
Europe's GDPR: Don't Get Lost in Translation

Jeff Harris
7/7/2017

In May 2018, the General Data Protection Regulation (GDPR) will come into effect. The regulation will unify data protection for all individuals within the European Union (EU) as well as EU citizens traveling abroad. Some organizations have already begun transitioning to GDPR compliance -- many since 2016 when the rules were established -- and companies across the globe effectively have another 12 months to fulfill the requirements.

Once enacted, the GDPR will impact organizations in two major ways as it relates to security and visibility. First, any EU-based company will need to ensure that its customers' personal data (at-rest or in-motion) complies with the GDPR, not to mention make sure that no data is transported outside of the EU, except by design.

This will require advance planning. For instance, if employees of an EU-based company are pointed to non-EU software-as-a-service (SaaS) services, the process will require visibility into the workings of the SaaS application and/or that the SaaS vendor be very transparent about its architecture. Even the terms and definitions are important to track and plan around. The term "personal data" is growing in scope and covers any private or professional data, including names, addresses, photos, email addresses, bank details, social postings, medical information, or even an individual's IP address.

Here's what organizations can expect when becoming GDPR compliant and how they can effectively navigate it.

What this means for visibility
At a high level, the GDPR will have a major impact on the kind of data that can be collected and recorded, and how that data is handled and stored. As such, effective visibility architectures must safeguard and keep data within the EU while offering a comprehensive perspective. In the transition, on-premises and private cloud architectures will probably be the easiest to handle.

The public cloud, on the other hand, will require more effort. Despite its wider scope and the seeming lack of control for organizations whose data the public cloud processes, the public cloud will still need regular audits and robust visibility. Additionally, irrespective of environment, one basic precept in the GDPR is that data should always be pseudonymized, which can also limit how much can be seen.

To further complicate matters, the fact that IP addresses are considered personal data under the GDPR adds complexity to the whole process. In some ways, this turns the traditional approach to visibility upside-down. Instead of opening up the network to further analysis with increasingly powerful tools, a balance is now required that restricts the flow of confidential data. In implementing a visibility architecture, IP addresses must therefore be protected as well.

Seeing what you need to see
The above illustrates a conundrum for many: the need for widespread visibility while also obfuscating sensitive information in private, public and hybrid environments. Fortunately, there are tools and methods that together can make the process much easier.

For instance, data masking, originally developed to secure Personally Identifiable Information (PII), is ideal for GDPR compliance. With data masking, administrators can set any data pattern or offset for masking -- credit card records, social security numbers and IP addresses -- with a simple, effective GUI. Further, a strong visibility architecture that supports geolocation of user data can help identify traffic originating in the EU. When combined, data masking and geolocation (with or without encryption) can help facilitate GDPR compliance.

Do not forget encryption either. Regardless of the efficacy of the first steps, encryption and, in turn, decryption should never be stopped. While SSL encryption protects data, decryption is effective for security purposes such as identifying cyber-threats in malicious payloads that take advantage of SSL encryption's prevalence. If and when organizations do not want something encrypted, they can simply mask the sensitive data instead of encrypting it. But masking and encryption should not be seen as the same thing: encryption is reversible with the key, while masking removes the sensitive value from view.
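As an added illustration of the masking and pseudonymization discussed in the two paragraphs above (example code, not from the column or from Ixia), the following Python masks card numbers and email addresses in constructed log lines by pattern and replaces each IPv4 address with a keyed pseudonym: the same address always maps to the same token, so flows remain correlatable for security analysis, but the token cannot be turned back into the address, which is what separates masking from encryption. The key, the 10.0.0.0/8 output range and the sample lines are assumptions.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample log lines (not real data) containing the kinds of
# personal data the column lists: IP addresses, card numbers, email addresses.
SAMPLE_LOGS = [
    "2017-07-07T10:15:02Z src=203.0.113.7 user=anna@example.eu action=login",
    "2017-07-07T10:15:09Z src=203.0.113.7 card=4111 1111 1111 1111 action=pay",
    "2017-07-07T10:16:30Z src=198.51.100.23 user=bob@example.com action=login",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize_ip(ip: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym for an IPv4 address.

    HMAC-SHA256 under a secret key: the same input always yields the same
    token (sessions stay correlatable), nobody without the key can recompute
    or match it, and even the key holder cannot invert it. The token is
    rendered inside 10.0.0.0/8 (an assumption) so tools that expect an IPv4
    field still parse the masked record.
    """
    digest = hmac.new(key, ip.encode(), hashlib.sha256).digest()
    host_bits = int.from_bytes(digest[:3], "big")  # 24 bits of the digest
    return str(ipaddress.IPv4Address((10 << 24) | host_bits))


def mask_card(card: str) -> str:
    """Keep only the last four digits; the masking is irreversible by design."""
    return "*" * (len(card) - 4) + card[-4:]


def mask_line(line: str, key: bytes) -> str:
    """Apply pattern-based masking and IP pseudonymization to one log line."""
    line = CARD_RE.sub(lambda m: mask_card(m.group()), line)
    line = EMAIL_RE.sub("[email-masked]", line)
    return IPV4_RE.sub(lambda m: pseudonymize_ip(m.group(), key), line)


if __name__ == "__main__":
    KEY = b"placeholder-load-the-real-key-from-a-key-store"
    for entry in SAMPLE_LOGS:
        print(mask_line(entry, KEY))
```

The key must be managed like any other secret: whoever holds it can re-derive a pseudonym for a known address and confirm a match, so it belongs in the same control regime as the encryption keys the column says should never be dropped.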

Beyond the EU network
Outside of the EU, things get interesting, since any organization touching data belonging to EU citizens must offer the same protection. Because it is difficult to segregate customer data so that it corresponds to individuals, processes and technology that comply with the GDPR must be used across the entire infrastructure. For example, a bank's ATM may serve both US and EU citizens.

This step can be exceptionally challenging considering the growth of hybrid cloud environments. Where an organization processes data both on-premises and in a cloud, encryption between the two domains is mandatory. Visibility can be difficult in these circumstances. But again, data masking can help. Extended into the cloud, it can ensure that those responsible for building visibility into a SaaS offering, or within a private cloud, will maintain GDPR compliance. Organizations cannot always control how others handle data, but they can control what they choose to deliver.

Ultimately, compliance will require up-front infrastructure and process planning that ends in "data protection by design and data protection by default." And everyone is implicated, from "data controllers" collecting data to "processors" that process the data on behalf of the controller. What is outlined above can get you started on the road to compliance -- have you started down the right path?

— Jeff Harris, VP Solutions Marketing, Ixia
