Many of the critical requirements in the coming EU General Data Protection Regulation (GDPR) obligate significant operational changes for companies to come into compliance. Since guidance on these changes has been limited, it’s no surprise that many privacy programs report a great deal of uncertainty about how to adapt. As a result, progress has stalled at many organizations, placing them at great risk of reputational and financial losses.
The GDPR is clear and straightforward regarding penalties, but less prescriptive when it comes to implementation. It focuses on the following desired outcomes: protect EU citizens’ personal data, empower citizens to pursue remedies, harmonize data privacy across Europe, and reshape the way organizations approach data privacy. If you are uncertain about how to translate those desired outcomes into compliant operational changes, you are not alone.
Despite the lack of specific technical guidance, compliance guidelines do exist. Under the law, organizations must protect EU data subjects’ personal data against unauthorized access, minimize access to personal data even by authorized users, and maintain ongoing accountability and control over that data.
Here at Ionic, we understand that GDPR compliance will require a complex interplay of people (training, organization), processes (manual and automated), and technology. Simply understanding the impacts will take time. However, we also believe that implementing technical controls should begin now. GDPR does not mandate encryption, but it identifies encryption as a means to reduce fines and to avoid or limit breach notifications.
Persistent, data-centric encryption combined with dynamic access control and reporting is a great first step for companies looking to meet deadlines and start their GDPR journey. It provides immediate business value by way of risk reduction and demonstrates clear progress towards compliance.
Ionic Machina’s data-centric approach also minimizes reputational and financial risk. Specifically, GDPR Articles 33 and 34 exempt a company from issuing notifications to supervisory authorities or data breach subjects in the event of a data breach if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Encrypted data does not put personal rights at risk unless it can be decrypted. Therefore, a fail-closed model like Machina’s can avoid substantial costs related to breach notification and the legal fallout from class actions, regulators, and much more.
Use of Machina may also reduce the financial risk imposed by fines, as outlined in GDPR Article 83: “When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: [...] any action taken by the controller or processor to mitigate the damage suffered by data subjects.”
It’s important to note that any short-term solution must also support GDPR’s overarching goals and long-term objectives. Machina’s data protection engine uniquely offers the breadth of capabilities, flexibility of deployment, and depth of features to satisfy the most demanding components of GDPR’s mandates: protecting data regardless of repository, device, or location.
We believe the real focus should be the journey towards privacy and data protection as a way of doing business, especially for highly regulated financial services firms that handle sensitive personal data, and Machina can play a big part in transforming your business processes.
We provide starter kits for the most common data usage vectors to help you begin your GDPR compliance effort.
Engage with us to find out how Ionic’s scalable and persistent encryption will enable your organization to protect not just data—belonging to you, your customers, your partners—but also your company’s reputation and bottom line.