With GDPR on its way, the proper protection of data is paramount for any business looking to avoid the huge fines that regulators are warning will be meted out to those who don’t meet compliance standards. Compliance will be an organisation-wide project involving education on policies and best practices, as well as the actual implementation of system and security upgrades. Encryption, anonymisation and pseudonymisation are some of the most common techniques used to secure personal data, making them hot topics around the impending legislation.
What’s the difference?
Encryption
Widely regarded as the safest and most straightforward technique to secure data, encryption will transform sensitive or personal information into totally unintelligible data – making it useless to anyone trying to access it unlawfully.
On the flip side, because encrypted data cannot be searched and analysed before it’s decrypted, one of the biggest challenges for businesses is finding the balance between data security and usability.
Anonymisation
Anonymisation involves removing all identifiers in a non-remediable way, which means there’s no single ‘pseudo id’ associated with the data that can be linked back to any one person.
That can double as a limitation however, and as such, anonymisation is most useful for things such as statistical analysis.
Pseudonymisation
Often used as an alternative to encryption, pseudonymisation allows a business to remove personal identifiers from sensitive data, so that it contains only pseudo identifiers.
It’s essentially a reversible form of anonymisation, as the data can still be linked back to a person, but it’s considered a secure approach because the personal identifiers are stored elsewhere.
Pseudonymisation is mentioned no fewer than 15 times throughout the directive, and has been singled out as a good security strategy for companies working to improve their data protection armoury ahead of the May 2018 deadline.
The GDPR defines it as:
[...] the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
But what does that really mean?
Pseudonymisation is a technique for encoding personal data, replacing personal identifiers such as email address, date of birth, gender, religion and nationality with random codes.
This pseudo-front is supported by a master table that can map the codes back to the real identifiers when the original information is required for processing, or in the case of a data request from an individual.
It works in the same way a writer might work under a pseudonym, masking their identity, and with the new GDPR green card, businesses are motivated to make it their go-to protection tool.
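To make the mechanism concrete, here is an added Python example (not code from the original post or from pebble.it) that replaces identifiers in constructed sample records with random codes, keeps the master table as a separate object, re-identifies a record on request, and contrasts this with irreversible anonymisation. Field names and records are constructed for illustration.

```python
import secrets

# Fields treated as direct identifiers (constructed for this example)
IDENTIFIER_FIELDS = ("email", "date_of_birth")

# Constructed sample records; not real people
RECORDS = [
    {"email": "alice@example.com", "date_of_birth": "1984-03-02", "nationality": "UK", "plan": "gold"},
    {"email": "bob@example.com", "date_of_birth": "1990-11-17", "nationality": "IE", "plan": "basic"},
    {"email": "alice@example.com", "date_of_birth": "1984-03-02", "nationality": "UK", "plan": "gold"},
]


def pseudonymise(records, fields=IDENTIFIER_FIELDS):
    """Replace each identifier with a random code.

    Returns (pseudonymised records, master table). The master table is the
    'additional information' the GDPR says must be kept separately; without it
    the codes cannot be attributed to a person. Codes are random rather than a
    hash of the value, so nobody can recompute them from a guessed email address.
    """
    master = {}   # code -> (field, original value): store this separately
    forward = {}  # (field, value) -> code, so the same person gets the same code
    out = []
    for rec in records:
        pseudo = dict(rec)
        for field in fields:
            key = (field, rec[field])
            if key not in forward:
                code = secrets.token_hex(8)
                forward[key] = code
                master[code] = key
            pseudo[field] = forward[key]
        out.append(pseudo)
    return out, master


def reidentify(pseudo_record, master, fields=IDENTIFIER_FIELDS):
    """Resolve the codes back to real values, e.g. for a data subject request."""
    rec = dict(pseudo_record)
    for field in fields:
        rec[field] = master[rec[field]][1]
    return rec


def anonymise(records, fields=IDENTIFIER_FIELDS):
    """Drop identifiers outright: there is no master table, so nothing links back."""
    return [{k: v for k, v in r.items() if k not in fields} for r in records]
```

Because the codes are random, the pseudonymised records are only useful for linkage and analysis; re-identification requires the master table, which is the part to lock down.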
How much is enough when it comes to security?
The GDPR talks a lot about ‘appropriate security measures’ and asks that data controllers and processors ‘implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk’.
That’s a measure in itself, and it’s set against a myriad of other considerations including implementation costs and the rights and freedoms of the data subject. It’s one of hundreds of judgement calls businesses will be expected to make, and one more reason companies are leaning so heavily on professional advice when it comes to the GDPR and what it takes to meet their obligations.
Getting good advice is essential
Knowing that pseudonymisation offers a GDPR-approved solution is one thing, but putting it to work is another, and companies will be asked to consider the nature of the data they are processing in much greater detail.
For example:
A business processing large amounts of sensitive data may need to look at hardwiring encryption into the systems that touch the information, to tick the ‘appropriate security measures’ box.
A smaller company storing small amounts of data, such as IP addresses on a secure server, might sidestep the need to run an expensive encryption programme, while a company transferring masses of health data from one entity to another might need to encrypt all data, at rest and in transit.
Each situation is different, and the security solutions can be just as varied, so it’s important that the person(s) making the decisions understand where the regulation has flexibility and where belt-and-braces security applies - because getting it wrong could cost the business dearly.
A GDPR consultant can help your business make the right IT decisions around any changes you need to make. They should also be able to implement whatever tech support and advice you need without disruption to your everyday operation - helping you transition into a GDPR-compliant world in the most cost-efficient and operationally smart way.
Success comes with accountability
Accountability comes through loud and clear as a prerequisite of the GDPR, so ensuring the processes and procedures around your data security are adequately documented will go a long way to helping you meet other requirements of the legislation, such as those around consent, data security and breach notification.
Indeed, the very act of working through your procedures - assessing and documenting roles and responsibilities - can help you identify any gaps in your processes or highlight where you need additional knowledge or expertise, ahead of the deadline.
The potential for administrative fines, litigation and brand and reputational damage for non-compliance is very real. And, with the threat of fines of up to €20 million or 4% of annual worldwide turnover discussed widely, businesses are right to be concerned about which company or industry will be the first to fall foul and be made an example of.
There’s no doubt the legislation is complex, but with the right help, everything is possible. No one knows exactly what the world will look like after the May deadline, but as the saying goes, those who fail to prepare can most definitely prepare to fail.
As certified GDPR experts, pebble.it can help you meet GDPR compliance across your organisation, assessing the systems and policies you have and advising on what you need to do to avoid the risk of regulatory fines.
Discover the steps that will put you on the road towards compliance and how we can help you get there by downloading our GDPR-readiness checklist: