The European General Data Protection Regulation (GDPR) came into force in May 2018 and affects any global business that interacts with EU citizens. With fines of up to the greater of €20M or 4% of global revenues, it has the attention of most corporations doing business in Europe. Most organizations have initially focused on their obligations to identify privacy data, decide which privacy data they can retain, set up opt-in tracking capabilities for retaining privacy data not deemed essential, and meet the mandatory reporting requirements for responding to privacy data information requests and erasure requests. While all of this is necessary, it does not address what is probably the most critical aspect of GDPR, and where the true risk of enormous fines lies: how to stop privacy data breaches.
It is exactly this latter requirement that DataDivider addresses. Unlike PCI DSS, GDPR is not a prescriptive standard, so organizations have to determine their own security measures in order to meet the regulation. PCI DSS holds merchants harmless from breach fines if the merchant was deemed compliant with the prescriptive PCI DSS standard at the time of the cardholder data breach. There is no such “get out of jail free card” with GDPR. However, many of the lessons learned within PCI DSS can be applied to GDPR. No merchant to date has experienced an external party breach while PCI DSS compliant, i.e. the prescriptive security standard works. We can therefore extrapolate that if the prescriptive PCI DSS security controls are applied across privacy data, the likelihood of a GDPR breach will be extremely low.
The DataDivider suite of security solutions gives a business the opportunity to secure its privacy data to the same standards as PCI DSS. It does so at minimal cost and with the lowest risk of a potential breach. DataDivider’s ability to isolate privacy data at the point of capture, and to devalue this data before it is exposed to the business’s applications, ensures that the scope of GDPR privacy data is minimized. Because all access to privacy data can be managed through DataDivider’s Secure Browser, and detokenization of privacy data can be managed within DataDivider’s Secure Cloud, application architectures remain out of GDPR privacy data scope.
Likewise, all electronic communications of privacy data can be managed by the DataDivider Secure Cloud acting as a proxy between the business and the bona fide recipient of the privacy data. Because all tokenization and detokenization takes place within the Secure Cloud, and all presented information is managed within the Secure Browser, the business infrastructure is not exposed to privacy data. Where printed materials containing privacy data are required for external dissemination, third-party secure printing partners can be used rather than bringing internal networks back into scope.