Delphix exposes challenges posed by GDPR and the “economic need” for enhanced data protection

Delphix, the data virtualisation-centric company, has issued a strong warning for organisations to re-architect operations and adopt a secure, data-first approach ahead of the introduction of the European General Data Protection Regulation (GDPR).

The approval of the GDPR means businesses that store or process European data will be forced to build data protection into system design and infrastructure, or otherwise risk fines of up to 4% of global turnover. In particular, organisations need to closely examine the security of non-production data that’s used to develop and test systems. Independent research has highlighted that up to 90% of non-production data currently sits unmasked within organisations, in turn posing a significant security and compliance risk.

“The GDPR introduces a punitive structure, similar to the measures introduced to prevent price fixing in competition laws, that puts the risk of non-compliance into sharp focus,” commented Iain Chidgey, vice-president of international sales at Delphix.

“In the last few years, we’ve seen blue chip companies pay hundreds of millions in fines for price-fixing scandals, and it’s even forced non-compliant firms into administration. The GDPR risks having the same effect, so companies must have a complete view of their data, treating non-production data with the same security profile as live data.”

The GDPR requires enhanced data security measures to ensure compliance, in particular referencing the use of ‘pseudonymisation’. This is the process of masking confidential data in such a way that it can no longer be attributed to an individual, in turn protecting the data should it ever fall into the wrong hands.

Incentivisation for data masking

The GDPR also incentivises data masking at several different points as follows…

*In the event of a data breach: If the compromised data presents a low risk to the individuals involved (for example, as a result of data masking), then data breach notifications to regulators and affected individuals may not be required. If not, organisations need to notify within 72 hours (a very tight timescale in the event of a serious breach)

*In the event of data disclosure requests: If organisations can demonstrate that individuals cannot be identified from masked data they hold without additional information then they may be exempted from requirements to supply data in response to a data access request (or to erase data on request)

*In support of data profiling: If businesses use ‘pseudonymised’ data, this will significantly reduce any privacy impact on the individual. This means that explicit consent requirements under the GDPR for automated decision-making and profiling are unlikely to apply

“The volume of data copies that are sprawled across non-production environments will require technology that can efficiently protect all data, not only those bits of information that are the most sensitive,” continued Chidgey. “To meet future requirements for data protection, the first step will be understanding where all the data sits in IT environments. The second step will be embracing a new wave of IT innovation to support compliance and reduce the risk of a data breach, but without slowing down projects. Combining data masking with data virtualisation is one way in which organisations can scale up to the security levels that the GDPR requires, ensure compliance and distribute data quickly in order to accelerate critical business initiatives.”

‘Carrot and stick’ approach

Phil Lee (a partner in the privacy, security and information team at international law firm Fieldfisher) said: “The GDPR introduces a ‘carrot and stick’ approach towards promoting data masking. At several points throughout the text, it encourages businesses to adopt ‘pseudonymisation’ technologies, either as part of good information management or by reducing regulatory burdens in the event of unforeseen events such as security incidents. Contrasted against that, companies that are not in compliance with the GDPR face regulators waving a very big stick in the form of potential fines of up to 4% of annual worldwide turnover. That’s a big incentive to do things right.”

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.

Related Posts