have access to the data.