The Simple Guide to GDPR Data Protection: Considerations for and File Sharing

Similar documents
Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

GDPR: A QUICK OVERVIEW

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

General Data Protection Regulation (GDPR) Key Facts & FAQ s

General Data Protection Regulation (GDPR)

I GOT ROBBED! HOW NYS AND THE US SHOULD PROTECT YOUR DATA ONLINE

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

EU General Data Protection Regulation (GDPR) Achieving compliance

DATA PROTECTION BY DESIGN

Cybersecurity Considerations for GDPR


Getting ready for GDPR

Accelerate GDPR compliance with the Microsoft Cloud

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

DATA PROCESSING TERMS

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

WHITE PAPER. Meeting GDPR Challenges with Delphix. KuppingerCole Report

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

DISCLOSURE ON THE PROCESSING OF PERSONAL DATA LAST REVISION DATE: 25 MAY 2018

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

Technical Requirements of the GDPR

Privacy Policy of

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

Regulating Cyber: the UK s plans for the NIS Directive

Privacy Notice - General Data Protection Regulation ( GDPR )

A Practical Look into GDPR for IT

NOTICE OF PERSONAL DATA PROCESSING

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

General Data Protection Regulation (GDPR) and the Implications for IT Service Management

General Data Protection Regulation (GDPR)

Google Cloud & the General Data Protection Regulation (GDPR)

GDPR RECRUITMENT POLICY

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

the processing of personal data relating to him or her.

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

PRIVACY POLICY OF THE WEB SITE

Implementing the new GDPR: what does it mean for Universities?

Data Leak Protection legal framework and managing the challenges of a security breach

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

Data Protection Policy

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

Data Breach Notification: what EU law means for your information security strategy

Data Processing Clauses

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

The types of personal information we collect and hold

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Privacy Notice. General Information Protection Regulation ( GDPR )

All you need to know and do to comply with the EU General Data Protection Regulation

The GDPR Are you ready?

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

PRIVACY AND ONLINE DATA: CAN WE HAVE BOTH?

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

1 About GfK and the Survey What are personal data? Use of personal data How we share personal data... 3

General Data Protection Regulation for ecommerce. Reach Digital - 18 december 2017

How the GDPR will impact your software delivery processes

SCHOOL SUPPLIERS. What schools should be asking!

Data Processing Agreement DPA

Privacy Notice. Lonsdale & Marsh Privacy Notice Version July

Investigating Insider Threats

PS Mailing Services Ltd Data Protection Policy May 2018

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Arkadin Data protection & privacy white paper. Version May 2018

L attuale scenario in cyber security all indomani dell adozione di nuovi quadri normativi europei

EY s data privacy service offering

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

General Data Protection Regulation (GDPR) NEW RULES

How icims Supports. Your Readiness for the European Union General Data Protection Regulation

GDPR How to Comply in an HPE NonStop Environment. Steve Tcherchian GTUG Mai 2018

GDPR: A technical perspective from Arkivum

GDPR Compliance. Clauses

Data Processing Agreement

Online Ad-hoc Privacy Notice

GDPR Workflow White Paper

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

If you have any questions about this notice, please contact the Head Master.

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

GDPR - Are you ready?

Magento GDPR Frequently Asked Questions

Vistra International Expansion Limited PRIVACY NOTICE

Islam21c.com Data Protection and Privacy Policy

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

What is GDPR? Editorial: The Guardian: August 7th, EU Charter of Fundamental Rights, 2000

PRIVACY POLICY PRIVACY POLICY

1. Right of access. Last Approval Date: May 2018

SURGICAL REVIEW CORPORATION Privacy Policy

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Data Protection Policy

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Transcription:

The Simple Guide to GDPR Data Protection: Considerations for Email and File Sharing

The European Union s General Data Protection Regulation (GDPR) Uncovering Key Requirements and Methods for Compliance TIM EDGAR, Senior fellow at Brown University s Watson Institute for International and Public Affairs What is GDPR? The European Union s General Data Protection Regulation (GDPR), is the basic framework for protection of personal information of EU citizens. The GDPR lays out detailed requirements governing the collection, use, sharing and protection of personal information. GDPR replaces the EU s existing data protection rules, which were already among the strictest in the world. Previous EU data protection rules were provided in a directive, which means that EU member states were required to pass legislation to make those rules binding. GDPR is a regulation, which means it is directly effective and applies uniformly throughout the EU and in three other nations that are part of the European Economic Area: Norway, Liechtenstein and Iceland. GDPR was adopted in April 2016 and will enter into force on May 25, 2018. While GDPR covers a broad range of data protection and privacy concerns, this paper is specifically concerned with encryption and access control provisions of the regulation. Who is affected by GDPR? GDPR affects all companies or entities who offer goods and services in the EU (whether or not for payment), who monitor behavior in the EU, or who offer goods and services or monitor behavior in Norway, Liechtenstein and Iceland. Note that GDPR will affect many more organizations than existing EU data protection rules. Previously, EU data protection rules depended on whether an entity had an establishment in the EU. GDPR applies worldwide.

GDPR applies to both data controllers and data processors. A data controller is the entity (such as a business) that determines the purposes, conditions and means of processing personal data, while a data processor is the entity that actually processes the personal data (such as a cloud provider or other third party service). The same organization may be both a controller and a processor. If I do not do business in Europe or handle the personal data of EU citizens, should my organization care about GDPR? Yes. The European Union s data protection rules are influential worldwide. The EU makes it easier to transfer personal data outside EU countries if it determines that those nations provide privacy protections that are essentially equivalent to those provided by the EU. As a result, many other countries have adopted similar rules to protect the personal information of their nationals: The UK government announced in June 2016 that it will adopt legislation that implements GDPR even after the UK leaves the EU. More than 100 countries have adopted data protection legislation that is modeled in whole or in part on EU data protection rules. Many of them are likely to update their legislation in light of the EU s adoption of GDPR. What does GDPR consider to be personal data? Some examples include: Name Photo E-mail address IP address Banking or other personal information Medical information Social networking posts Any other data that can used to identify a person What happens if I ignore GDPR? For the most serious violations, organizations can be fined up to a maximum of 20 million or 4% of annual worldwide turnover, whichever is greater. (This is much greater than previous penalties for violating EU data protection rules.)

What are the Technical Requirements? How Does Virtru Help? Virtru s encryption and access management solutions facilitate GDPR compliance in four ways: Strong, easy-to-use client side encryption for emails and files. Complete control of customer encryption keys. Powerful access control tools that allow organizations to maintain control of their data, regardless of where the emails and files are created, stored, or shared. Audit tools that facilitate insight and reporting on when and where email and files have been accessed or shared. Encryption GDPR includes strict security requirements, including encryption, as part of an overall risk-based approach to cybersecurity. Organizations must assess the risk of data loss and data breach, and must consider technical measures to mitigate those risks, including pseudonymization and encryption. Any breaches that do occur must be reported to regulators within 72 hours, and data subjects must be notified without undue delay unless the organization can demonstrate that the data were encrypted. GDPR includes an explicit duty to consider encrypting personal data as part of an overall obligation to use state of the art security measures. As a result, for many organizations and uses, encryption is effectively mandatory. Because encryption is a common security measure and cybersecurity risks are increasing, it is likely that regulators and courts will find that in many if not most situations a decision to forgo encryption is a violation of GDPR. In a report published in 2014 on privacy and data protection by design, the European Union Agency for Information and Network Security (ENISA) examined both client-side and end-to-end encryption. Client-side encryption is generally used by cloud service providers to protect data in transit to and from the cloud provider. End-to-end encryption means that data is stored in the cloud in encrypted form, without the ability of the cloud provider to access it. Significantly, the ENISA report states that services such as electronic mail that mediate communications between end users should prefer to encrypt the communications between users in an end-to-end fashion, meaning the encryption is added at one user end-point and is only stripped at the other end-user end-point, making the content of communications unintelligible to any third parties including the service providers. This is precisely what Virtru provides. E-mails and files are encrypted on the client to protect data before it leaves your device. Although many cloud services (such as Gmail) provide encrypted

channels for communication between customers and the cloud service provider, the content is still available to the service provider. This makes personal data more vulnerable to compromise, both from data breaches and from government surveillance under laws like the Foreign Intelligence Surveillance Act. However, if a customer uses Virtru, the data stored by the service provider is encrypted end-to-end. This meets the security standard that the ENISA report recommends as the state of the art for e-mail. Key Management GDPR mandates a risk-based approach to cybersecurity. It requires that organizations use state of the art technical measures, including encryption, when necessary. This approach implicitly requires organizations to consider the issue of key management as part of their overall policies for the protection of personal data. Here, the ENISA report is also instructive. It states: While the service providers may wish to assist users in authenticating themselves to each other for the purpose of establishing such an end-to-end encrypted channel, it is preferable, from a privacy perspective, that the keys used to subsequently protect the confidentiality and integrity of data never be available to the service providers, but derived on the end-user devices. Virtru s encryption service always ensures that your cloud service provider (such as Gmail) never has access to the encryption keys used to protect your content. Through its Customer Key Server (CKS) offering, Virtru also provides the ability for customers to host their own encryption keys. Keys may be geo-located and hosted either on premise, in a private cloud, or in the public cloud of the customer s choosing. The CKS provides the enterprise with exclusive control of their encryption keys; no cloud provider or other third party has access to unencrypted key material. Access Control GDPR includes many requirements for the handling of personal data that go beyond state of the art security, including encryption. GDPR emphasizes data governance and accountability. It requires organizations to take control of the personal data that they manage. Organizations must show they have adopted policies and procedures to ensure control of personal data. They must use systems that provide privacy by design, that is, data protection by default, not as an afterthought. They must have systems that are capable providing data subjects with their rights under GDPR rights such as expiration and erasure. Virtru provides a host of access control features that enable organizations to meet these requirements. E-mails and files are protected from the time they are created throughout their lifetime no matter where they are shared. Users and administrators decide who can access content, and for how long. Access can be revoked at any time even after e-mails and files have been shared or opened. Virtru also enables automatic expiration after a specific period of time, enabling organizations to enforce retention limits for personal data. Email and file forwarding can be audited, limited, or prevented altogether.

Audit GDPR emphasizes data accountability and audit. Organizations must keep records to show they are complying with GDPR requirements, and make those records available to regulators. Organizations that process personal data on a large scale, or that process particularly sensitive data, must appoint a high-level data protection officer to enforce privacy and data protection policies. Virtru s features will help organizations show they are taking compliance seriously. Administrators can audit access to protected content in real time. They can see when e-mails and files have been forwarded or shared, and who has access to them. Virtru has patented search technology to allow administrators to search archived encrypted content to meet regulatory e-discovery and other legal requirements. Finally, Virtru has data loss prevention (DLP) tools that allow administrators to set rules to automatically protect sensitive content, including personal information, by warning users, adding encryption, notifying administrators, and more. GDPR requirements and Virtru: Quick summary Virtru s data protection software provides capabilities that can help your organization meet these e-mail and file sharing requirements: Topic GDPR Requirements Relevant Virtru Features Risk-based e-mail and cloud encryption Controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk including encryption of personal data along with other security measures. Art. 32. See also preamble, 83, p. 51. Virtru offers e-mail and cloud encryption, using strong AES-256 bit encryption, in an end-to-end fashion.

Topic GDPR Requirements Relevant Virtru Features State of the art security Technical measures, including encryption, must take account of the state of the art, costs, and severity of the risk. Art. 32. According to the European Union Agency for Information and Network Security (ENISA), the state of the art for e-mail encryption requires end-to-end security. Virtru s client-side, end-to-end encryption is the state of the art for e-mail encryption. Key management GDPR does not include specific rules for key management, but it does require that technical security measures to account of the state of the art. ENISA has recognized that users may want to take advantage of encryption service providers while recognizing that it is preferable, from a privacy perspective that service providers do not have access to keys. Virtru allows customers to manage their keys through its customer key server (CKS), or customers may choose to use Virtru s secure key server or another cloud provider. Re-use of personal data for other purposes If a controller wants to take advantage of exceptions that permit the use of personal data for purposes other than those for which it was collected, the controller must take into account the existence of appropriate safeguards, which may include encryption or pseudonymisation. Art. 6(4). Virtru s object-based security allows administrators to set rules for sharing information, control forwarding, and revoke access.

Topic GDPR Requirements Relevant Virtru Features Breach notification exception Generally, controllers must report data breaches to authorities within 72 hours, and to data subjects without undue delay. However, organizations do not have to report breaches to data subjects if the data were made unintelligible to any person who is not authorized to access it through measures such as encryption. Art. 34(3). Virtru s strong AES 256-bit encryption is military grade. Unless both the encrypted content and the keys are compromised, the information remains unintelligible to unauthorized persons. Privacy by design and by default Controllers must consider privacy and data protection in the design of their systems, and this includes technical measures to ensure by default that only necessary personal data are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. Art. 25(2) Virtru allows administrators to set rules for data sharing, limit or prevent forwarding of e-mails or files, set expiration dates for data, and includes data loss prevention features to warn users, add encryption, notifying administrators, and more. Access control Controllers shall ensure that by default personal data are not made accessible without the individual s intervention to an indefinite number of natural persons. Art. 25(2). In other words, controllers must show that they can control to whom personal data is provided. Users and administrators decide who can access content, and for how long. Access can be revoked at any time even after e-mails and files have been shared or opened.

Topic GDPR Requirements Relevant Virtru Features Technological neutrality The regulation requires that the protection of natural persons should be technologically neutral. Preamble 14, p. 9 In other words, the requirement to protect personal data should not depend on the technology the organization is using (e.g., storing data on site versus in the cloud. ) E-mails and files are protected from the time they are created throughout their lifetime no matter where they are shared. Virtru does not depend on which device or platform is used. Audit and compliance Personal data may be processed only on certain lawful grounds (contract, vital interests, public interest, among others) or with valid consent of the subject. Consent must be given in clear and plain language. Lengthy, legalistic terms of service agreements will not work. Organizations are required to keep records that demonstrate compliance with these and other rules. Administrators can audit access to protected content in real time. They can see when e-mails and files have been forwarded or shared, and who has access to them. E-mails and files can be classified based on their contents to support data protection actions. Withdrawal of consent The regulations specifies that it must be as easy to withdraw consent as it is to give consent, and that the organization must be able to make effective a data subject s decision to withdraw consent. Virtru permits an administrator to search protected files by keyword (such as name or identification number), and allows revocation of access at any time, even where data has been opened or forwarded. Erasure Data subjects have the right to have data deleted when it is no longer relevant (commonly known as the right to be forgotten ). Rules can be set that revoke access to data after a specific period of time.

Topic GDPR Requirements Relevant Virtru Features Retention and expiration Organizations must specify policies providing for limits on retention of personal data, and ensure that such data will be erased or rendered unusable after a certain time (expiry). Rules can be set that revoke access to data after a specific period of time. About the Author Timothy H. Edgar is a former national security and intelligence official, cybersecurity expert, privacy lawyer and civil liberties activist. Edgar joined the American Civil Liberties Union shortly before the terrorist attacks of September 11, 2001, and spent five years fighting in Congress against abuses in the war on terror. He left the ACLU to try to make a difference by going inside America s growing surveillance state a story he tells in Beyond Snowden: Privacy, Mass Surveillance and the Struggle to Reform the NSA. In 2006, Edgar became the intelligence community s first deputy for civil liberties, advising the director of national intelligence during the George W. Bush administration. In 2009, after President Barack Obama announced the creation of a new National Security Council position specifically dedicated to safeguarding the privacy and civil liberties of the American people, Edgar moved to the White House, where he advised Obama on privacy issues in cybersecurity policy. In 2013, Edgar left government for Brown University to help launch its professional cybersecurity degree program and he is now a senior fellow at Brown s Watson Institute for International and Public Affairs. Edgar also works to help companies navigate cybersecurity problems, and is on the advisory board of Virtru, which offers simple encryption software for businesses and individuals. Edgar has been profiled by CNN s Christiane Amanpour and his work has appeared in the Wall Street Journal, the Los Angeles Times, the Guardian, Foreign Affairs, and Wired, and he is a contributing editor to Lawfare: Hard National Security Choices. Edgar was a law clerk to Judge Sandra Lynch, United States Court of Appeals for the First Circuit, and is a graduate of Harvard Law School and Dartmouth College. www.virtru.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback