The General Data Protection Regulation (GDPR) compliance deadline of 25 May 2018 is approaching quickly, and it impacts not only businesses that are located in the European Union, but organizations all over the world that handle EU residents' data. Organizations that fall under its requirements are having to change the way they think about and handle the personal data they collect, store and process.
GDPR mandates are aimed at protecting the privacy of personal data, and specific responsibilities toward that end are laid squarely on the shoulders of both the data controllers (organizations that determine how personal data is processed) and the data processors (organizations that perform the processing of the data on behalf of the controller).
Locating and protecting data at rest is relatively easy, but data doesn’t stay still. It moves across the network, from controller to processor to third parties and back, even in and out of the country and the EU. Digital data can be copied and those copies can end up in unexpected places. GDPR compliance will require a strategy for dealing not just with stored data, but with data that’s always on the move.
With data moving around and changing format, just finding the personal data in order to apply protections can be a challenge. That’s where a good data identification and classification system comes in. The details of implementing data classification are beyond the scope of this article, but keep in mind that your data classification scheme lays the foundation on which protection of personal data is built.
Encryption is key
In Article 32, Security of Processing, the GDPR requires that both controller and processor “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Article 32(1)(a) then specifically calls out encryption (together with pseudonymization) as one of those measures.
Encryption is a key element in protecting both data at rest and data in transit, but different technologies are used for each, and it’s important to remember that not all encryption is created equal. A note on terminology: MD5 and SHA-1 are hash functions, not encryption algorithms, but they illustrate the point well because both are now broken for collision resistance and should not be used in the signatures and certificates that protect personal data. On the cipher side, DES, RC4 and short (export-grade) keys are no longer adequate; use current, well-reviewed algorithms such as AES or ChaCha20 with current protocol versions. The same applies to virtual private networking (VPN) protocols: some are far more secure than others.
When symmetric password-based encryption is used, the password is effectively the key, so it is essential that it be a strong one: the longer, the better; avoid dictionary words and numbers that are easily guessed; use a password generator or another random source. The software side matters just as much: never use the password directly as the key, but run it through a slow, salted key derivation function (PBKDF2, scrypt or Argon2) so that an attacker who obtains the ciphertext cannot test millions of guesses per second.
Remember, too, that encryption by itself provides only confidentiality; it does not ensure authenticity or integrity. An attacker who cannot read an unauthenticated ciphertext may still be able to modify it so that it decrypts to something different. Use authenticated encryption (for example AES-GCM or ChaCha20-Poly1305) or an encrypt-then-MAC construction so that tampering is detected, and combine encryption with strong authentication of the users and systems that are allowed to decrypt.
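The following is an added example, not code from the original article, showing the two points above together: a password stretched through a salted KDF into separate encryption and MAC keys, and why the MAC is needed. The stream cipher (HMAC-SHA256 in counter mode) is a demonstration construction chosen only because it needs nothing outside the Python standard library; in production use AES-GCM or ChaCha20-Poly1305 from a vetted library. The password, record contents and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Layout of a sealed blob: salt(16) | nonce(16) | ciphertext | tag(32)
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
PBKDF2_ITERATIONS = 200_000  # assumption: raise until derivation takes ~0.5 s


def derive_keys(password: bytes, salt: bytes):
    """Stretch the password with salted PBKDF2-HMAC-SHA256 into two
    independent 32-byte keys: one for encryption, one for the MAC."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demo stream cipher: HMAC-SHA256 used as a PRF in counter mode.
    Provides confidentiality only; nothing here detects modification."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                            hashlib.sha256).digest())
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(password: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_unauthenticated(password: bytes, blob: bytes) -> bytes:
    """What a decryptor that ignores the tag returns (the mistake)."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    enc_key, _ = derive_keys(password, salt)
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def unseal(password: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting. Returns None on
    a wrong password or a modified blob instead of returning garbage."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def flip_ciphertext_byte(blob: bytes, index: int, mask: int) -> bytes:
    """Attacker's bit-flip: XOR one ciphertext byte without knowing the key.
    With a stream cipher the same XOR lands on the corresponding plaintext byte."""
    edited = bytearray(blob)
    edited[SALT_LEN + NONCE_LEN + index] ^= mask
    return bytes(edited)


if __name__ == "__main__":
    pw = b"correct horse battery staple"   # constructed sample password
    record = b"amount=100"                  # constructed sample record
    blob = seal(pw, record)
    forged = flip_ciphertext_byte(blob, 7, 0x08)   # '1' (0x31) -> '9' (0x39)
    print(decrypt_unauthenticated(pw, forged))     # b'amount=900', silently accepted
    print(unseal(pw, forged))                      # None: tampering detected
    print(unseal(pw, blob))                        # b'amount=100'
```

The forged blob decrypts to a different amount without any error when the tag is ignored, which is exactly the integrity gap the paragraph describes; `unseal` refuses it. Note that the salt is stored with the data (it only needs to be unique, not secret), while the password and derived keys must never be.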
Don’t rely on users to encrypt data. Technological solutions can apply encryption by default and enforce your encryption policies for data according to its classification. If you store or process personal data in the cloud, choose your cloud vendor carefully. Know what data security measures the cloud provider has in place by default, and what optional security measures you can select to enable. For example, Microsoft Azure allows you to encrypt the virtual disks on which your Windows or Linux VMs (virtual machines) run.
Key management is a crucial factor in the security of encrypted data: encryption only moves the problem from protecting the data to protecting the key. Use strong key management solutions to protect encryption keys. Hardware Security Modules (HSMs) add protection when used to store the cryptographic keys because they are separate devices that act as protective vaults: the key never leaves the module, so a compromise of the server that holds the data does not also yield the key, as it would when the key is kept in software on the same host. An HSM still does not decide who may use the key, so access to it must be tightly controlled and logged.
Protecting personal data at rest
Organizations store many different types of personal data, collected from many different sources. Retail establishments and services operators maintain databases with contact and payment information from customers. Health care institutions keep detailed medical records pertaining to patients under their care. Companies of all types purchase and store lists of potential customers used in marketing and targeted sales, and their Human Resources departments keep on file personal information about their employees.
This data may be stored in a number of different formats – in database files, spreadsheets, word processing documents, PDFs, electronic forms, email, instant messages, and so forth. It may be stored in many different locations, including copies of the same data in backup files and archives, or carried over into summaries or reports, or saved to portable removable drives, or written to optical media. Personal data can also sometimes be found in log files, temp files, and other unexpected locations.
Data at rest is generally protected via access controls and encryption. Data stored on disk (including removable drives) can be encrypted via full-disk/full-volume encryption technologies or file-level encryption. Permissions can be set on files based on access control lists. Documents and spreadsheets can be password protected, although the strength of that protection depends on the application and file format (legacy office formats used very weak schemes), so treat application-level passwords as a convenience, not a substitute for disk or file encryption. Email can be encrypted with public key encryption or symmetric key encryption based programs or services.
It’s important to note that for purposes of the GDPR, all personal data must be protected, and that includes unstructured data as well as structured. It’s possible for personal data to reside in images or even videos, and these too must be protected. Structured data, such as that in a database, is easier to protect because it’s concentrated in one place, though database backups, replicas and exports must be covered as well. Unstructured data may be spread across multiple file servers, kept on the hard drives of individual users, copied to thumb drives or SD cards, and so forth.
To protect personal data in general, but especially in regard to unstructured personal data, clear policies and adequate training of users in the handling of personal data are vital.
Protecting personal data in transit
In theory, it’s also fairly easy to protect data in transit. As with data at rest, encryption plays the major role. Personal data should be encrypted prior to sending it across the network, and encrypted connections should be used to protect the contents of the personal data while it is being transferred.
As with data at rest, some methods of encrypting data in transit are better than others. For example, SSL (Secure Sockets Layer) is no longer considered secure: SSL 2.0 and 3.0 were formally deprecated by the IETF (RFC 6176 and RFC 7568) and replaced by TLS (Transport Layer Security). Version matters for TLS as well; TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so connections should require TLS 1.2 or later, and clients must actually verify the server’s certificate and hostname rather than merely encrypting to whoever answers.
In addition to encrypting the data, you can protect it while in transit by implementing best network security practices. That means good firewalls, strong (preferably multi-factor) authentication for network access, antimalware, and regular patching to prevent personal data from being exposed through malicious software and vulnerability exploits. These measures protect the endpoints and the network path; they do not replace encryption of the data itself.
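As an added example (not code from the original article), the following shows how a client configuration enforces what the paragraph above asks for, with the common careless configuration beside it and a small audit function that flags the difference. It uses Python’s standard `ssl` module and runs offline; the weak-cipher name patterns and the finding texts are the author of this example’s assumptions.

```python
import ssl

# Substrings that identify ciphers no longer acceptable for personal data
# (assumed list for this example; extend to match your policy).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "MD5", "EXPORT")


def hardened_client_context() -> ssl.SSLContext:
    """Client context for connections carrying personal data: TLS 1.2 or
    later only, certificate chain verified against the system trust store,
    and the hostname checked against the certificate."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def careless_client_context() -> ssl.SSLContext:
    """The anti-pattern: 'verify=False' to silence a certificate warning.
    The connection is still encrypted, but to whoever answers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version %s is below TLS 1.2"
                        % ctx.minimum_version.name)
    weak = [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))   # []
    print("careless:", audit_context(careless_client_context()))
    # Usage with the standard library, e.g.
    # urllib.request.urlopen(url, context=hardened_client_context())
```

Run `audit_context` over every context your code creates (or wrap context creation in one function) so a developer cannot quietly ship the careless variant; the same checks apply to server-side contexts, where the minimum version and cipher list are what matter.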
Use technological means to make encryption automatic when, for example, a user attaches a data file to an email message or copies it to a removable storage device. Use rights management to restrict what authorized users can do with the personal data files they work with; rights management can prevent them from forwarding email messages or copying or printing Word documents or Excel spreadsheets.
When personal data needs to be sent to or from a remote location, it can be protected by using a VPN to create an encrypted tunnel for it to move through. The protocol used to create the tunnel should be chosen carefully. PPTP should not be used at all: its MPPE encryption is built on RC4 and its MS-CHAPv2 authentication is broken, so a captured session can be decrypted by an attacker. L2TP/IPsec is sound when IPsec is configured with a modern suite (for example AES-256 for confidentiality and an HMAC-SHA-2 integrity check); the protocol itself does not guarantee 256-bit keys, the configuration does. OpenVPN runs over a TLS tunnel and likewise offers whatever strength its configured cipher, key size and TLS version provide; it is considered highly secure when a strong cipher is used. Whatever the protocol, confirm in the actual configuration which algorithms and key lengths are negotiated rather than relying on the product description.
Making personal data less personal: pseudonymization
In addition to specifying encryption as a means of protecting personal data, the GDPR also calls out the process of pseudonymization, which refers to the process of keeping data apart from personal identifiers, to decrease the risk of an individual’s privacy being violated if the data itself were exposed. When data has been pseudonymized, it can’t be linked to a specific identifiable person without the use of additional information that is kept in a separate location.
Pseudonymized data is still considered personal data under the GDPR and still must be protected, but the regulation explicitly encourages pseudonymization (Article 32(1)(a) lists it alongside encryption), and it can help organizations meet the GDPR security requirements. The key and the re-identification table are the “additional information” the regulation refers to: keep them on separate systems, under separate access controls, from the pseudonymized dataset.
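The following is an added example, not code from the original article, of keyed pseudonymization as described above: direct identifiers are replaced with an HMAC-based pseudonym, the key and lookup table stay with the controller, and the pseudonymized records can be handed to analysts or processors. It also shows why an unkeyed hash is not pseudonymization in any useful sense: anyone who can guess the identifiers can reverse it. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "dob": "1984-03-12", "diagnosis": "J45"},
    {"email": "bob@example.com", "dob": "1979-11-02", "diagnosis": "E11"},
    {"email": "alice@example.com", "dob": "1984-03-12", "diagnosis": "J30"},
]
DIRECT_IDENTIFIERS = ("email", "dob")   # assumed set of fields to strip


def identity_string(record: dict) -> str:
    """Canonical form of the direct identifiers, normalised so that case or
    whitespace differences do not yield two pseudonyms for one person."""
    return "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)


def naive_pseudonym(record: dict) -> str:
    """Unkeyed hash: looks anonymous but is reversible by guessing inputs."""
    return hashlib.sha256(identity_string(record).encode()).hexdigest()


class Pseudonymizer:
    """Keyed pseudonymization. The key and the lookup table are the
    'additional information' that must be kept separately from the
    pseudonymized dataset (assumed here to live on a different system)."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 32 random bytes")
        self._key = key
        self.lookup = {}   # pseudonym -> direct identifiers (controller only)

    def pseudonym(self, record: dict) -> str:
        # HMAC, not a plain hash: without the key an attacker cannot test guesses.
        return hmac.new(self._key, identity_string(record).encode(),
                        hashlib.sha256).hexdigest()

    def pseudonymize(self, record: dict) -> dict:
        """Strip direct identifiers and record how to undo it, separately."""
        p = self.pseudonym(record)
        self.lookup[p] = {f: record[f] for f in DIRECT_IDENTIFIERS}
        return {"subject_id": p,
                **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}

    def reidentify(self, pseudonymized: dict) -> dict:
        """Controller-side reversal using the separately held lookup table."""
        ident = self.lookup[pseudonymized["subject_id"]]
        return {**ident,
                **{k: v for k, v in pseudonymized.items() if k != "subject_id"}}


def dictionary_attack(target: str, candidate_records):
    """An attacker holding only the dataset hashes known identities and
    compares. Succeeds against naive_pseudonym; fails against HMAC output
    because the key is missing. Returns the matching candidate or None."""
    for rec in candidate_records:
        if naive_pseudonym(rec) == target:
            return rec
    return None


if __name__ == "__main__":
    p = Pseudonymizer(secrets.token_bytes(32))
    shared = [p.pseudonymize(r) for r in RECORDS]   # goes to analysts/processors
    for row in shared:
        print(row)
    # Both of Alice's records share one subject_id, so analysis can still
    # link them; only the controller can map that id back to a person.
    print(p.reidentify(shared[0]))
```

Two design points worth noting: the pseudonym is deterministic for a given key, so records for one person remain linkable for analysis, and using a different key per dataset or per recipient prevents two processors from linking their datasets to each other. Rotating the key is how you retire a pseudonym space without touching the underlying identities.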
If complying with the GDPR feels like trying to hit a moving target, that’s because personal data is, in fact, frequently moving – and that makes it more difficult to identify and protect. You can use a number of technologies, such as encryption and pseudonymization, to help keep data private whether it is at rest or in transit, but it’s essential that you know your options and choose carefully, work closely with your cloud provider, train users, and implement technological enforcements in order to meet your compliance goals.