If you went to any security conference, tradeshow, or read any industry journals in 2018 you would've found yourself bombarded by lots of information about GDPR - almost to the point of information overload and advertising saturation! The intent is to address shortcomings in the data-driven economy by ensuring that security and privacy are truly baked in and not reluctant afterthoughts in IT. At comforte, our SecurDPS Enterprise solution is clearly designed to address several key elements of GDPR but the onslaught of marketing and messaging around GDPR has made some lose track of where to start and others desensitized into complacency.
The General Data Protection Regulation (GDPR) replaced the 1995 Data Protection Directive 95/46/EC and sets the bar high for data privacy with stiff financial penalties for indifference or non-compliance. While simpler "Band-Aid" solutions were quick to present (finding yourself accepting a privacy disclosure every time you visit a website these days?), true changes are often slow to emerge and ambiguities in GDPR continue to persist in slowing down enforcement. However, at some point the threat of enforcement will become reality and the EU will slowly sharpen its message and provide clarity to those in need of a reckoning. And for those in the US, the fate of the EU-US Privacy Shield framework will likely alter the flow of information even further.
Clarifying the fog that continues to surround GDPR, one thing is absolutely certain: GDPR is focused on protecting personal information of data subjects residing within the EU, wherever their data may exist or reside and whomever it is shared with. At its core, under GDPR de-identifying personal information is a necessity in order to maintain privacy (referred to as anonymization or pseudo-anonymization). The catch is that if we need to collect data, we also need to be able to use it – instead of just making it secure but impossible to use. The key to that is to use tokenization to “de-toxify” datasets to ensure that personal data is kept safe using a data-centric security approach. Not only does this offer compliance but it more importantly offers true security – which is what the true spirit of GDPR is. Furthermore, it allows us to use our data in its protected form without sacrificing its analytic value.
Tokenization, a technology comforte battle-tested with the Payment Card Industry (PCI) compliance push of the early 2000s, has anonymization built into it. At its core, you’re taking a completely random value and substituting it for the actual value, which not only protects the actual value, it also anonymizes it. But, the details are all in the implementation. comforte’s SecurDPS Enterprise stateless tokenization has high availability and failover designed in at its core. Furthermore, comforte tokenization is format preserving – meaning the tokens look and feel just like the actual data, allowing you to tokenize PII data at acquisition and then use the tokens downstream in databases, applications, and even reports – without breaking business processes due to the built-in referential integrity. Whether you tokenize via transparent means or by direct API or web service means, the tokenization protects your data while you use it, store it, or move it. Oh, and you get GDPR compliance while you do it, even better! The tokenization that comforte offers, which conforms to the ANSI X9 standard, is secure and works on all text data types and, unlike encryption, you don’t have to worry about managing or leaking encryption keys or if the next advance in quantum computing will make that “impossible” brute force attack possible.
A centralized data protection approach should include the use of data-centric security. The GDPR covers lots of areas and will likely evolve, but tokenizing data with comforte’s SecurDPS Enterprise is something that will not only enable compliance (GDPR Articles 6.4.e, 25.1, and 32.1 amongst others) but the actual security to avert breaches and maintain your brand reputation and customer trust. They key is to implement a framework such as comforte that can allow you to protect any sensitive data while scaling at the needs of your business. GDPR is a long overdue directive that is the beginning, not the end, of how we need to take seriously the implications and value of the data that we acquire. Protecting that valuable asset makes good business sense in any light.