PKWARE discuss GDPR and the case for Smart Encryption
Tim Compston, Features Editor at Security News Desk, finds out why V. Miller Newton, President and CEO of PKWARE – a leading provider of enterprise-level smart encryption – and his colleague Matt Little, Product Development VP, are warning that organisations need to start preparing now for the implications of the European Union’s General Data Protection Regulation (GDPR) by evaluating their current policies and data protection measures. The GDPR is set to fundamentally change the way that organisations collect, store and use personal information.
PKWARE reckons that the GDPR, which becomes enforceable law in all EU countries on 25 May 2018 and replaces the Data Protection Directive (DPD), will remain a key consideration for UK businesses that operate in the EU – whatever happens post-Brexit. A key element that comes into play here is of course the GDPR’s expanded territorial scope. Whilst the DPD, according to PKWARE, applied stricter standards to companies based in the EU than to companies based elsewhere, the GDPR will, crucially, apply equally to any company that operates in the EU, wherever it is headquartered. One of the headline-grabbing aspects of the GDPR is the heavy penalties that are envisaged for non-compliance.
Given that the GDPR heralds such a step-change in data protection, PKWARE has produced a whitepaper on the subject entitled ‘Data Protection by Design – Preparing for Europe’s New Security Regulations’. Interestingly – as the whitepaper explains – the GDPR is a regulation rather than a directive like the DPD, so it has the force of law directly, without the need for separate implementing legislation in each member state. In practice this means that the whole EU will have a single data protection law, rather than the ‘patchwork of conflicting rules’ that resulted from each member state transposing the DPD in its own way.
For his part, V. Miller Newton feels that a tougher regulatory environment can make a real difference to demand for encryption solutions, citing changes in the US on the healthcare front and the GDPR in Europe to underline this:
“As soon as it becomes regulatory – and there are stiff penalties associated with that – you get a different level of attention. We saw that in the US with HIPAA [Health Insurance Portability and Accountability Act], which was initially a guideline, but then it got some meat on it – a regulatory component – with fines, and that is when healthcare companies really got serious about encryption. The same is happening in Europe with GDPR.”
Reflecting on the GDPR, Newton’s colleague, Matt Little, PKWARE’s Product Development VP, agrees on the penalty point, saying: “Companies have grown accustomed to paying fines for failing to protect sensitive customer information. There has to be a compliance regulation in place in order to ensure security, otherwise there is no driver to do it. The four percent global turnover penalty for failing to comply with the GDPR aims to provide that incentive,” concludes Little.
Another key advance with the GDPR which PKWARE’s whitepaper flags up is that, although many provisions are similar to the DPD, it includes requirements which address concerns related to mobile technology, social media and international data transfers. For Newton, the future of encryption in the contemporary world of the cloud, the Internet and mobile devices is, in his words, to ‘armour the data at its core’: “This is with persistent security that follows the data every place that it is used, shared, or stored. The days of ‘castle and moat’ security, the days of security at rest, are gone because information moves around the world all the time, as do the people who use it.”
Newton adds that the GDPR’s central concepts of ‘data protection by design’ and ‘data protection by default’ are in keeping with PKWARE’s ethos of smart encryption. Matt Little also reiterates that the GDPR has specified encryption as the highest level of protection: “Companies will need to provide regulators with documented proof that they were persistently protecting data. Assessments will be done from a ‘was the customer affected?’ perspective.”
Little concludes by pointing out that another practical implication of the GDPR is that companies will have to appoint a data protection officer: “The IAPP [International Association of Privacy Professionals] estimates there will be 30,000 new data protection officers in the next two years.”