SlideShare a Scribd company logo

delphix-wp-gdpr-for-data-masking

Jes Breslaw, profile picture
Jes Breslaw

The document discusses the GDPR requirements for data masking and pseudonymization. It provides context on the GDPR and how it aims to update privacy laws for a modern, digital world. The GDPR introduces legal definitions for pseudonymization, which refers to approaches like data masking that secure personal data in a way that indirect identities are still protected. It highlights how data masking technologies can help companies comply with the GDPR while maintaining data quality for analysis. Companies that fail to implement appropriate measures like pseudonymization could face fines up to 4% of global turnover under the GDPR.

1 of 13
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
What IT Needs to Know and Do GDPR REQUIREMENTS FOR DATA MASKING White Paper
© 2016 Delphix Corp. All rights reserved.Page 2 | The GDPR’s Support for Pseudonymisation INTRODUCTION In a world of intellectual property theft, data breaches, and other cybercrimes, businesses are under intense pressure to protect sensitive data. In response to concerns from consumers, governments are creating regulations that require businesses to take appropriate care when handling personal data. This has created opportunities for businesses to take advantage of technology solutions that help them meet the challenges presented by these new regulatory measures. One of these technologies is data masking—the ability to replace sensitive data with a non-sensitive equivalent while maintaining the quality and consistency needed to ensure that masked data is still valuable to operational analysts or software developers. Although this technology has existed for some time, the General Data Protection Regulation (GDPR) which becomes law in 2018, dramatically elevates its relevance and importance. The GDPR sets strict limits on businesses that collect, use, and share data from European citizens. Companies— EU-based or otherwise—face new requirements that compel them to rethink their approaches to customer privacy and implement new protections. In fact, a new term ‘pseudonymisation’ has been introduced to add legal definition around protecting personal data. Pseudonymisation is an umbrella term for approaches like data masking that aim to secure confidential information that directly or indirectly reveals an individual’s identity. The GDPR punishes businesses that fail to leverage appropriate protection measures – such as pseudonymisation technologies—as a part of their overall security posture. The fine for non-compliance can be harsh: as much as 4% of global turnover, enough to jeopardize ongoing European operations for any business selling in the EU. This paper examines the forthcoming changes to the GDPR, identifying the key requirements businesses need to understand, and delineating what must be done to satisfy them. It then goes on to highlight how recent innovations in data masking can ensure regulatory compliance while also eliminating complexity that stands in the way of business agility. AUTHORS Phil Lee is a Partner in the Privacy, Security and Information Group at Fieldfisher, and runs its US Office in Silicon Valley, California. He holds CIPP(E) and CIPM status, and is a member of the IAPP’s Privacy Faculty. Phil has particular specialisms in behavioural profiling and cookie regulation, e-marketing, and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries. In addition to privacy and information law, Phil regularly advises on a wide variety of technology, social media, and e-commerce projects. Who’s Who Legal has said that Phil “ranks among the finest practitioners”​on data privacy and online regulation. Jes Breslaw is currently EMEA Director of Strategy Delphix. He has held senior european roles for 19 years in technology suppliers and integrators. Jes began his career product managing IBM hardware, and then spent eight years working with security solutions including CheckPoint Software and Cisco. Prior to joining Delphix Jes has worked in companies that provide secure mobile solutions, first Workshare and then Accellion.
© 2016 Delphix Corp. All rights reserved.Page 3 | The GDPR’s Support for Pseudonymisation A CHANGING LANDSCAPE: EUROPE’S NEW DATA PRIVACY LAWS In December 2015, the European Union reached a deal on wide-ranging new rules that will significantly impact all businesses—whether in the EU or beyond—that collect, use, and share personal information about European citizens. The deal reached was the culmination of years and years of hard work by European politicians and legislators, and resulted in the European Commission, Parliament, and Council of the EU agreeing on the text of Europe’s new “General Data Protection Regulation,” the successor legislation to Europe’s aging “Data Protection Directive”. But why should you care? To explain that, it’s necessary first to take a step back and consider how technology and law have evolved over the past 20 years. The story begins in 1995, when Europe adopted its current Data Protection Directive (Directive 95/46/EC, or the “Directive”)—the law that sets the rules throughout Europe governing how businesses may collect, use, and share individuals’ personal information. The current Directive dates from a time when few households owned computers (by way of anecdote, statistics from the US Census Bureau suggest that only around 30% US households had a computer in 19951 ), and almost no one had Internet access; a time when there was no social media, no online banking, and no cloud computing. It’s that same Directive, though, which continues to regulate the always-on, hyper-connected, Big Data world in which Europeans now live. So technology moved on, but the law had not. Recognizing the need for European data protection laws to keep pace with new technologies, in early 2012 the European Commission decided to publish proposals for a new data protection law—the “General Data Protection Regulation” (“GDPR”). The proposals were controversial, and heavily critiqued by all possible data stakeholders—national governments, global businesses, civil liberties organizations, the press, and others—each arguing from its own perspective that the proposals were either too prescriptive or too lax, too strict or not strict enough. Reaching consensus was not easy. Over nearly the next four years, the GDPR became one of the most heavily debated legislative proposals in the European Union ever, attracting more than 3,000 amendments during its legislative passage. Yet, despite these difficulties, all parties finally agreed to the text of the GDPR in December 2015, and the GDPR is expected to be adopted into European law in Q2 2016 (with full implementation planned for 2018). Among its controversial new requirements are provisions that the GDPR will apply to any business worldwide that offers goods and services to, or monitors the behaviour of, European citizens, and that businesses in breach of the GDPR can face stiff fines of up to 4% of annual worldwide turnover. With such significant business risks, data protection has grabbed press headlines and board-level attention like never before. Businesses everywhere are assessing their current data protection practices to ready themselves for when the new law takes effect in 2018. Against this backdrop of changing laws and evolving risks, this paper explores how “pseudonymisation” technologies, such as Delphix’s data masking technology, can help businesses prepare for these changes and mitigate risk under the new law. 1) http://www.census.gov/hhes/computer/
© 2016 Delphix Corp. All rights reserved.Page 4 | The GDPR’s Support for Pseudonymisation PSEUDONYMISATION AND THE GDPR WHAT IS PSEUDONYMISATION? European data protection laws protect “personal data”; data which is not “personal” is not subject to European data protection rules and can be used and shared freely by businesses. In the current law, “personal data” has a broad definition, and applies to any “information relating to an identified or identifiable natural person”, including where a person “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.2 The reference to “direct or indirect” identification has long been a point of consternation for businesses. “Direct” identification clearly captures information that ‘obviously’ reveals a person’s identity, such as their name and contact details. But what about “indirect” identification? The position of European data protection authorities has been that data seemingly ‘anonymised’ (obfuscated) by removing individuals’ directly identifying details may still be personal data if the resultant dataset enables an individual to be “indirectly” identified.3 This may be the case, for example, where a business poorly obfuscates its data and only removes customer names from its databases, but still holds other detail about their account activity (such as which services they use, payment records, and IP address information about the devices from which they access their online account), then the collection of that data may still be sufficient to enable the individual to be “indirectly” identified with relatively minimal effort. To deal with this, the act makes a distinction. Data that is truly annonymised, (for example aggregated, annonymised statistics where you cannot pull out any individual recognised record) is exempted from data protection. However data that is hidden but has the potential to reveal identities such as the example above is classified as pseudonimsed. Under the current law, ‘pseudonymised data’ is not defined but is essentially treated identically to any other form of directly identifying personal data - meaning even where a business has taken steps to scrub its data by using data masking or hashing technologies in the interests of privacy compliance, the scrubbed dataset may still be subject to the full weight of compliance regulation under the Directive. The current law therefore has the unfortunate consequence that even businesses that try to be ‘good actors’ by correctly implementing data scrubbing techniques, such as masking or hashing, see no regulatory upside from their good behaviour – in turn, disincentivising many businesses from expending the budget and effort necessary to implement these technologies, notwithstanding their clear benefit to data security. By contrast, the GDPR recognises the need to promote ‘pseudonymisation’ and includes several provisions designed to do just that. 2) Art 2(a) Directive 3) See “Opinion 05/2014 on Anonymisation Techniques” by the EU Article
© 2016 Delphix Corp. All rights reserved.Page 5 | The GDPR’s Support for Pseudonymisation HOW DOES PSEUDONYMISATION HELP BUSINESSES TO COMPLY WITH THE GDPR? Unlike the Directive, the new GDPR contains an express legal definition of ‘pseudonymisation’, describing it as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”4 Put more simply, the GDPR explains that pseudonymised data is data held in a format that does not directly identify a specific individual without the use of additional information such as separately stored mapping tables. For example, “User ABC12345” rather than “James Smith” – to identify “James Smith” from “User ABC12345”, there would need to be a mapping table that maps user IDs to user names). Where any such matching information exists, it must be kept separately and subject to controls that prevent if from being combined with the pseudonymised data for identification purposes. Data masking and hashing are examples of pseudonymisation technologies.5 Like the Directive, the GDPR still considers pseudonymised data to be personal data, with the consequence that European data protection rules will still govern the use and protection of pseudonymised data. Critically, though – and in very marked contrast to the Directive – the GDPR incentivises companies to pseudonymise their datasets at several different points. These are described below. PSEUDONYMISATION AS A SECURITY MEASURE Article 30 of the GDPR sets out the security requirements that businesses are expected to satisfy. It requires that businesses must implement “appropriate” technical and organisational measures to secure personal data, taking account of the risk presented to individuals if the security of that data were to be breached. In this regard, the GDPR expressly says that businesses should consider implementing “as appropriate … the pseudonymisation and encryption of personal data.” While the law stops short of telling businesses they must implement pseudonymisation, the express reference to pseudonymisation in the security provisions of the GDPR is highly significant – indicating that, in the event of a security breach, regulators will take into consideration whether or not a business had implemented pseudonymisation technologies. Businesses that have not may therefore find themselves more exposed to regulatory action. To reinforce this point, the introductory language to the GDPR says that businesses should consider “pseudonymising personal data as soon as possible” in order to satisfy requirements of data protection by design and by default.6 Put simply, the GDPR sees pseudonymisation as an important tool for achieving compliance with its requirements. PSEUDONYMISATION TO REDUCE DATA BREACH REPORTING BURDENS Related to the above point, the GDPR introduces new mandatory data breach reporting rules. Businesses that suffer a data security incident will potentially find themselves compelled to notify their enterprise customers, their regulators and the individuals whose data have been compromised. Current data protection law contains no such requirements, outside of specific regulated sectors (e.g. such as breach reporting rules for telcos and ISPs). 4) Article 4(3)(b) GDPR 5) Ibid. 3 at page 20. 6) Recital 61 GDPR
© 2016 Delphix Corp. All rights reserved.Page 6 | The GDPR’s Support for Pseudonymisation Any business that has experienced a data breach will know that, quite apart from the cost of re-securing the compromised data, data breaches attract very significant financial, reputational and resource costs. In the United States, which has had a long standing data breach reporting regime, the Federal Trade Commission has imposed significant penalties for data security incidents, and businesses that have suffered a breach typically find themselves vilified both in the press and in class action law suits.7 The concern for many businesses, then, is whether the introduction of data breach reporting rules in the EU may result in the same types of harm suffered by businesses across the Atlantic in the US. In terms of the specific rules it introduces, the GDPR sets an expectation that businesses must notify data protection authorities within 72 hours upon becoming aware of a breach – a very short timescale for any material data security incident – and must inform the individuals affected without “undue delay.”8 However, the GDPR says that businesses do not need to notify data protection authorities if the can “demonstrate … that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”. On a similar note, it also says that businesses only need to inform affected individuals if the breach is likely to result in a “high risk” to their privacy – and that notification is not required if the business “has implemented appropriate technical and organisational protection measures … that render the data unintelligible to any person who is not authorised to access it”.9 In short, if a data breach presents low risk to the individuals concerned, the GDPR’s breach notification requirements become more relaxed. Pseudonymisation, whether through masking, hashing or encryption, offers a clear means to reduce the risks to individuals arising from a data breach (e.g. by reducing the likelihood of identity fraud and other forms of data misuse), and is supported by the GDPR as a security measure as already described above. In consequence of this, businesses that have effectively pseudonymised their data may therefore benefit from exemptions from notifying regulatory authorities and the individuals affected in the event they suffer a data breach. Given the ever-increasing occurrence, and cost, of data breaches,10 this is a highly significant incentive for businesses to pseudonymise their datasets. PSEUDONYMISATION TO REDUCE DATA DISCLOSURE BURDENS One of the greatest compliance challenges under the current Directive concerns the “right of access”, which allows individuals to ask a business to provide them with a copy of any personal information processed about them.11 The business has to comply with this request within a very short timescale (typically just 40 days), and in that time has to undertake extensive – and costly – efforts to search its systems to identify any personal information relating to that e-mail, remove any third party personal information from materials identified for disclosure (for example, references to third parties in e-mails), consult with legal counsel to review the material to be disclosed for compliance and risk management purposes, and then deliver up the information to the individual. Data access requests are very commonly made in the context of litigious claims, by individuals seeking to get wider access to information than they would ordinarily be entitled to under normal litigation disclosure rules. 7) See, for example, http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-hacked/. 8) Arts 31 and 32 GDPR 9) Arts 31(1), 32(1) and 32(3)(a) GDPR 10) See PWC’s “Global State of Information Security Survey 2015” at http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html 11) Art 12 Directive
© 2016 Delphix Corp. All rights reserved.Page 7 | The GDPR’s Support for Pseudonymisation Individuals will continue to have a right of access to data under the GDPR. However, consistent with its approach to pseudonymisation on data breach issues, the GDPR appears to relax disclosure requirements in response to a data access request where data has been pseudonymised. It says that where the business can “demonstrate that it is not in a position to identify the data subject … Articles 15 to 18 [i.e. the right to access]12 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.” This means that a business may not be obligated to include data that has effectively been pseudonymised when responding to data access requests from an individual. This is a particularly important benefit for large consumer-facing businesses who may face lots of subject access requests from their customers at any given point in time.13 PSEUDONYMISATION TO HELP PROFILING ACTIVITIES A further key development in the GDPR is that the new law introduces a specific concept of “profiling”, defining it as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.14 The GDPR goes on to say that businesses should not make “decisions” about an individual if those decisions are solely based on automated processing, including profiling, unless one of certain specific legal criteria are met – typically requiring the individual’s “explicit consent”.15 The rule only applies, however, if the profiling produces “legal effects” concerning the individual or “similarly significantly affects him or her”. The GDPR specifically mentions refusal of online credit applications and e-recruitment of two such examples of automated decision-making.16 One big question, though, is whether online profiling for the purposes of data analytics or targeted advertising are caught by this rule? While the GDPR does not provide absolute clarity on this point, data profiling where an individual’s direct identifying information has been removed through pseudonymisation will significantly reduce any privacy impact on the individual, particularly when keeping in mind the GDPR’s overarching support of pseudonymisation. In view of this, online data analytics or targeted advertising practices based on pseudonymised data seem very unlikely to produce “legal effects” or “significantly affect” individuals – and, as a result, are unlikely to be subject to the explicit consent requirements for automated decision-making mandated by the GDPR. 12) Strictly speaking, the right of access is set out in Article 15. Articles 16 to 18 concern other data subject rights, such as the right to rectification, the right to erasure, the right to restriction of processing and the right to data portability. Pseudonymised data may therefore reduce business obligations in respect of these rights too. 13) See, for example, this ZDNet news item “Reddit users overwhelm Facebook with data requests” at http://www.zdnet.com/article/reddit-users-overwhelm-facebook-with-data-re- quests/ 14) Art 4(3aa) GDPR 15) Arts 20(1) and 20(1a) GDPR 16) Recital 58 GDPR
© 2016 Delphix Corp. All rights reserved.Page 8 | The GDPR’s Support for Pseudonymisation THE RISKS OF NON-COMPLIANCE WITH THE GDPR When it comes into effect, the GDPR will introduce severe penalties for businesses that are non-compliant.17 The GDPR creates a two-tier fining regime, indicating that certain breaches of the GDPR can attract fines of up to the greater of EUR10,000,000 or 2% of annual worldwide turnover (i.e. top line revenue) while other, more serious, breaches can attract total fines of up to the greater of EUR20,000,000 or 4% of annual worldwide turnover. In assessing what fines to impose, data protection authorities may take account of “the technical and organisational measures” implemented by businesses18 – and use of pseudonymisation technologies will undoubtedly be an important consideration here. Aside from the risk of fines, the GDPR also grants data protection authorities additional powers, including mandatory audit rights,19 and gives individuals the ability to bring legal claims (or have legal claims brought on their behalf by civil liberties organisations or similar) against non-compliant businesses. The GDPR can therefore be thought of as introducing both a ‘carrot’ and a ‘stick’ approach to encouraging businesses to pseudonymise their data – a ‘carrot’ by virtue of expressly recommending pseudonymisation at specific points in the GDPR and reducing certain obligations on businesses that pseudonymise their data; and a ‘stick’ by threatening significant penalties for businesses that are non-compliant. PSEUDONYMISATION AND DATA MASKING TECHNOLOGY Data masking represents the de facto standard for achieving pseudonymisation, especially in so-called non- production data environments used for software development, testing, training, and analytics. By replacing sensitive data with fictitious yet realistic data, masking solutions neutralize data risk while preserving the value of the data for non-production use. Alternative approaches such as encryption fail across key dimensions. Chief among these is its vulnerability to identity breach, insider threats, or other scenarios in which actors obtain decryption keys: anyone with the right decryption keys can walk past encryption defences and gain access to sensitive data. In contrast, data masking irreversibly transforms sensitive data to eliminate risk from insider and outsider threats alike. PSEUDONYMISATION REQUIRES A DATA FIRST APPROACH While data masking provides organizations with a tool that fits key challenges emerging from the GDPR, businesses must apply it with a “data first” approach that involves greater awareness of how data changes and moves over time, and how to better control it. Specifically, businesses will be most effective in achieving pseudonymisation through masking if they address the following questions: WHERE IS YOUR DATA? Enterprises create many copies of their production environment for software development, testing, backup, and reporting. These environments can account for up to 90% of all data stored and are often spread out across 17) Art 79 GDPR 18) Art 79(2a)(e) GDPR 19) Art 53 GDPR
© 2016 Delphix Corp. All rights reserved.Page 9 | The GDPR’s Support for Pseudonymisation multiple repositories and sites. Businesses that understand where their data resides—including sensitive data located in sprawling non-production environments—will be better equipped to allocate protective measures. HOW DO YOU GOVERN YOUR DATA? Very few organisations have a Chief Data Officer or Head of Data Protection. Even those that do may not have adequate control over how data is moved and manipulated because individual business units—each with their own administrators, IT architects, and developers—often define data-related processes at the project level, with little or no corporate policy enforced or even available. Businesses addressing the GDPR must take steps to regain data governance and introduce tools that drive greater visibility and standardization into processes such as data masking. HOW DO YOU DELIVER DATA? Many existing approaches to delivering data are highly manual and resource-intensive, involving slow coordination across multiple teams. Adding pseudonymisation to already cumbersome data delivery processes only adds to this burden and enterprises often end up abandoning efforts to make technologies like data masking work. To effectively implement a technology like data masking, businesses need to not only streamline data delivery, but also ensure that masking is a repeatable and integrated part of the delivery process. THE GDPR: A FORCE FOR POSITIVE CHANGE For many organizations, the GDPR clearly creates an imperative to evaluate and update how they store, manage, and secure data. And critically, the new regulation will also usher in a wave of IT innovation with the potential to not only ensure compliance and reduce the risk of data breach, but also to accelerate critical business initiatives. DATA MASKING USING VIRTUAL DATA For example, innovations that combine virtual data and data masking simplify the process of not only masking data, but also delivering masked data. Such solutions create and deliver lightweight virtual data copies in a fraction of the time and storage space consumed by regular physical copies. Virtual copies are stored, managed, and delivered from a single point of control to maximize data governance. Moreover, data masking can be designed into the data delivery process such that virtual copies are automatically masked. The overall effect is that masked data is created and delivered much faster, facilitating the GDPR compliance and accelerating processes that depend on secure data. Chief among these processes are software development, testing, and analytics projects that—now more than ever—determine how businesses compete and succeed, no matter the industry. Data masking technologies have been around a long time. So why do so many companies fail or simply choose not to use them? The reason is that traditionally they’ve been highly manual, complex pieces of work. Dedicated individuals or teams carry them out and each application must be worked on independently, forcing organisations to prioritise which datasets to mask and which to leave unprotected. In the most recent Bloor Data Masking report, it gives the example of Oracle’s data masking, which “requires the use of the Oracle database (as well as a lot of IT skills)”. The problem with data masking isn’t the masking rules, but the delivery of the masked data. In fact the Bloor report goes on to discuss how some of the standalone methods have become commoditised,
© 2016 Delphix Corp. All rights reserved.Page 10 | The GDPR’s Support for Pseudonymisation “..many of the solutions on offer will be selected as much for the complementary capabilities that are offered as for the product’s pure masking capabilities”. Gartner’s December 2015 report, Magic Quadrant for Data Masking Technology, Worldwide provides an example of how data masking paired with Delphix Data Virtualization brings added benefit: “Combining [data masking] with data virtualization saves time and storage; data is masked only once in the virtualized (shared) data and in any changed data, while retaining storage space savings. Data virtualization technology can also save time by keeping copies of the masked data and serving them by request.” So what is Delphix and how does it take a Data First approach to transform a process that’s traditionally slow, siloed, painful, and expensive into something automated, centralised, fast, and efficient? A recent survey Delphix sponsored showed that 90% of non-production data in the enterprise is not masked. The reason is that copying the data from production to non-production can take weeks, even months. Masking that data can add further weeks, and then the data has to be refreshed numerous times in projects, which starts the process all over again. Delphix collects production data and then remains in sync with production forever, creating a near-live copy of the production data. Using this copy, Delphix creates complete and current ‘virtual’ copies of the data via self-service in minutes. You retain full control over all your production data. And because you’re working with only a single real copy as opposed to hundreds, you’ve dramatically reduced the surface layer of attack. You also now have full knowledge of where any virtual copies reside and who can access them, giving that much needed control and governance. Dev/Test & QA NON-PROD NETWORKPRODUCTION NETWORK OFFSITE PUBLIC/HYBRID CLOUD DATA WAREHOUSE DATA RISK INCREASING UAT Operational Data Store AS DATA MOVES INTO NON-PRODUCTION OR LESS SECURE NETWORKS—ESPECIALLY OFF SITE TO THIRD PARTIES OR INTO PUBLIC AND HYBRID CLOUDS—THE DATA CHANGES CONSTANTLY AND THE SURFACE AREA OF RISK INCREASES.
© 2016 Delphix Corp. All rights reserved.Page 11 | The GDPR’s Support for Pseudonymisation At the same time, a data masking policy can be set up beforehand, so whenever virtual copies are requested, the data is masked instantly. Data masking simply becomes part of the automated data delivery process. This allows data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. PRODUCTION NETWORK SYNCS DIRECTLY VIRTUALIZE UNMASKED DATA MASKED DATA TO DELPHIX Masked Once OR •• Delphix links directly to production •• Data provisioned from Delphix can be masked or left clear •• Different data are deployed per use case/user role
© 2016 Delphix Corp. All rights reserved.Page 12 | The GDPR’s Support for Pseudonymisation SUMMARY The EU GDPR strongly incentivises the pseudonymisation of all personal data. To address this, businesses need greater visibility and control over their data,, coupled with tools that not only mask data, but also streamline and automate that process. Such an approach can help businesses: • Take steps to protect personal data, in accordance with the GDPR requirements. • Avoid the need to report data breach incidents. • Provide tools that enable their legal teams to identify, audit, and report on data. • Reduce or eliminate the requirement to obtain consent for data profiling. • Accelerate IT and business processes that depend on access to secure data. ABOUT DELPHIX Data is the fuel for application projects, and Delphix transforms the way that organizations manage data for their application projects. Delphix Masking seamlessly integrates virtual data with data masking to help customers: • Mask sensitive data faster than ever before. • Deliver secure data in minutes instead of days or weeks. • Ensure compliance with regulations including the GDPR. For more information on how Delphix can help you meet the GDPR requirements, visit delphix.com/solutions/data-masking
Page 13 | The GDPR’s Support for Pseudonymisation GDPR Requirements for Data Masking: What IT Needs to Know and Do March 2016 For more information, visit www.delphix.com The Delphix Website also provides the latest product updates. If you have comments about this documentation, submit your feedback to: help@delphix.com Delphix Corp. 275 Middlefield Road, Suite 210 Menlo Park, CA 94025 © 2016 Delphix Corp. All rights reserved. The Delphix logo and design are registered trademarks of Delphix Corp. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

More Related Content

PDF
GDPR: the legal aspects. By Matthias of theJurists Europe.
Matthias Dobbelaere-Welvaert
 
PDF
GDPR, what you need to know and how to prepare for it e book
Plr-Printables
 
PPTX
GDPR Is Coming – Are Emailers Ready?
MediaPost
 
PPTX
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
PPTX
Impact of GDPR on the pre dominant business model for digital economies
EquiGov Institute
 
PDF
Companies, digital transformation and information privacy: the next steps
The Economist Media Businesses
 
PPTX
How to get started with being GDPR compliant
Siddharth Ram Dinesh
 
PDF
GDPR: how IT works
Morris Dorfer
 
GDPR: the legal aspects. By Matthias of theJurists Europe.
Matthias Dobbelaere-Welvaert
 
GDPR, what you need to know and how to prepare for it e book
Plr-Printables
 
GDPR Is Coming – Are Emailers Ready?
MediaPost
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 
Impact of GDPR on the pre dominant business model for digital economies
EquiGov Institute
 
Companies, digital transformation and information privacy: the next steps
The Economist Media Businesses
 
How to get started with being GDPR compliant
Siddharth Ram Dinesh
 
GDPR: how IT works
Morris Dorfer
 

What's hot (20)

PDF
Cognizant business consulting the impacts of gdpr
audrey miguel
 
PDF
Gdpr in a nutshell
Matthew Butler
 
PDF
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
PDF
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Cédric Laurant
 
PDF
Deloitte the case for disruptive technology in the legal profession 2017
Ian Beckett
 
PDF
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
John Nas
 
PPTX
GDPR and evolving international privacy regulations
Ulf Mattsson
 
PPTX
Practical Guide to GDPR 2017
Dryden Geary
 
PPTX
How to Protect Your Data
Neopost Mailing Solutions, Digital Communications and Shipping Services
 
PDF
Digital Transformation Summit: theJurists Europe case
Matthias Dobbelaere-Welvaert
 
PPTX
Draft data protection regn 2012
lilianedwards
 
PPT
GDPR FAQ'S
Morgan McKinley
 
PDF
Cybersecurity and Data Privacy
WilmerHale
 
PPTX
Legal issues in technology
EzraGray1
 
PPTX
Be aware of the laws in South Africa that apply to email
Lance Michalson
 
PDF
CMR - GDPR - general introduction for marketeers
The CMR Agency
 
PDF
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake Morgan
 
PDF
INFOMAGAZINE 8 by REAL security
Samo Zavašnik
 
PPTX
Data Protection in India
Home
 
PDF
GDPR A Practical Guide with Varonis
Angad Dayal
 
Cognizant business consulting the impacts of gdpr
audrey miguel
 
Gdpr in a nutshell
Matthew Butler
 
Research on Legal Protection of Data Rights of E Commerce Platform Operators
YogeshIJTSRD
 
"Data Breaches & the Upcoming Data Protection Legal Framework: What’s the Buz...
Cédric Laurant
 
Deloitte the case for disruptive technology in the legal profession 2017
Ian Beckett
 
Cloud4eu - WhitePaper - OnChallengeofAcceptanceofCloudSolutionsinEUPublicSect...
John Nas
 
GDPR and evolving international privacy regulations
Ulf Mattsson
 
Practical Guide to GDPR 2017
Dryden Geary
 
How to Protect Your Data
Neopost Mailing Solutions, Digital Communications and Shipping Services
 
Digital Transformation Summit: theJurists Europe case
Matthias Dobbelaere-Welvaert
 
Draft data protection regn 2012
lilianedwards
 
GDPR FAQ'S
Morgan McKinley
 
Cybersecurity and Data Privacy
WilmerHale
 
Legal issues in technology
EzraGray1
 
Be aware of the laws in South Africa that apply to email
Lance Michalson
 
CMR - GDPR - general introduction for marketeers
The CMR Agency
 
Blake lapthorn In House Lawyer forum - 11 Sept 2012
Blake Morgan
 
INFOMAGAZINE 8 by REAL security
Samo Zavašnik
 
Data Protection in India
Home
 
GDPR A Practical Guide with Varonis
Angad Dayal
 
Ad

Similar to delphix-wp-gdpr-for-data-masking (20)

PDF
GDPR- Get the facts and prepare your business
Mark Baker
 
PDF
GDPR - A practical guide
Angad Dayal
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
PDF
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
Stephen Denning
 
PDF
UX & GDPR - Building Customer Trust with your Digital Experiences
User Vision
 
PDF
The Essential Guide to GDPR
Tim Hyman LLB
 
PDF
The Essential Guide to GDPR
Tim Hyman LLB
 
PDF
Guide to-the-general-data-protection-regulation
N N
 
PPTX
Gdpr presentation
Sudarsan Reddy
 
PDF
GDPR - The new era of data protection
Interlogica
 
PPTX
General data protection regulation
Fahad Ameen
 
PDF
GDPR Demystified
SPIN Chennai
 
PPTX
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
PDF
GDPR - a view for the non experts
Claudio Bolla, CISM
 
PPTX
Introduction to GDPR
Priyab Satoshi
 
PPT
The Countdown is on: Key Things to Know About the GDPR
Case IQ
 
PDF
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
PDF
GDPR for developers
Exove
 
PDF
The Countdown to the GDPR Regulations
Elliot Reeman
 
GDPR- Get the facts and prepare your business
Mark Baker
 
GDPR - A practical guide
Angad Dayal
 
Introduction to EU General Data Protection Regulation: Planning, Implementati...
Financial Poise
 
Introduction to EU General Data Protection Regulation: Planning, Implementat...
Financial Poise
 
UX & GDPR - Building Customer Trust with your Digital Experiences
Stephen Denning
 
UX & GDPR - Building Customer Trust with your Digital Experiences
User Vision
 
The Essential Guide to GDPR
Tim Hyman LLB
 
The Essential Guide to GDPR
Tim Hyman LLB
 
Guide to-the-general-data-protection-regulation
N N
 
Gdpr presentation
Sudarsan Reddy
 
GDPR - The new era of data protection
Interlogica
 
General data protection regulation
Fahad Ameen
 
GDPR Demystified
SPIN Chennai
 
General Data Protection Regulation (GDPR)
Extentia Information Technology
 
GDPR - a view for the non experts
Claudio Bolla, CISM
 
Introduction to GDPR
Priyab Satoshi
 
The Countdown is on: Key Things to Know About the GDPR
Case IQ
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
Altimeter, a Prophet Company
 
GDPR for developers
Exove
 
The Countdown to the GDPR Regulations
Elliot Reeman
 
Ad

delphix-wp-gdpr-for-data-masking

  • 1. What IT Needs to Know and Do GDPR REQUIREMENTS FOR DATA MASKING White Paper
  • 2. © 2016 Delphix Corp. All rights reserved.Page 2 | The GDPR’s Support for Pseudonymisation INTRODUCTION In a world of intellectual property theft, data breaches, and other cybercrimes, businesses are under intense pressure to protect sensitive data. In response to concerns from consumers, governments are creating regulations that require businesses to take appropriate care when handling personal data. This has created opportunities for businesses to take advantage of technology solutions that help them meet the challenges presented by these new regulatory measures. One of these technologies is data masking—the ability to replace sensitive data with a non-sensitive equivalent while maintaining the quality and consistency needed to ensure that masked data is still valuable to operational analysts or software developers. Although this technology has existed for some time, the General Data Protection Regulation (GDPR) which becomes law in 2018, dramatically elevates its relevance and importance. The GDPR sets strict limits on businesses that collect, use, and share data from European citizens. Companies— EU-based or otherwise—face new requirements that compel them to rethink their approaches to customer privacy and implement new protections. In fact, a new term ‘pseudonymisation’ has been introduced to add legal definition around protecting personal data. Pseudonymisation is an umbrella term for approaches like data masking that aim to secure confidential information that directly or indirectly reveals an individual’s identity. The GDPR punishes businesses that fail to leverage appropriate protection measures – such as pseudonymisation technologies—as a part of their overall security posture. The fine for non-compliance can be harsh: as much as 4% of global turnover, enough to jeopardize ongoing European operations for any business selling in the EU. This paper examines the forthcoming changes to the GDPR, identifying the key requirements businesses need to understand, and delineating what must be done to satisfy them. It then goes on to highlight how recent innovations in data masking can ensure regulatory compliance while also eliminating complexity that stands in the way of business agility. AUTHORS Phil Lee is a Partner in the Privacy, Security and Information Group at Fieldfisher, and runs its US Office in Silicon Valley, California. He holds CIPP(E) and CIPM status, and is a member of the IAPP’s Privacy Faculty. Phil has particular specialisms in behavioural profiling and cookie regulation, e-marketing, and international data transfer strategies (including binding corporate rules). He has worked on numerous multi-jurisdictional data privacy projects across more than 80 countries. In addition to privacy and information law, Phil regularly advises on a wide variety of technology, social media, and e-commerce projects. Who’s Who Legal has said that Phil “ranks among the finest practitioners”​on data privacy and online regulation. Jes Breslaw is currently EMEA Director of Strategy Delphix. He has held senior european roles for 19 years in technology suppliers and integrators. Jes began his career product managing IBM hardware, and then spent eight years working with security solutions including CheckPoint Software and Cisco. Prior to joining Delphix Jes has worked in companies that provide secure mobile solutions, first Workshare and then Accellion.
  • 3. © 2016 Delphix Corp. All rights reserved.Page 3 | The GDPR’s Support for Pseudonymisation A CHANGING LANDSCAPE: EUROPE’S NEW DATA PRIVACY LAWS In December 2015, the European Union reached a deal on wide-ranging new rules that will significantly impact all businesses—whether in the EU or beyond—that collect, use, and share personal information about European citizens. The deal reached was the culmination of years and years of hard work by European politicians and legislators, and resulted in the European Commission, Parliament, and Council of the EU agreeing on the text of Europe’s new “General Data Protection Regulation,” the successor legislation to Europe’s aging “Data Protection Directive”. But why should you care? To explain that, it’s necessary first to take a step back and consider how technology and law have evolved over the past 20 years. The story begins in 1995, when Europe adopted its current Data Protection Directive (Directive 95/46/EC, or the “Directive”)—the law that sets the rules throughout Europe governing how businesses may collect, use, and share individuals’ personal information. The current Directive dates from a time when few households owned computers (by way of anecdote, statistics from the US Census Bureau suggest that only around 30% US households had a computer in 19951 ), and almost no one had Internet access; a time when there was no social media, no online banking, and no cloud computing. It’s that same Directive, though, which continues to regulate the always-on, hyper-connected, Big Data world in which Europeans now live. So technology moved on, but the law had not. Recognizing the need for European data protection laws to keep pace with new technologies, in early 2012 the European Commission decided to publish proposals for a new data protection law—the “General Data Protection Regulation” (“GDPR”). The proposals were controversial, and heavily critiqued by all possible data stakeholders—national governments, global businesses, civil liberties organizations, the press, and others—each arguing from its own perspective that the proposals were either too prescriptive or too lax, too strict or not strict enough. Reaching consensus was not easy. Over nearly the next four years, the GDPR became one of the most heavily debated legislative proposals in the European Union ever, attracting more than 3,000 amendments during its legislative passage. Yet, despite these difficulties, all parties finally agreed to the text of the GDPR in December 2015, and the GDPR is expected to be adopted into European law in Q2 2016 (with full implementation planned for 2018). Among its controversial new requirements are provisions that the GDPR will apply to any business worldwide that offers goods and services to, or monitors the behaviour of, European citizens, and that businesses in breach of the GDPR can face stiff fines of up to 4% of annual worldwide turnover. With such significant business risks, data protection has grabbed press headlines and board-level attention like never before. Businesses everywhere are assessing their current data protection practices to ready themselves for when the new law takes effect in 2018. Against this backdrop of changing laws and evolving risks, this paper explores how “pseudonymisation” technologies, such as Delphix’s data masking technology, can help businesses prepare for these changes and mitigate risk under the new law. 1) http://www.census.gov/hhes/computer/
  • 4. © 2016 Delphix Corp. All rights reserved.Page 4 | The GDPR’s Support for Pseudonymisation PSEUDONYMISATION AND THE GDPR WHAT IS PSEUDONYMISATION? European data protection laws protect “personal data”; data which is not “personal” is not subject to European data protection rules and can be used and shared freely by businesses. In the current law, “personal data” has a broad definition, and applies to any “information relating to an identified or identifiable natural person”, including where a person “can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.2 The reference to “direct or indirect” identification has long been a point of consternation for businesses. “Direct” identification clearly captures information that ‘obviously’ reveals a person’s identity, such as their name and contact details. But what about “indirect” identification? The position of European data protection authorities has been that data seemingly ‘anonymised’ (obfuscated) by removing individuals’ directly identifying details may still be personal data if the resultant dataset enables an individual to be “indirectly” identified.3 This may be the case, for example, where a business poorly obfuscates its data and only removes customer names from its databases, but still holds other detail about their account activity (such as which services they use, payment records, and IP address information about the devices from which they access their online account), then the collection of that data may still be sufficient to enable the individual to be “indirectly” identified with relatively minimal effort. To deal with this, the act makes a distinction. Data that is truly annonymised, (for example aggregated, annonymised statistics where you cannot pull out any individual recognised record) is exempted from data protection. However data that is hidden but has the potential to reveal identities such as the example above is classified as pseudonimsed. Under the current law, ‘pseudonymised data’ is not defined but is essentially treated identically to any other form of directly identifying personal data - meaning even where a business has taken steps to scrub its data by using data masking or hashing technologies in the interests of privacy compliance, the scrubbed dataset may still be subject to the full weight of compliance regulation under the Directive. The current law therefore has the unfortunate consequence that even businesses that try to be ‘good actors’ by correctly implementing data scrubbing techniques, such as masking or hashing, see no regulatory upside from their good behaviour – in turn, disincentivising many businesses from expending the budget and effort necessary to implement these technologies, notwithstanding their clear benefit to data security. By contrast, the GDPR recognises the need to promote ‘pseudonymisation’ and includes several provisions designed to do just that. 2) Art 2(a) Directive 3) See “Opinion 05/2014 on Anonymisation Techniques” by the EU Article
  • 5. © 2016 Delphix Corp. All rights reserved.Page 5 | The GDPR’s Support for Pseudonymisation HOW DOES PSEUDONYMISATION HELP BUSINESSES TO COMPLY WITH THE GDPR? Unlike the Directive, the new GDPR contains an express legal definition of ‘pseudonymisation’, describing it as: “the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person”4 Put more simply, the GDPR explains that pseudonymised data is data held in a format that does not directly identify a specific individual without the use of additional information such as separately stored mapping tables. For example, “User ABC12345” rather than “James Smith” – to identify “James Smith” from “User ABC12345”, there would need to be a mapping table that maps user IDs to user names). Where any such matching information exists, it must be kept separately and subject to controls that prevent if from being combined with the pseudonymised data for identification purposes. Data masking and hashing are examples of pseudonymisation technologies.5 Like the Directive, the GDPR still considers pseudonymised data to be personal data, with the consequence that European data protection rules will still govern the use and protection of pseudonymised data. Critically, though – and in very marked contrast to the Directive – the GDPR incentivises companies to pseudonymise their datasets at several different points. These are described below. PSEUDONYMISATION AS A SECURITY MEASURE Article 30 of the GDPR sets out the security requirements that businesses are expected to satisfy. It requires that businesses must implement “appropriate” technical and organisational measures to secure personal data, taking account of the risk presented to individuals if the security of that data were to be breached. In this regard, the GDPR expressly says that businesses should consider implementing “as appropriate … the pseudonymisation and encryption of personal data.” While the law stops short of telling businesses they must implement pseudonymisation, the express reference to pseudonymisation in the security provisions of the GDPR is highly significant – indicating that, in the event of a security breach, regulators will take into consideration whether or not a business had implemented pseudonymisation technologies. Businesses that have not may therefore find themselves more exposed to regulatory action. To reinforce this point, the introductory language to the GDPR says that businesses should consider “pseudonymising personal data as soon as possible” in order to satisfy requirements of data protection by design and by default.6 Put simply, the GDPR sees pseudonymisation as an important tool for achieving compliance with its requirements. PSEUDONYMISATION TO REDUCE DATA BREACH REPORTING BURDENS Related to the above point, the GDPR introduces new mandatory data breach reporting rules. Businesses that suffer a data security incident will potentially find themselves compelled to notify their enterprise customers, their regulators and the individuals whose data have been compromised. Current data protection law contains no such requirements, outside of specific regulated sectors (e.g. such as breach reporting rules for telcos and ISPs). 4) Article 4(3)(b) GDPR 5) Ibid. 3 at page 20. 6) Recital 61 GDPR
  • 6. © 2016 Delphix Corp. All rights reserved.Page 6 | The GDPR’s Support for Pseudonymisation Any business that has experienced a data breach will know that, quite apart from the cost of re-securing the compromised data, data breaches attract very significant financial, reputational and resource costs. In the United States, which has had a long standing data breach reporting regime, the Federal Trade Commission has imposed significant penalties for data security incidents, and businesses that have suffered a breach typically find themselves vilified both in the press and in class action law suits.7 The concern for many businesses, then, is whether the introduction of data breach reporting rules in the EU may result in the same types of harm suffered by businesses across the Atlantic in the US. In terms of the specific rules it introduces, the GDPR sets an expectation that businesses must notify data protection authorities within 72 hours upon becoming aware of a breach – a very short timescale for any material data security incident – and must inform the individuals affected without “undue delay.”8 However, the GDPR says that businesses do not need to notify data protection authorities if the can “demonstrate … that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals”. On a similar note, it also says that businesses only need to inform affected individuals if the breach is likely to result in a “high risk” to their privacy – and that notification is not required if the business “has implemented appropriate technical and organisational protection measures … that render the data unintelligible to any person who is not authorised to access it”.9 In short, if a data breach presents low risk to the individuals concerned, the GDPR’s breach notification requirements become more relaxed. Pseudonymisation, whether through masking, hashing or encryption, offers a clear means to reduce the risks to individuals arising from a data breach (e.g. by reducing the likelihood of identity fraud and other forms of data misuse), and is supported by the GDPR as a security measure as already described above. In consequence of this, businesses that have effectively pseudonymised their data may therefore benefit from exemptions from notifying regulatory authorities and the individuals affected in the event they suffer a data breach. Given the ever-increasing occurrence, and cost, of data breaches,10 this is a highly significant incentive for businesses to pseudonymise their datasets. PSEUDONYMISATION TO REDUCE DATA DISCLOSURE BURDENS One of the greatest compliance challenges under the current Directive concerns the “right of access”, which allows individuals to ask a business to provide them with a copy of any personal information processed about them.11 The business has to comply with this request within a very short timescale (typically just 40 days), and in that time has to undertake extensive – and costly – efforts to search its systems to identify any personal information relating to that e-mail, remove any third party personal information from materials identified for disclosure (for example, references to third parties in e-mails), consult with legal counsel to review the material to be disclosed for compliance and risk management purposes, and then deliver up the information to the individual. Data access requests are very commonly made in the context of litigious claims, by individuals seeking to get wider access to information than they would ordinarily be entitled to under normal litigation disclosure rules. 7) See, for example, http://www.wired.com/2015/08/court-says-ftc-can-slap-companies-getting-hacked/. 8) Arts 31 and 32 GDPR 9) Arts 31(1), 32(1) and 32(3)(a) GDPR 10) See PWC’s “Global State of Information Security Survey 2015” at http://www.pwc.com/us/en/press-releases/2014/global-state-of-information-security-survey-2015.html 11) Art 12 Directive
  • 7. © 2016 Delphix Corp. All rights reserved.Page 7 | The GDPR’s Support for Pseudonymisation Individuals will continue to have a right of access to data under the GDPR. However, consistent with its approach to pseudonymisation on data breach issues, the GDPR appears to relax disclosure requirements in response to a data access request where data has been pseudonymised. It says that where the business can “demonstrate that it is not in a position to identify the data subject … Articles 15 to 18 [i.e. the right to access]12 do not apply except where the data subject, for the purpose of exercising his or her rights under these articles, provides additional information enabling his or her identification.” This means that a business may not be obligated to include data that has effectively been pseudonymised when responding to data access requests from an individual. This is a particularly important benefit for large consumer-facing businesses who may face lots of subject access requests from their customers at any given point in time.13 PSEUDONYMISATION TO HELP PROFILING ACTIVITIES A further key development in the GDPR is that the new law introduces a specific concept of “profiling”, defining it as “any form of automated processing of personal data consisting of using those data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.14 The GDPR goes on to say that businesses should not make “decisions” about an individual if those decisions are solely based on automated processing, including profiling, unless one of certain specific legal criteria are met – typically requiring the individual’s “explicit consent”.15 The rule only applies, however, if the profiling produces “legal effects” concerning the individual or “similarly significantly affects him or her”. The GDPR specifically mentions refusal of online credit applications and e-recruitment of two such examples of automated decision-making.16 One big question, though, is whether online profiling for the purposes of data analytics or targeted advertising are caught by this rule? While the GDPR does not provide absolute clarity on this point, data profiling where an individual’s direct identifying information has been removed through pseudonymisation will significantly reduce any privacy impact on the individual, particularly when keeping in mind the GDPR’s overarching support of pseudonymisation. In view of this, online data analytics or targeted advertising practices based on pseudonymised data seem very unlikely to produce “legal effects” or “significantly affect” individuals – and, as a result, are unlikely to be subject to the explicit consent requirements for automated decision-making mandated by the GDPR. 12) Strictly speaking, the right of access is set out in Article 15. Articles 16 to 18 concern other data subject rights, such as the right to rectification, the right to erasure, the right to restriction of processing and the right to data portability. Pseudonymised data may therefore reduce business obligations in respect of these rights too. 13) See, for example, this ZDNet news item “Reddit users overwhelm Facebook with data requests” at http://www.zdnet.com/article/reddit-users-overwhelm-facebook-with-data-re- quests/ 14) Art 4(3aa) GDPR 15) Arts 20(1) and 20(1a) GDPR 16) Recital 58 GDPR
  • 8. © 2016 Delphix Corp. All rights reserved.Page 8 | The GDPR’s Support for Pseudonymisation THE RISKS OF NON-COMPLIANCE WITH THE GDPR When it comes into effect, the GDPR will introduce severe penalties for businesses that are non-compliant.17 The GDPR creates a two-tier fining regime, indicating that certain breaches of the GDPR can attract fines of up to the greater of EUR10,000,000 or 2% of annual worldwide turnover (i.e. top line revenue) while other, more serious, breaches can attract total fines of up to the greater of EUR20,000,000 or 4% of annual worldwide turnover. In assessing what fines to impose, data protection authorities may take account of “the technical and organisational measures” implemented by businesses18 – and use of pseudonymisation technologies will undoubtedly be an important consideration here. Aside from the risk of fines, the GDPR also grants data protection authorities additional powers, including mandatory audit rights,19 and gives individuals the ability to bring legal claims (or have legal claims brought on their behalf by civil liberties organisations or similar) against non-compliant businesses. The GDPR can therefore be thought of as introducing both a ‘carrot’ and a ‘stick’ approach to encouraging businesses to pseudonymise their data – a ‘carrot’ by virtue of expressly recommending pseudonymisation at specific points in the GDPR and reducing certain obligations on businesses that pseudonymise their data; and a ‘stick’ by threatening significant penalties for businesses that are non-compliant. PSEUDONYMISATION AND DATA MASKING TECHNOLOGY Data masking represents the de facto standard for achieving pseudonymisation, especially in so-called non- production data environments used for software development, testing, training, and analytics. By replacing sensitive data with fictitious yet realistic data, masking solutions neutralize data risk while preserving the value of the data for non-production use. Alternative approaches such as encryption fail across key dimensions. Chief among these is its vulnerability to identity breach, insider threats, or other scenarios in which actors obtain decryption keys: anyone with the right decryption keys can walk past encryption defences and gain access to sensitive data. In contrast, data masking irreversibly transforms sensitive data to eliminate risk from insider and outsider threats alike. PSEUDONYMISATION REQUIRES A DATA FIRST APPROACH While data masking provides organizations with a tool that fits key challenges emerging from the GDPR, businesses must apply it with a “data first” approach that involves greater awareness of how data changes and moves over time, and how to better control it. Specifically, businesses will be most effective in achieving pseudonymisation through masking if they address the following questions: WHERE IS YOUR DATA? Enterprises create many copies of their production environment for software development, testing, backup, and reporting. These environments can account for up to 90% of all data stored and are often spread out across 17) Art 79 GDPR 18) Art 79(2a)(e) GDPR 19) Art 53 GDPR
  • 9. © 2016 Delphix Corp. All rights reserved.Page 9 | The GDPR’s Support for Pseudonymisation multiple repositories and sites. Businesses that understand where their data resides—including sensitive data located in sprawling non-production environments—will be better equipped to allocate protective measures. HOW DO YOU GOVERN YOUR DATA? Very few organisations have a Chief Data Officer or Head of Data Protection. Even those that do may not have adequate control over how data is moved and manipulated because individual business units—each with their own administrators, IT architects, and developers—often define data-related processes at the project level, with little or no corporate policy enforced or even available. Businesses addressing the GDPR must take steps to regain data governance and introduce tools that drive greater visibility and standardization into processes such as data masking. HOW DO YOU DELIVER DATA? Many existing approaches to delivering data are highly manual and resource-intensive, involving slow coordination across multiple teams. Adding pseudonymisation to already cumbersome data delivery processes only adds to this burden and enterprises often end up abandoning efforts to make technologies like data masking work. To effectively implement a technology like data masking, businesses need to not only streamline data delivery, but also ensure that masking is a repeatable and integrated part of the delivery process. THE GDPR: A FORCE FOR POSITIVE CHANGE For many organizations, the GDPR clearly creates an imperative to evaluate and update how they store, manage, and secure data. And critically, the new regulation will also usher in a wave of IT innovation with the potential to not only ensure compliance and reduce the risk of data breach, but also to accelerate critical business initiatives. DATA MASKING USING VIRTUAL DATA For example, innovations that combine virtual data and data masking simplify the process of not only masking data, but also delivering masked data. Such solutions create and deliver lightweight virtual data copies in a fraction of the time and storage space consumed by regular physical copies. Virtual copies are stored, managed, and delivered from a single point of control to maximize data governance. Moreover, data masking can be designed into the data delivery process such that virtual copies are automatically masked. The overall effect is that masked data is created and delivered much faster, facilitating the GDPR compliance and accelerating processes that depend on secure data. Chief among these processes are software development, testing, and analytics projects that—now more than ever—determine how businesses compete and succeed, no matter the industry. Data masking technologies have been around a long time. So why do so many companies fail or simply choose not to use them? The reason is that traditionally they’ve been highly manual, complex pieces of work. Dedicated individuals or teams carry them out and each application must be worked on independently, forcing organisations to prioritise which datasets to mask and which to leave unprotected. In the most recent Bloor Data Masking report, it gives the example of Oracle’s data masking, which “requires the use of the Oracle database (as well as a lot of IT skills)”. The problem with data masking isn’t the masking rules, but the delivery of the masked data. In fact the Bloor report goes on to discuss how some of the standalone methods have become commoditised,
  • 10. © 2016 Delphix Corp. All rights reserved.Page 10 | The GDPR’s Support for Pseudonymisation “..many of the solutions on offer will be selected as much for the complementary capabilities that are offered as for the product’s pure masking capabilities”. Gartner’s December 2015 report, Magic Quadrant for Data Masking Technology, Worldwide provides an example of how data masking paired with Delphix Data Virtualization brings added benefit: “Combining [data masking] with data virtualization saves time and storage; data is masked only once in the virtualized (shared) data and in any changed data, while retaining storage space savings. Data virtualization technology can also save time by keeping copies of the masked data and serving them by request.” So what is Delphix and how does it take a Data First approach to transform a process that’s traditionally slow, siloed, painful, and expensive into something automated, centralised, fast, and efficient? A recent survey Delphix sponsored showed that 90% of non-production data in the enterprise is not masked. The reason is that copying the data from production to non-production can take weeks, even months. Masking that data can add further weeks, and then the data has to be refreshed numerous times in projects, which starts the process all over again. Delphix collects production data and then remains in sync with production forever, creating a near-live copy of the production data. Using this copy, Delphix creates complete and current ‘virtual’ copies of the data via self-service in minutes. You retain full control over all your production data. And because you’re working with only a single real copy as opposed to hundreds, you’ve dramatically reduced the surface layer of attack. You also now have full knowledge of where any virtual copies reside and who can access them, giving that much needed control and governance. Dev/Test & QA NON-PROD NETWORKPRODUCTION NETWORK OFFSITE PUBLIC/HYBRID CLOUD DATA WAREHOUSE DATA RISK INCREASING UAT Operational Data Store AS DATA MOVES INTO NON-PRODUCTION OR LESS SECURE NETWORKS—ESPECIALLY OFF SITE TO THIRD PARTIES OR INTO PUBLIC AND HYBRID CLOUDS—THE DATA CHANGES CONSTANTLY AND THE SURFACE AREA OF RISK INCREASES.
  • 11. © 2016 Delphix Corp. All rights reserved.Page 11 | The GDPR’s Support for Pseudonymisation At the same time, a data masking policy can be set up beforehand, so whenever virtual copies are requested, the data is masked instantly. Data masking simply becomes part of the automated data delivery process. This allows data protection to be embedded within the entire life cycle of the technology, from the very early design stage, right through to its ultimate deployment, use and final disposal. PRODUCTION NETWORK SYNCS DIRECTLY VIRTUALIZE UNMASKED DATA MASKED DATA TO DELPHIX Masked Once OR •• Delphix links directly to production •• Data provisioned from Delphix can be masked or left clear •• Different data are deployed per use case/user role
  • 12. © 2016 Delphix Corp. All rights reserved.Page 12 | The GDPR’s Support for Pseudonymisation SUMMARY The EU GDPR strongly incentivises the pseudonymisation of all personal data. To address this, businesses need greater visibility and control over their data,, coupled with tools that not only mask data, but also streamline and automate that process. Such an approach can help businesses: • Take steps to protect personal data, in accordance with the GDPR requirements. • Avoid the need to report data breach incidents. • Provide tools that enable their legal teams to identify, audit, and report on data. • Reduce or eliminate the requirement to obtain consent for data profiling. • Accelerate IT and business processes that depend on access to secure data. ABOUT DELPHIX Data is the fuel for application projects, and Delphix transforms the way that organizations manage data for their application projects. Delphix Masking seamlessly integrates virtual data with data masking to help customers: • Mask sensitive data faster than ever before. • Deliver secure data in minutes instead of days or weeks. • Ensure compliance with regulations including the GDPR. For more information on how Delphix can help you meet the GDPR requirements, visit delphix.com/solutions/data-masking
  • 13. Page 13 | The GDPR’s Support for Pseudonymisation GDPR Requirements for Data Masking: What IT Needs to Know and Do March 2016 For more information, visit www.delphix.com The Delphix Website also provides the latest product updates. If you have comments about this documentation, submit your feedback to: help@delphix.com Delphix Corp. 275 Middlefield Road, Suite 210 Menlo Park, CA 94025 © 2016 Delphix Corp. All rights reserved. The Delphix logo and design are registered trademarks of Delphix Corp. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.