08 May Preparing for General Data Protection Regulation (GDPR) – part III
Guest blogger Richard Hancock continues his series on GDPR preparation.
In my second blog on GDPR, I mentioned two of the major mitigating, preventative measures provided for within the GDPR: pseudonymising and encryption. Today, we’re going to look at these in more detail.
Pseudonymising for GDPR
If you’ve been in the database business since the days of Borland Paradox, then you’re more than likely familiar with pseudonymisation practices, but for the rest of us I’ll just summarise what we mean. This is where you take the most sensitive objects in your data set, such as sex, race and religion, and replace the field values with random codes. In a separate location, a master matrix maps those random codes back to the original data, so that those authorised to see the raw information can still do so. The vast majority of your staff, who do not need to see these specific objects, can continue to work on the data set unhindered, while those who need that data can still access it.
The GDPR specifically states that this methodology can be used to reduce your regulatory burden, since if you suffer a breach the attacker will only see meaningless binary or hex characters (if you’re smart and have kept your mapping table on a different server).
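The scheme described above, as an added example that is not part of the original post: sensitive fields are swapped for random codes and the code-to-value mapping is held in a separate vault object. The class and function names, the `dpo` role and the sample records are assumptions made for illustration; in production the vault would be a database on a different server.

```python
import secrets

SENSITIVE_FIELDS = ("sex", "race", "religion")  # the fields named in the post

# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"id": 1, "department": "Finance", "sex": "F", "religion": "Buddhist"},
    {"id": 2, "department": "Sales", "sex": "F", "religion": "Hindu"},
]


class MappingVault:
    """The 'master matrix'. Assumption: in production this is a separate
    database on a different server with its own access control."""

    def __init__(self, authorised_roles):
        self.authorised_roles = set(authorised_roles)
        self.codes = {}  # random code -> (field, original value)

    def new_code(self, field, value):
        # Fresh random code per cell: equal values never share a code, so
        # the working copy does not reveal how often each value occurs.
        code = secrets.token_hex(8)
        while code in self.codes:  # regenerate on the (unlikely) collision
            code = secrets.token_hex(8)
        self.codes[code] = (field, value)
        return code

    def reveal(self, code, role):
        # Only authorised roles may map a code back to the original value.
        if role not in self.authorised_roles:
            raise PermissionError(f"role {role!r} may not re-identify data")
        return self.codes[code][1]


def pseudonymise(records, vault):
    """Return copies of the records with sensitive fields replaced by codes."""
    working_copy = []
    for record in records:
        safe = dict(record)  # leave the caller's record untouched
        for field in SENSITIVE_FIELDS:
            if field in safe:
                safe[field] = vault.new_code(field, safe[field])
        working_copy.append(safe)
    return working_copy


if __name__ == "__main__":
    vault = MappingVault(authorised_roles={"dpo"})  # hypothetical role name
    for row in pseudonymise(SAMPLE_RECORDS, vault):
        print(row)
```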
So that is one good way of protecting your data, improving your business processes and lightening the GDPR load. Now let’s look at another – data encryption.
Data Encryption for GDPR
If somebody wrote down your confidential information on a post-it note and left it in reception, you’d be quite upset, right? This is exactly the same as storing plain text (unencrypted) data on your shared network drive, your finance database or your CRM. GDPR now recognises that the failure to encrypt amounts to neglect, meaning you will have zero defence should you be compromised and unencrypted data is stolen. It’s not just the obvious stuff though. If you’ve gone ultra-modern and paperless with your filing, it is imperative that this data at rest is encrypted. Do some homework before spending thousands on a document storage solution that doesn’t support encryption. What a treasure chest for the hacker that would be!?!
A favourite target in a cyber heist is the finance database. Hackers love bank details and credit card numbers that can be sold to the highest bidder or used to purchase goods. The easy fix for that threat is to use encryption. That way, the hacker could literally walk out of the building clutching the HDD in his hands and the information would be useless. Encryption also eliminates the need for you to individually notify your subjects of any breach (though DPA notification is still required) since they will not have suffered loss as their data will be unreadable.
Of course, encryption solutions are only as good as their associated key management processes. How good is a locked cupboard with the key housed in the lock itself or sitting on your desk? The concept of decoupling the keys from the data which they unlock is absolutely crucial here. The best practice for such an implementation is to store the decryption keys in hardware, preferably an HSM that meets FIPS 140-3 levels. The benefit of such a FIPS 140-3 box is that it is tamper proof, meaning that even if you were a victim of a physical breach, and your server was stolen along with the HSM holding your keys, your data is still safe. You simply restore the data from the backup, restore your keys from your co-located redundancy system and you’re online again in a matter of hours.
Either of these methods puts your organisation in a very strong position. Used together, they reduce your regulatory liabilities significantly.
Richard Hancock is a guest contributor and is Data Protection Officer for GMO GlobalSign, a leading Certificate Authority and encryption solution provider.