Data Loss Protection (DLP) capabilities will be required to aid in the prevention of inadvertent data breaches, by blocking outgoing email, other messages and file movements that contain personal data that has not been protected by appropriate safeguards, e.g., data encryption. In some situations encryption can be automatically applied to personal data when it is classified or identified in an email message or document attachment, while in other situations it would make more sense to quarantine the message to enable an organizational response.
Encryption is one of the few specific technologies called out in the text of the GDPR, and its presence there essentially mandates its use by organizations. Encryption of data in systems and applications reduces the potential impacts of a data breach because the data is rendered useless – meaning that data subjects cannot be identified – without the encryption key. For complete protection in all use cases, encryption should protect data at rest and while being used in applications to ensure that if a breach occurs on any system, the information remains confidential and does not trigger the GDPR penalties. Some vendors offer the ability to encrypt personal data within an existing database format, thereby greatly enhancing the level of data protection while not requiring a re-development of current systems and applications.
This style of encryption of data enables encryption of data while at rest, in-use or in motion, because the existing database and applications can continue to function normally without relying on the use of data in the clear. With appropriate organizational safeguards, this can then enable secure data analytics on data in production environments. A related and important consideration is tokenization because of the additional protection it can afford by offering additional data residency assurance.
Another important use of encryption technology is the encryption of communications inside and outside the organization, such as via emails. Email remains the main form of collaboration in enterprises, with the average user receiving over 100 emails per day and sending 30. These emails and attachments could represent one of the most vulnerable points in the journey of data inside and outside a company’s network. Either by the automated trigger of a DLP and/or by user initiation (classifying or adding classified attachments), sensitive emails must be protected with email encryption. Email encryption needs to be capable of protecting both internal and external sensitive messages and all attachments. Some email encryption solutions Can also be used to encrypt all data flowing into a cloud-office application provider, including files used in collaboration. The separation of duties between encryption and storage providers gives end-users peace of mind in the cloud.
The GDPR requires notification to a supervisory authority within 72 hours of detecting a data breach, as well as notification to individual data subjects if there is a high likelihood that the data breach will have adverse effects for them (for example, because personal or sensitive personal data was breached). By implication, therefore, organizations need the ability to proactively sense that data has been breached, audit the extent of the breach, and create an appropriate organizational response. DLP, as noted above, is an example of a specific technology to aid in this area, along with other relevant technologies, including communications analytics, penetration testing software and services, threat protection, anti-malware, and monitoring of how privileged user accounts are accessing personal and sensitive data sources.