The Encryption Burden of GDPR and the New York DFS
The persistently growing threat of cyber attack has begun to spur government agencies to enact security guidelines. These guidelines will have a mounting effecting on private industry.
The most pertinent additions to these official protocols are the European Union’s General Data Protection Regulations (GDPR) and the New York Department of Financial Services (NYDFS) Cybersecurity Regulation. The rules codified by these documents affect IT practices in areas from data loss prevention, to compliance assurance, to data classification.
Both of these sets of protocols will come into effect in the coming period. The first articles of the new DFS regulations have been applicable since March 2017 with encryption requirements coming into effect by next January. GDPR will become European law in May 2018.
And the new rules?
While the technicalities of these two documents differ, both broadly address similar issues.
The guidelines set forth rules on often neglected information security points. Both require access privileges to data to be to be limited, and based on actual need. GDPR and DFS both lay down notification rules, requiring a company to report data breaches within 72 hours of the organization becoming aware of the incident.
Compliance is also big topic.
Both GDPR and DFS require regular submissions of compliance statements to the relevant authorities. This means that security officers of private organizations will be compelled to go over many aspects of company IT with a fine tooth comb to insure that the new rules are being implemented. For this reason these regulations have become a major concern for IT security officers, according to their own testimony.
But the real kicker:
The new regulations, both in their own way, require large scale encryption methods for company data. GDPR for instance requires sensitive identification and personal details to be put through anonymisation and pseudonymisation. The DFS regulations go a step further requiring encryption for potentially compromising data both in transit and at rest.
Even GDPR is structured to strongly encourage broad encryption. Penalties and fines placed on a company for negligence resulting in a cyber-attack are based on the investment the organization places in security measures. And a solid encryption plan can get a company off the hook.
This will be the single biggest challenge to compliance with the new guidelines.
Broad or “blanket” encryption is a large scale effort for any organization and its effects can severely hinder company operations by affecting team collaboration, interfacing security protocols with existing systems, as well as requiring additional operations training.
The smart solution to encryption:
Data encryption may indeed be the most important factor in complying with both GDPR and DFS. However, this move does not have to result in hobbling company operations and overburdening IT with encryption tasks and maintenance.
Content aware discovery, which uses proprietary machine learning and artificial intelligence tools to hone in on sensitive data, increases accuracy and, most importantly, efficiency in data encryption is the smart solution.