GDPR Compliance Requirements

  1. This EU regulation has a far-reaching impact on organizations throughout the world.
  2. With the demise of Safe Harbor, U.S. companies that export and handle the personal data of individuals in the EU must also comply with the new requirements or face the same consequences.
  3. If your organization suffers a data breach, the following may apply under GDPR, depending on the severity of the breach:
  • Your organization must notify the supervisory authority and, where the breach is likely to result in a high risk to individuals, the affected data subjects
  • Your organization could be fined up to €20 million or 4% of global annual turnover, whichever is higher

However, GDPR does provide exceptions based on whether appropriate security controls were in place at the time of the breach. For example, a breached organization that has rendered the data unintelligible to any person not authorized to access it, such as through encryption, is not required to communicate the breach to the affected data subjects (Article 34(3)(a)). Two caveats apply: the exemption only holds if the encryption keys were not themselves compromised, and it does not remove the duty to notify the supervisory authority under Article 33 unless the breach is unlikely to result in a risk to individuals.

The chances of being fined are also reduced if the organization is able to demonstrate that a “Secure Breach” has taken place, i.e. that the exposed data was protected so that the breach caused no harm to the data subjects.

To address the GDPR compliance requirements, organizations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  • Servers, including via file, application, database, full-disk and virtual machine encryption.
  • Storage, including through network-attached storage and storage area network encryption.
  • Media, through disk encryption.
  • Networks, for example through high-speed network encryption.

In addition, strong key management is required not only to protect the encrypted data but also to make deletion effective: destroying the key under which a record was encrypted renders every copy of that record, including copies in backups and replicas, unrecoverable. This is how the right to be forgotten can be honoured across repositories that cannot practically be wiped one by one.
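The following Go program is an added illustration of deletion through key management (crypto-shredding); it is not Gemalto's code and is not part of the original page. It keeps one AES-256-GCM key per data subject in an in-memory map, which stands in for an HSM or KMS (an assumption), encrypts records under that key, and satisfies an erasure request by destroying the key, after which every blob sealed for that subject is unreadable. The type and function names (Vault, Seal, Open, Erase) and the sample record are illustrative constructions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Sentinel errors let callers tell "never had a key" from "key was erased".
var (
	ErrNoKey        = errors.New("no key for subject")
	ErrKeyDestroyed = errors.New("key destroyed: record is cryptographically erased")
)

// Vault keeps one AES-256 data-encryption key per data subject. Destroying that
// key makes every ciphertext stored for the subject unintelligible, which is the
// mechanism behind "deletion via key management". The map is an assumption that
// stands in for an HSM or KMS; a nil entry means the key has been destroyed.
type Vault struct {
	keys map[string][]byte
}

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// lookup returns the subject's key without creating one.
func (v *Vault) lookup(subject string) ([]byte, error) {
	k, ok := v.keys[subject]
	if !ok {
		return nil, ErrNoKey
	}
	if k == nil {
		return nil, ErrKeyDestroyed
	}
	return k, nil
}

// keyFor returns the subject's key, generating a fresh one on first use.
// An erased subject never gets a new key, so it cannot be silently re-created.
func (v *Vault) keyFor(subject string) ([]byte, error) {
	k, err := v.lookup(subject)
	if err == nil || errors.Is(err, ErrKeyDestroyed) {
		return k, err
	}
	k = make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[subject] = k
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record under the subject's key. The random nonce is
// prefixed to the ciphertext, and the subject ID is bound as associated data so
// a blob cannot be opened under another subject's key even if that key is known.
func (v *Vault) Seal(subject string, plaintext []byte) ([]byte, error) {
	key, err := v.keyFor(subject)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Open decrypts a blob produced by Seal. It returns ErrKeyDestroyed once the
// subject has been erased and an authentication error for a wrong key or subject.
func (v *Vault) Open(subject string, blob []byte) ([]byte, error) {
	key, err := v.lookup(subject)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(subject))
}

// Erase honours an erasure request by destroying the subject's key: the key
// bytes are overwritten, then the entry is marked destroyed. The ciphertexts may
// still exist in backups; without the key they cannot be recovered.
func (v *Vault) Erase(subject string) {
	if k := v.keys[subject]; k != nil {
		for i := range k {
			k[i] = 0
		}
	}
	v.keys[subject] = nil
}

func main() {
	v := NewVault()
	rec := []byte("name=Ada Lovelace;dob=1815-12-10") // constructed sample, not real data
	blob, _ := v.Seal("subject-42", rec)
	out, _ := v.Open("subject-42", blob)
	fmt.Printf("before erase: %q\n", out)
	v.Erase("subject-42")
	_, err := v.Open("subject-42", blob)
	fmt.Println("after erase:", err)
}
```

In a real deployment the key-destruction event, not the absence of the data, is the auditable evidence that an erasure request was fulfilled, so the Erase call should write to a tamper-evident log and the key should live in an HSM or KMS whose deletion is itself attestable.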

Organizations will also need a way to verify the legitimacy of user identities and transactions, and to prove compliance. It is critical that the security controls in place be demonstrable and auditable: an encryption or key-management control that cannot be evidenced to a supervisory authority after a breach does little to reduce liability.

Gemalto offers the only complete data protection portfolio that works together to provide persistent protection and management of sensitive data, which can be mapped to the GDPR framework.

No single solution will make an organization GDPR compliant. The regulation is too broad – covering everything from governance to contractual obligations. However, Gemalto’s SafeNet portfolio of solutions can help organizations comply with the mandate’s data security obligations.

Security requirements are interspersed throughout the law’s text. They can be grouped along the following themes:

  1. Data Control: GDPR expects organizations to stay in control of their data to ensure that it is accessed and processed by authorized users only when appropriate. The control requirements are covered in Articles 5, 25, and 32.
    • Only process data for authorized purposes
    • Ensure data accuracy and integrity
    • Minimize subjects’ identity exposure
    • Implement data security measures
  2. Data Security: GDPR puts security at the service of privacy. Security obligations are covered in Articles 6, 25, 28, and 32. To preserve subjects’ privacy, organizations must implement:
    • Data protection by design and by default
    • Security as a contractual requirement with their partners and service providers
    • Encryption or pseudonymization
    • Security measures that respond to their risk assessment
    • Safeguards if they are to keep data for additional processing
  3. Right to Erasure: Even after data is collected, individuals still have a claim to, and a certain amount of control over, that data. The ‘Right to Erasure’ is covered in Articles 17 and 28. GDPR requires organizations to completely erase data from all repositories when:
    • A data subject revokes their consent (‘Right to be forgotten’)
    • A partner organization requests data deletion
    • A service or agreement comes to an end
  4. Risk Mitigation and Due Diligence: Organizations must assess risks to privacy and security, and demonstrate that they are taking appropriate steps to keep privacy safe in light of their findings. These obligations are outlined in Articles 2, 24 and 28. To mitigate risks and perform due diligence, organizations must:
    • Conduct a full risk assessment
    • Implement measures to ensure and demonstrate compliance
    • Proactively help partners and customers comply
    • Demonstrate full data control
  5. Breach Notification: When a security breach threatens the rights and privacy of data subjects, organizations need to notify their supervisory authority and, in serious cases, the data subjects themselves. Breach notification obligations are outlined in Articles 33 and 34. Under GDPR, organizations are obligated to:
    • Notify their supervisory authority within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals
    • Describe the nature of the breach, its likely consequences and the measures taken in response
    • Communicate the breach directly to data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms