And if so, are you doing it right? What are the best practices? Why use HSMs?
The key questions that companies need to ask themselves are:
The new EU GDPR, which comes into effect on May 25th 2018, defines the minimum standards for handling, securing and sharing personal data. The overall target of the GDPR directive is NOT to prevent the movement of data throughout or beyond the EU. On the contrary: the main target is to facilitate the movement of personal data, in a similar way to how the EU aims to facilitate the free movement of goods and persons. The GDPR also recommends the creation of standards, so that the exchange of data becomes easier. At the same time, however, it aims to protect an individual person’s right to own their personal data, to have it edited, removed and protected from abuse.
According to the GDPR “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (Article 4)
GDPR require you to take a number of measures, ranging from defining a Data Protection Officer to using “state of the art” technology to protect personal data.
The main mechanism the GDPR recommends to employ is that of pseudonymization, i.e. to ensure that the personal data in question cannot be abused, because it cannot be attributed to the person it belongs to thanks to the use of encryption. So even if the data is stolen, it is unintelligible and thus cannot be abused.