Protect Your Assets

You Missed the GDPR on-ramp — now what?


Micro Focus Contributor RONL_MCRO

If you’re driving down the street and you miss the highway entrance, the experts say that you are not supposed to back up and try again. But what happens if you missed the GDPR deadline? You don’t get a free pass; in fact, you had better figure out where you are on the map, “re-calculate”, and then proceed to get safely and efficiently on your way.

In case you missed it, the General Data Protection Regulation, or GDPR, is a European Union (EU) law that went into effect on Friday, May 25th, 2018. Even if your organization is not located in the EU, the GDPR applies to processing personal information on subjects residing in the EU as well as on EU citizens no matter where they are. For instance, doing global business online or offering goods and services that EU residents can purchase almost by definition means you’re impacted and should be GDPR-compliant.

Although there has been a two-year preparation period for this date, if you’re not yet compliant, you’re not alone. The consulting firm Gartner estimates that more than 50 percent of companies affected by the GDPR will not be in full compliance with its requirements.

Re-calculating

You may not be too far off course, just running late… Perhaps your organization is not yet in compliance, but you have begun the process and are well aware that it is a journey involving policy, procedure and people, as well as technology. If senior management is on board, a data protection officer (DPO) has been assigned, Legal is fully engaged, and process owners have been defined, then you are certainly well underway. You may be positioned to apply technology solutions now, especially if the use of personal data in your business has already been understood and minimized.

While most organizations are accustomed to addressing national and industry privacy regulations, the GDPR is different in significant ways: it provides a common set of rules and practices that apply across the EU, and potentially the world, and that can be enforced through substantial fines.

The GDPR seeks to protect the privacy of the individual as a fundamental right. Under the GDPR, a person who feels unprotected may bring any organization under regulatory scrutiny by filing a complaint, including a request (more like an order) that their personal data be erased. In this and many other ways the GDPR is forcing organizations to think differently about data protection. 

Thinking differently about data protection

With regulations there is always the temptation to look for ‘check-box’ compliance. But with the GDPR, the risks – and the rewards – are potentially higher than with other regulations. The potential penalties built into the GDPR mean it is necessary to assume and prepare for a data breach. Effective risk mitigation includes minimizing data and improving security with solutions such as authorization and access management, and protection techniques such as pseudonymization of personal data.

The GDPR specifically calls out the use of pseudonymization and encryption mechanisms as acceptable means for protecting data. Pseudonymization is often used as a general term that can apply to various techniques for data de-identification in which the pseudonym or surrogate data can still be used in business processes. Field-level encryption and tokenization are both examples of pseudonymization. Anonymization is a non-reversible technique that can fulfill the right to erasure of personal data, or the right to be forgotten.
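The distinction above (a reversible surrogate that business processes can still use, versus a non-reversible de-identification that satisfies erasure) is easier to see in code. The following is an added illustration, not Micro Focus or Voltage code; the `TokenVault` class, `anonymize` function and the sample e-mail address are constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example (not Voltage SecureData): a minimal token vault for
# reversible pseudonymization, beside a keyed hash for non-reversible anonymization.


class TokenVault:
    """Reversible pseudonymization: the surrogate -> original mapping is held
    separately from the business data set, under separate access control."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # keyed so surrogates cannot be guessed
        self._vault: dict[str, str] = {}      # surrogate -> original value

    def pseudonymize(self, value: str) -> str:
        # Deterministic surrogate: the same input always yields the same token,
        # so joins, lookups and analytics keep working on the pseudonymized data.
        token = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[token] = value
        return token

    def reidentify(self, token: str) -> Optional[str]:
        return self._vault.get(token)

    def erase(self, token: str) -> None:
        # Right to erasure: dropping the mapping leaves every copy of the surrogate
        # in databases, logs and backups unlinkable to the person.
        self._vault.pop(token, None)


def anonymize(value: str, salt: bytes) -> str:
    """Non-reversible de-identification: no mapping is kept anywhere, so the
    original can never be recovered, only compared for equality."""
    return hmac.new(salt, value.encode(), hashlib.sha256).hexdigest()[:16]


def erasure_demo() -> tuple:
    """Walk one record through pseudonymization, re-identification and erasure."""
    vault = TokenVault()
    email = "alice@example.com"               # constructed sample input
    token = vault.pseudonymize(email)
    before = vault.reidentify(token)          # business process may re-identify
    vault.erase(token)
    after = vault.reidentify(token)           # after erasure: nothing to link back to
    return token != email, before == email, after is None
```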

Micro Focus can help

It just so happens that Micro Focus has the security portfolio to help you address GDPR requirements. Our Identity and Access Management software can limit your users to accessing only the systems, applications, and data required to do their jobs.

Our data security portfolio protects data across hybrid IT. With the newly announced Voltage SecureData Sentry, privacy compliance can now be seamlessly enabled end-to-end for commercial or proprietary applications that are mission-critical to the business, including migration to cloud workloads. SecureData Sentry extends format-preserving encryption and tokenization to pseudonymize data to or from the cloud, and in and out of applications and databases. In addition, Format-Preserving Hash, the newest innovation in Voltage data protection methods, provides non-reversible de-identification, supporting use cases that call for data anonymization, such as Article 17, the right to erasure.

But before you can protect the data, you need to identify your “sensitive” data throughout your systems. Our Data Privacy Manager solution enables you to manage and protect sensitive structured data throughout its lifecycle. From discovery and classification throughout hybrid IT to protection and reporting, Data Privacy Manager enables management of data from a single ‘pane of glass.’ 

On the road again!

These are only a few of the solutions that will help you build an effective plan for a smooth journey to GDPR compliance. To help you get back on the road again, we wrote a free ebook, Simplifying GDPR Compliance, on the steps your organization could take to mitigate risk and derive business value as you take on the GDPR!

About the Author

RONL_MCRO

Ron LaPedis, a global enablement specialist at Micro Focus, is a prolific author, blogger, and speaker with more than 21 years of information security, business continuity, and emergency response experience. After 25 years with Hewlett Packard in various domestic and overseas positions, he worked for Citrix, NetApp, and most recently Sungard AS before joining us to focus on identity, access, and security. Ron holds several certifications including AFBCI, MBCP, CBCV, CISSP-ISSAP and ISSMP.