GDPR – General Data Protection Regulation

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) to strengthen and harmonise data protection for individuals within the EU and the wider European Economic Area. GDPR replaces the Data Protection Directive 95/46/EC. Its goal is to protect the personal data of individuals in the EU, regardless of citizenship, by setting standards for the collection, storage, sharing, transfer, processing and management of the various categories of personal data; it also governs the export of personal data outside the EU. It is designed to standardise data privacy law across the EU in order to “protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.” With cybercriminals increasingly focused on stealing personally identifiable information (PII), the GDPR is the most significant privacy regulation the EU has adopted in recent times.

Personal Information is the Focus

GDPR is focused on protecting personal data, a concept broader than the US notion of PII: essentially any information relating to an identified or identifiable natural person, referred to as a ‘Data Subject’, whether it identifies the person directly or indirectly. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to an online identifier such as an IP address.

Are Only EU Countries Affected?

While organisations established in the EU are the primary focus, the GDPR (Article 3) also applies to any organisation outside the EU, whether controller or processor, that offers goods or services to data subjects in the EU (whether or not payment is required) or monitors their behaviour within the EU. Storage counts as processing, so a cloud or hosting provider that merely holds such data on a customer’s behalf is in scope.


When does GDPR go into effect? What are the penalties of non-compliance?

GDPR applies from 25 May 2018. An organisation found not to be in compliance is subject to an administrative fine of up to €20 million or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher. These are the maximum fines, reserved for the most serious infringements (of the basic principles for processing, of data subjects’ rights, or of the rules on international transfers). The GDPR also establishes a lower tier of up to €10 million or 2% of worldwide annual turnover, whichever is higher, for infringements such as inadequate records of processing, failure to notify the supervisory authority and affected individuals of a data breach, failure to carry out a required data protection impact assessment, or failure to designate a data protection officer when one is required. For purposes of fines, the GDPR makes no distinction between controllers and processors; “Cloud Service Providers” are not exempt.

How are controllers and processors defined?

A data controller is the organisation that determines the purposes and means of processing personal data, typically the one that collects it from data subjects in the EU. A processor is any organisation that processes personal data on behalf of a controller. Processors include cloud service providers which “process” data collected on any data subject (person) in the EU. “Processing” is defined very broadly and covers almost any operation on personal data, including mere storage.

Key requirements of GDPR

  • Every processing operation must rest on a lawful basis (Article 6); consent is one of six such bases, not a general requirement, and where it is relied upon it must be freely given, specific, informed and unambiguous
  • De-identifying (through anonymizing or pseudonymization) collected data to protect privacy
  • Informing individuals and regulatory bodies of a data breach
  • Safely and securely handling the transfer of data across borders
  • Certain organizations will need to appoint a Data Protection Officer to oversee compliance

Governing Bodies

The European Commission is the EU’s executive body, a college of commissioners, one from each member state (twenty-eight when the GDPR took effect), that acts in the interests of the Union as a whole. The Commission uses a collective decision-making process to propose legislation; enforce EU law with the help of the Court of Justice; represent the EU internationally; set objectives; and manage policy and the budget. The Council of the European Union (the Council of Ministers) represents the governments of the member states. It shares the power to adopt legislation and the budget with the European Parliament, coordinates member-state policies, and handles foreign and security policy. On the basis of proposals from the Commission, the Council concludes and signs international agreements. Day-to-day enforcement of the GDPR, however, rests with the national supervisory authorities, coordinated by the European Data Protection Board.

Get Compliant

Article numbers below refer to the final text of Regulation (EU) 2016/679; earlier summaries often cite the numbering of the 2014 European Parliament draft, which differs.

Articles 17 & 20 – Article 17 gives Data Subjects the right to have a controller erase their personal data under certain circumstances (the “right to erasure”, also called the right to be forgotten). Article 20 gives them the right to receive the personal data they provided in a structured, commonly used, machine-readable format and to transmit it to another controller (the “right to data portability”); it applies to data processed by automated means on the basis of consent or a contract.

Articles 25 & 32 – Article 25 requires data protection by design and by default, and Article 32 requires technical and organisational measures appropriate to the risk, naming pseudonymisation and encryption of personal data explicitly, to protect personal data against loss, alteration and unauthorised disclosure or access. Article 30 separately requires controllers and processors to keep records of their processing activities.

Articles 33 & 34 – Data breach notifications play a large role in the GDPR text. Article 33 requires controllers to notify the Supervisory Authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, with specific details such as the nature of the breach, the approximate number of data subjects and records affected, the likely consequences and the measures taken; a processor must notify its controller without undue delay. Article 34 requires controllers to communicate the breach to the affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms; this is not required where the affected data were rendered unintelligible to unauthorised persons, for example by encryption.

Articles 35 & 36 – Article 35 requires a Data Protection Impact Assessment before any processing likely to result in a high risk to individuals, such as large-scale processing of special categories of data or systematic monitoring of publicly accessible areas. Article 36 requires prior consultation with the Supervisory Authority when the assessment shows a high residual risk that the controller cannot mitigate.

Article 37 – Article 37 requires certain organisations to designate a Data Protection Officer: public authorities, and any controller or processor whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data (genetic data, health, racial or ethnic origin, religious beliefs, etc.) or of data relating to criminal convictions. These “DPOs” advise on compliance and act as the point of contact with Supervisory Authorities. Organisations below these thresholds may still be required to appoint a DPO by member-state law (Article 37(4)), and many appoint one voluntarily.

Articles 38 & 39 – Articles 38 and 39 define the position of the Data Protection Officer (independence, adequate resources, no conflict of interest, direct reporting to the highest management level) and the DPO’s tasks: informing and advising the organisation, monitoring compliance, advising on impact assessments, and cooperating with and acting as the contact point for the Supervisory Authority and for data subjects.

Article 3 – Article 3 sets the territorial scope, extending the Regulation to controllers and processors outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour there, subjecting them to the same requirements and penalties as EU-based companies. Article 27 requires most such organisations to designate a representative in the EU.

Article 83 – Article 83 sets the administrative fines for GDPR non-compliance, up to €20 million or 4% of the violating company’s worldwide annual turnover, whichever is higher, depending on the nature of the infringement.

Useful Terminology

Binding Corporate Rules (BCRs) – a set of binding rules put in place to allow multinational companies and organizations to transfer personal data that they control from the EU to their affiliates outside the EU (but within the organization)

Biometric Data – any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification

Consent – a freely given, specific, informed and unambiguous indication of the data subject’s wishes, by statement or clear affirmative action, signifying agreement to the processing of their personal data; explicit consent is required for special categories of data

Data Concerning Health – any personal data related to the physical or mental health of an individual or the provision of health services to them

Data Controller – the entity that determines the purposes, conditions and means of the processing of personal data

Data Erasure – also known as the Right to be Forgotten, it entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data

Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller

Data Processor – the entity that processes data on behalf of the Data Controller

Data Protection Authority – national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Protection Officer – an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

Data Subject – a natural person (a living human being, as opposed to a legal person such as a company) whose personal data are processed by a controller or processor

Directive – a legislative act that sets out a goal that all EU countries must achieve through their own national laws

Encrypted Data – personal data that is protected through encryption measures to ensure that the data is only accessible/readable by those with specified access

Enterprise – any entity engaged in economic activity, regardless of legal form, including persons, partnerships, associations, etc.

Filing System – any specific set of personal data that is accessible according to specific criteria, or able to be queried

Genetic Data – data concerning the characteristics of an individual which are inherited or acquired which give unique information about the health or physiology of the individual

Main Establishment – for a controller, the place of its central administration in the Union, unless decisions on the purposes and means of processing are taken in another establishment in the Union; for a processor, the place of its central administration in the Union

Personal Data – any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person

Personal Data Breach – a breach of security leading to the accidental or unlawful access to, destruction, misuse, etc. of personal data

Privacy by Design – a principle that calls for the inclusion of data protection and security from the onset of the designing of systems, rather than an addition

Privacy Impact Assessment – a tool used to identify and reduce the privacy risks of entities by analyzing the personal data that are processed and the policies in place to protect the data

Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Profiling – any automated processing of personal data intended to evaluate, analyse, or predict data subject behavior

Pseudonymization – the de-identification of personal data such that it can no longer be attributed to a single data subject without the use of additional data, so long as said additional data stays separate to ensure non-attribution

Recipient – entity to which the personal data are disclosed

Representative – any person in the Union explicitly designated by the Controller to be addressed by the Supervisory Authorities

Right to be Forgotten – also known as Data Erasure, it entitles the Data Subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties cease processing of the data

Right to Access – also known as Subject Access Right, it entitles the Data Subject to have access to and information about the personal data that a controller has concerning them

Subject Access Right – also known as the Right to Access, it entitles the Data Subject to have access to and information about the personal data that a controller has concerning them

Supervisory Authority – an independent public authority established by a member state in accordance with Article 51 to monitor the application of the GDPR

How TokenEx Assists in Achieving GDPR Compliance

TokenEx’s tokenization solutions implement pseudonymisation, a measure the GDPR names explicitly (Article 4(5), Article 25 and Article 32), which makes GDPR compliance more certain, less costly, and easier to accomplish. Tokenization replaces a sensitive value with a surrogate that carries no exploitable information and keeps the mapping back to the original in a separately secured vault. It is the process TokenEx has used for over a decade to protect the private data of clients worldwide, without a single breach or exposure. As a well-recognised form of pseudonymisation, tokenization can be used to satisfy many of the compliance requirements of the GDPR, bearing in mind that tokenized data remains personal data for as long as the vault can re-identify it.

What is Pseudonymization?

“Pseudonymisation” is a form of “de-identification,” the broader term used by the National Institute of Standards and Technology in NIST IR 8053, where pseudonymisation is defined as a “particular type of anonymization that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms.” Note that the GDPR itself does not treat pseudonymised data as anonymous; see Personal Data Designation below.

The GDPR (Article 4(5)) defines pseudonymisation as processing personal data in such a manner that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure the data are not attributed to an identified or identifiable person. In practice, identifying details such as a name, address or card number are replaced with a pseudonym.

There are generally two ways to produce the pseudonym: tokenization and encryption (including keyed hashing). For encryption, the “additional information” is the key: it must be stored separately from the coded data and protected by technical and organisational measures so that it cannot be used to re-identify the data subjects. Tokenization applies no cryptographic key to the data itself; a random surrogate is issued and the mapping back to the original value is held in a token vault. The vault, rather than a key, is the additional information that must be segregated and protected. Because a token is random, it reveals nothing about the original value even if the entire tokenized data set is stolen, whereas a keyed pseudonym of a low-entropy value (a card number, an email address) can be re-identified by anyone who obtains the key and can enumerate candidate values. This is why tokenization is generally the easier method to segregate and audit.
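As an added illustration, not TokenEx’s code and not taken from this page, the following Python sketch contrasts the two approaches described above: a vault-based tokenizer whose mapping table stands in for the segregated vault, and a keyed HMAC pseudonym whose key is the secret. The in-memory dictionaries, the `TokenVault`, `hmac_pseudonym` and `reidentify_by_guessing` names, and the sample card number and email address are all constructed for the example. It also shows what erasing a vault entry does to tokens already copied into other systems, which the right-to-erasure discussion on this page does not spell out.

```python
"""Vault-based tokenization beside keyed (HMAC) pseudonymisation.

Constructed example for this page, not TokenEx's code. The dictionaries
below stand in for a segregated token vault; a real deployment keeps that
mapping in a separate, access-controlled store with its own audit trail.
Sample values are made up.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

DIGITS = "0123456789"


class TokenVault:
    """Issues random surrogate tokens and holds the only mapping back.

    The mapping is the 'additional information' of GDPR Article 4(5): the
    tokenized data set can leave the vault, the mapping must not.
    """

    def __init__(self, token_bytes: int = 16) -> None:
        self._token_bytes = token_bytes
        self._by_value: Dict[str, str] = {}   # value -> token (deterministic re-issue)
        self._by_token: Dict[str, str] = {}   # token -> value (the vault proper)

    def _new_token(self, value: str) -> str:
        """Random token. Digit strings (card numbers) get a same-length digit
        token so downstream schemas and length checks need no change."""
        while True:
            if value.isdigit():
                token = "".join(secrets.choice(DIGITS) for _ in range(len(value)))
            else:
                token = secrets.token_urlsafe(self._token_bytes)
            # Reject the (negligible) collision with an issued token, and never
            # let a token equal the plaintext it replaces.
            if token != value and token not in self._by_token:
                return token

    def tokenize(self, value: str) -> str:
        """Same value -> same token, so joins and de-duplication keep working
        in systems that only ever see tokens."""
        token = self._by_value.get(value)
        if token is None:
            token = self._new_token(value)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can reverse a token; unknown or erased -> None."""
        return self._by_token.get(token)

    def erase(self, value: str) -> bool:
        """Right to erasure: drop the mapping. Tokens already replicated into
        analytics or partner systems stay behind but now point at nothing."""
        token = self._by_value.pop(value, None)
        if token is None:
            return False
        del self._by_token[token]
        return True


def hmac_pseudonym(key: bytes, value: str) -> str:
    """Keyed deterministic pseudonym. Needs no vault, but the key is now the
    secret that must be kept apart from the pseudonymised data set."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_guessing(key: bytes, pseudonym: str,
                           candidates: Iterable[str]) -> Optional[str]:
    """Anyone holding the key can confirm guesses: for low-entropy values such
    as card numbers or a leaked email list this is cheap. A vault token offers
    no such shortcut because it is statistically unrelated to the value."""
    for candidate in candidates:
        if hmac.compare_digest(hmac_pseudonym(key, candidate), pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"            # constructed test card number
    token = vault.tokenize(pan)
    print("token:", token, "reversible:", vault.detokenize(token) == pan)
    vault.erase(pan)
    print("after erasure:", vault.detokenize(token))

    key = secrets.token_bytes(32)
    email = "alice@example.com"         # constructed sample
    p = hmac_pseudonym(key, email)
    print("guessed:", reidentify_by_guessing(key, p, ["bob@example.com", email]))
```

The design choice worth noticing is where the secret lives: in the vault case the tokenized data set carries no key and no structure, so protection and erasure both reduce to controlling one mapping store; in the HMAC case every holder of the key can test candidate values, so key custody and rotation become the compliance problem. Commercial format-preserving tokenizers usually also guarantee that a digit token fails the Luhn check so it can never be mistaken for a live card number; that refinement is omitted here.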

Personal Data Designation

Under the GDPR, pseudonymised data is still personal data (Recital 26), because the controller, or anyone holding the additional information, can re-identify the Data Subject. The Regulation does, however, treat pseudonymisation as a risk-reducing safeguard: it is named as an appropriate security measure (Article 32), supports data protection by design (Article 25), and can reduce the likelihood that a breach of the pseudonymised data alone must be communicated to data subjects (Article 34(3)). Only data that have been truly anonymised, with no means reasonably likely to be used to re-identify the individual, fall outside the GDPR.

Using its own tokenization utility, TokenEx will be fully compliant with GDPR requirements well before the 25 May 2018 effective date. Tokenization is the foundation of TokenEx’s data security platform, a complete data privacy and vaulting service used by its worldwide clients. For more information on TokenEx, its tokenization utility and GDPR compliance issues, please email compliance@tokenex.com.
