The European General Data Protection Regulation (GDPR) is effective May25th 2018, with the goal of protecting peoples’ rights in relation to personal data processing. GDPR has a large impact on businesses Worldwide that deal with data both inside and outside the European Union (EU). Specifically, if a business is European or is dealing with personal data of EU citizens, GDPR applies [Article 3]. It defines “personal data” as data that can be used to uniquely identify an individual [Article 4].
It says that companies shall include data protection by design and by default [Article 25], and specifically recommends encryption for confidentiality and integrity in the “Security of Processing” [Article 32]. An example of data protection would be pseudonymization, which means that it cannot be attributed back to a person without additional information that is stored separately from the pseudonymized data [Article 4]. Throughout the law text, encryption and pseudonymization are used together, since encryption is similar to pseudonymization if the encryption key is stored separately.
GDPR should be taken seriously, because there can be severe financial consequences if it’s not. Specifically, penalties can be up to “4% of the worldwide annual turnover” or 20 million Euros [Article 83], whichever is greater.
Data Breach Prevention:
One of the best ways that A1FILO helps customers comply with GDPR is by preventing Data Breaches, even under the assumptions of Malicious Insiders, Human Errors, Infected Devices and Compromised Networks. Data Breaches are so common, that a section of GDPR is dedicated to Data Breaches and how to deal with them [Article 33]. GDPR says that if there is a Data Breach of personal data, the business has 72 hours to report it. Traditionally, companies have hesitated in reporting Data Breaches because of the damage done to their brand, reputation and customer trust. According to GDPR, if encrypted files are stolen, there is no need to report it [Article 34], thereby saving the reputation of the business. A1FILO protects the reputation of the business in the case of a Data Breach because it encrypts everything by default and even if cyphertext is stolen, there will be no breach of personal data, and nothing that needs to be reported. Ask us how we can provide the same protection of Confidentiality, Integrity and Non-Repudiation for individual columns or cells of SQL tables.
Non-Repudiation in Records of Processing:
GDPR requires “Records of Processing Activities” to be kept [Article 30]. A1FILO automatically keeps an immutable cryptographic audit trail of every single file (or possibly cell in a database) that was created, opened or modified in the history of an organization. At any point in time, a customer can see the Timestamp, File Name, User Name, Device Name, Transaction Type, and SHA-256 file hash for all file transactions in the history of their organization. If an organization’s policy allows files to be decrypted, and a sensitive file was decrypted, IT administrators can get all the aforementioned information from the immutable audit trail and hold the relevant parties legally responsible.
Secure by Default:
A1FILO is “Secure by Default and Less Secure by Exception”, which means that it is easiest to use it in its secure mode where files that are created are automatically encrypted by default, and it takes an extra step to use it in its less secure mode which allows the user to create unencrypted files. GDPR encourages data controllers to make sure that accidental events do not compromise confidentiality of data [Regulation 49]. A1FILO’s “Secure By Default” approach helps prevent accidental Data Breaches if a user forgets to take an extra step of protecting data, since the data is protected even if the user does not take any special action to do so. As a result of this approach, A1FILO stops data breaches even if a laptop is lost or stolen from the organization.
Right To Be Forgotten:
Another way that A1FILO can help customers comply with GDPR is by allowing customers to implement a person’s “Right To Be Forgotten” [Article 17]. Currently, it is very difficult to track live versions, copies and backups of data, whether stored online, offline, locally or remotely. Since A1FILO assumes compromised devices and networks, it assumes data has already been exfiltrated from an organization (many copies have been made), but relies on the fact that the key cannot be accessed when an attacker is outside the organization. If the customer wants to implement a person’s right to be forgotten using A1FILO, the customer would be able to delete the key from A1FILO’s key server corresponding to the file that contains the person’s data. Once the key is deleted, all of the copies of the data, regardless of where they reside, are effectively destroyed, because they can never be decrypted again. In cases where data should be automatically destroyed after a certain amount of time, A1FILO can help as well.
Keeping Control over Shared Data:
A1FILO can allow a “controller” [Article 4] to share data with a “processor” [Article 4] or other business partner without losing control of the data or letting the data be forwarded to a “third party”. This concept can apply both at an inter-organizational scope and intra-organizational scope (if crossing geopolitical boundaries inside or outside the EU). In the current State of the Industry, sharing data implies giving up control of the data, which is exactly what happened when Facebook lost control of the data it wanted to share, resulting in the data ending up in the hands of Cambridge Analytica. If personal data must be shared outside the EU, the GDPR compliance requirements still hold [Regulation 101]. Ask us how A1FILO can control WHO opens WHAT data on WHICH devices, WHEN (specific times) and WHERE (geographical location). GDPR goes further to say that “processors should make use of solutions” that preserve the person’s rights under GDPR [Regulation 114]. A1FILO is the solution to allow businesses to share data, and control and monitor which physical machines it is processed on, while still controlling and protecting the Confidentiality, Integrity and Non-Repudiation of the data.
Catch us at InfoSecurity conference in London, June 5-7 2018 as part of the Maryland delegation. Follow @A1Logic for updates.