The key questions that companies need to ask themselves are: Why use HSMs? And if so, are you doing it right? What are the best practices?
The new EU GDPR, which comes into effect on May 25th 2018, defines the minimum standards for handling, securing and sharing personal data. The overall aim of the GDPR is NOT to prevent the movement of data within or beyond the EU. On the contrary: its main aim is to facilitate the movement of personal data, much as the EU facilitates the free movement of goods and persons. The GDPR also recommends the creation of standards so that the exchange of data becomes easier. At the same time, however, it protects an individual’s right to own their personal data and to have it edited, removed and protected from abuse.
According to the GDPR “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (Article 4)
The main mechanism the GDPR recommends is pseudonymization: processing the personal data so that it can no longer be attributed to the person it belongs to, for example by encrypting the identifying fields. Provided the key needed to reverse the pseudonymization is kept separate from the data itself, the data cannot be abused even if it is stolen.
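The following is an added example, not Utimaco's code or anything from the original post. It assumes a keyed HMAC-SHA256 tag as the pseudonymization primitive (a common alternative to encrypting the identifier) and that the key is the "additional information" that would be held in an HSM rather than next to the data; the record and field names are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: one direct identifier plus a sensitive payload.
SAMPLE_RECORD = {"email": "alice@example.com", "diagnosis": "asthma"}


def generate_key() -> bytes:
    """Assumption: in production this key lives in an HSM and never leaves it."""
    return secrets.token_bytes(32)


def pseudonymize(record: dict, key: bytes, id_field: str = "email") -> dict:
    """Replace the identifying field with a keyed HMAC-SHA256 pseudonym.

    The identifier is normalised (whitespace, case) so the same person
    always maps to the same pseudonym under the same key.  Without the
    key, the pseudonym cannot be linked back to the person.
    """
    identifier = record[id_field].strip().lower().encode()
    pseudonym = hmac.new(key, identifier, hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k != id_field}
    out["subject_id"] = pseudonym
    return out


def same_subject(pseudo_a: dict, pseudo_b: dict) -> bool:
    """Records about one person can still be joined for processing,
    because pseudonyms are consistent under the same key."""
    return hmac.compare_digest(pseudo_a["subject_id"], pseudo_b["subject_id"])


def matches_person(pseudo: dict, email: str, key: bytes) -> bool:
    """Re-identification is only possible for whoever holds the key."""
    expected = hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(pseudo["subject_id"], expected)
```

A stolen copy of the pseudonymized records reveals the payloads but no way to attribute them to a person; re-identification requires the key, which is the asset the HSM protects.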
The GDPR defines clear responsibilities for the data owner (the so-called “controller”, who determines the purpose and means of the data processing) and for the processor (who processes data on behalf of the controller), and requires each data-owning company to appoint a data protection officer (DPO), who monitors compliance and assesses the risks of data processing within the controller or processor.
Failure to comply with the GDPR’s requirements, whether by not appointing a data protection officer or by not reporting a data breach appropriately and within the defined timeframe (72 hours), can result in fines of up to US$20 million or 4% of a company’s global annual revenue.