The General Data Protection Regulation, or GDPR, replaces the Data Protection Directive (“Directive”), which had been in effect since 1995. The GDPR became law in April 2016, but organizations were given a two-year grace period to comply; the effective date for compliance is May 25, 2018. The GDPR gives all EU nations a single set of rules that apply to every organization that processes personal data of EU citizens. The underlying idea is that every EU citizen has a fundamental right to privacy. To ensure compliance, the GDPR employs two tiers of financial penalties: up to 2 percent of annual global revenue or 10 million Euros for violations such as failing to notify a supervisory authority and affected parties about a data breach, or failing to appoint a Data Protection Officer (DPO) where one is required; and up to 4 percent of annual revenue or 20 million Euros for violations such as failing to honor data subjects’ rights, failing to comply with an order of a supervisory authority, or failing to comply with the requirements for international data transfers.
Most organizations today collect personal information about their customers, prospects or third parties in order to conduct their business more effectively. The data is generally stored in electronic format on a database server or a file server, which makes it easy to find for authorized users as well as for malicious actors. Forrester reports that in 2016 one billion records were compromised in just 12 months. In the first half of 2017 alone, 918 data breaches were reported that led to 1.9 billion data records being compromised worldwide, an increase of 164 percent compared to the first six months of 2016. Given the current climate, the GDPR is an attempt to curb this carnage by outlining how organizations are allowed to gather, use, maintain and finally destroy the personal data of EU citizens. It requires organizations to implement appropriate technical and organizational measures to prevent the loss or unauthorized use of personal data. Server General can help you put data security measures in place that could substantially decrease the potential for data loss and can assist you in complying with two very specific provisions of the GDPR, namely Articles 32 and 34.
“Data subject” – an individual domiciled in the EU.
“Personal data” – data that relates to a living individual who can be identified –
(a) from the data, or
(b) from the data and other information which is in the possession of, or is likely to come into the possession of, the data controller
“Controller” – an organization that either transmits, stores, or processes personal information of an EU citizen.
“Processor” – an organization that is involved in processing personal information of an EU citizen. A cloud service provider falls into this category.
Key Provisions of GDPR Related to Data Security:
[[From Article 32 of GDPR]] “The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks represented by the processing and the nature of the personal data to be protected, having regard to the state of the art and the costs of their implementation. The controller and the processor shall, following an evaluation of the risks, take the measures referred to in paragraph 1 to protect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorized disclosure, dissemination or access, or alteration of personal data.”
[[From Article 34 of GDPR]] In case of a data breach, the appropriate authorities and the data subjects must be informed “without undue delay” “when the breach is likely to result in a high risk to the rights and freedoms” of the data subject (i.e. the impacted party). However, the communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures shall render the data unintelligible to any person who is not authorized to access it.
What Constitutes a Data Breach?
- Accidental loss of data
- Loss of data due to a breach
- Malicious alteration of personal information
- Unauthorized access
- Unauthorized disclosure of information even without criminal intent
Server General TDE
Server General can help you secure data and comply with GDPR Article 34 – Server General TDE transparently encrypts personal information of EU citizens stored in a database server such as MySQL, MongoDB, PostgreSQL or CouchDB, or within a file server. Role-based access controls are used to prevent unauthorized access to the sensitive data sets. The “root” user is not part of Server General’s trust model and is therefore not granted access to the sensitive information. Server General TDE stores logging information outside the administrative domain of the interested parties, thereby making sure that recorded information can’t be altered to cover up malicious activity.
Server General TDE can help you comply with Articles 32 and 34 of the GDPR. Offered as Software as a Service (SaaS), Server General TDE makes it easy to set up, maintain, manage and administer data-at-rest encryption of sensitive information stored within a database server or a file server deployed anywhere – in a public, private or hybrid cloud.
The GDPR is the most comprehensive data privacy regulation to date. It requires that personal data be managed in a manner that helps ensure confidentiality – a task that must be accomplished with the help of both technical and organizational security measures. Moreover, the GDPR has teeth – fines that can be quite damaging. Ensuring that your business is GDPR compliant can be a complex task, particularly in large or complex organizations, and may require a great deal of work or specific expertise.