Introduction and keeping data in the EU
If you’re in the business of data, it’s time to start planning. The General Data Protection Regulation (GDPR) comes into effect in exactly two years, but it could take businesses that long to prepare to meet the compliance requirements of the new law. And if you don’t? The fines are heavy – up to 4% of global turnover for the previous year.
"Two years sounds like a long time, but businesses big and small need to get their house in order before it’s too late," says Mark Lomas, a senior consultant at Capgemini, who stresses that it’s not just EU-based organisations that need to watch out. "Any business that gathers personal information regarding EU residents will be subject to the compliance rules, regardless of whether that business is in the EU or not."
But exactly how can businesses ensure that personal data is anonymised, and therefore not usable by anyone other than the intended owner?
Significant IT investment
What’s certain is that achieving compliance with the GDPR is going to be expensive. "According to a survey my company conducted amongst 300 European IT professionals, nearly 70% said they’d need to invest in new technologies or services to help prepare the business for the impact of the GDPR," says Michael Hack, SVP of EMEA operations at Ipswitch. "Those technologies were encryption tools (62%), analytics and reporting (61%), perimeter security (53%) and file sharing solutions (42%)."
Keeping data in the EU
One consequence of the GDPR could be a surge in the popularity of cloud server hosting in Europe. "Companies are increasingly looking at technical solutions such as ensuring that data is not transferred to the US, but instead kept on servers in the EU, or anonymising personal data prior to any transfer," says Kolvin Stone, global co-chair, cybersecurity and data privacy at law firm Orrick. However, cloud hosting providers in the US may not be aware of the upcoming change in European law governing stored data, so check before uploading.
Anonymising personal data
Anonymising data is key – once that’s done, the restrictions essentially evaporate. "Technology already exists to anonymise personal data, and legal permissions and exceptions exist under EU and UK law allowing for anonymised data to be used with only limited restrictions," says David Hall, Senior Associate, Mills & Reeve. However, while permanently anonymised data then falls out of the scope of the GDPR, there is one major drawback.
"This kind of data has limited value, and is likely to be useless for many purposes," says Nicky Stewart, Commercial Director at Skyscape Cloud Services. "If it is possible to de-anonymise the data, it is likely to come back into the scope of the law," she says, adding that this complex area will only be made more so by the GDPR. "The scope of what comprises personal data becomes very much wider than today," she adds. That brings to the fore another technique: pseudo-anonymisation.
If the GDPR prevents organisations sharing complete data ‘appropriately’, don’t worry; there’s a tech for that, too. "There are technologies that will pseudo-anonymise information in a reversible manner, such as when the information leaves the organisation, names and other identifying pieces of information are translated to something meaningless," says Guy Bunker, a Senior Vice President at cybersecurity specialist Clearswift.
He explains that ‘Mr Smith’ can be replaced by ‘Person A’, which is then processed by third parties and, when returned, can be re-translated to the original personal data. "This works in some cases, however, when the third-party data processor needs access to the actual information, it obviously won’t work," he says.
A cloud access security broker (CASB) can be used to enforce security policies each time the cloud-based data is accessed, from authentication and credential mapping to device profiling and the next tech we’ll discuss – encryption.
- How to handle the new US-EU data regulations
Advanced encryption and complete anonymisation
Encryption has very much been in the news lately, from Apple’s fracas with the FBI through BYOE to encrypted WhatsApp messages. "One solution is advanced data-centric encryption," says Bill Stroud, principal engineer at Covata. "This encodes each piece of data on the sender’s device and can only be decrypted when the authorised recipient can pass the relevant identity and policy requirements – ensuring data remains unreadable to would-be snoopers."
Put simply, if you want to truly make data safe, encrypt it. However, timing is everything; data should be encrypted before transferring, storing and processing. Nothing should be saved to the cloud without first being encrypted, which protects against any loss of data, too.
Is complete anonymisation actually possible?
Some argue that in the era of geo-location and logged browsing habits, anonymising personal data is becoming almost impossible. "Technology can already build a profile of individuals from their internet browsing habits on an anonymised basis," says Hall. "One of the difficulties is that the profiles become so rich and informative, and so specific on matters such as geographical location, that they can easily edge into constituting personal data rather than anonymous data."
James Henry, UK Southern Region Manager at Auriga Consulting, agrees. "Absolute anonymisation and privacy is far from achievable right now," he says. "One could argue that the exact opposite is far more feasible, since researchers have managed to deploy successful de-anonymisation attacks against several technologies, including onion routing (the famous TOR) and extracting sensitive personal data from open source intelligence utilising big data, machine learning and other techniques."
Recent research at Columbia University indicates that location data makes users highly linkable across different services.
What’s the law around TOR?
This is the so-called ‘dark web’, which obscures the true identity and location of both the user and the service provider. "It could be argued that legitimate sites on TOR would have a slightly reduced regulatory burden in respect of their obligations under the GDPR because it is technically not possible to ascertain who the users are," says Ashley Winton, Partner and UK head of data protection and privacy at international law firm Paul Hastings LLP and Chairman of the UK Data Protection Forum.
Several sites use the anonymity of TOR for the trading of hacked personal data, but for them GDPR compliance is irrelevant. It’s currently ‘cat and mouse’ between government agencies wanting to unmask such TOR users, and those same people evolving their anonymity in response. If the government agencies fail, regulation of TOR is inevitable. "It may develop into a challenging dichotomy between the desire to protect persons whose data is being traded on illegitimate sites on TOR and the desire to protect the rights of legitimate users of TOR," says Winton.
Safety in (smaller) numbers
For many, the best practice on an industry-wide scale would be to minimise the amount of personal data collected. "Unfortunately, we are not currently inclined to limit the data collected, and instinctively services collect and access far more information than they really need," says Ross Woodham, Director of Legal Affairs and Privacy, Cogeco Peer 1. As long as companies blindly build data siloes of personal data they don’t use, the role of encryption and anonymisation technology will only increase.
- What SMBs need to know about the new EU cybersecurity regulations