Ouch! Mask data or pay 4% of global revenues
New European Union (EU) data legislation could take a punishing toll on many companies, with fines as high as 4 percent of global revenues for non-compliance. These regulations apply to every company around the world who has customers in the EU, so they will apply to most Fortune 5000 organizations.
The General Data Protection Regulations (GDPR) will replace individual country laws with a single body of legislation beginning in 2018. But preparing for the introduction of the GDPR legislation will be a challenge for many organizations because of the required data protection measures.
We asked Phil Lee, an expert in data privacy legislation at law firm Fieldfisher, to help us untangle the complex legislation to explain the new data protection obligations and how organizations can avoid massive fines by masking data. (You can download the full white paper here.)
It turns out most companies have a lot to do to get ready, and there's not much time.
GDPR will introduce new EU-wide data protection laws that will differ from current laws which currently reside in each country, and it will apply to any company in the world that processes EU data. The good news: Organizations have two years to get ready. The bad news: Being compliant is no easy task.
Not me, I encrypt everything
Encryption won't be enough to comply with GDPR. Sure, encryption ensures your data in transit is protected a but data at rest, which is accessible to anyone that has credentials for your systems, can get to that data. The GDPR explicitly challenges companies to "pseudonymise" data, which the regulation defines as the process of masking confidential data in such a way that it can no longer be attributed to an individual - protecting the data should it ever fall into the wrong hands.
But companies have only one copy of customer data, right? Not so. Most companies need multiple copies of data for software development, testing, analytics, compliance, financial reporting and backup systems - to name a few examples. For a large bank this could result in thousands of copies of data residing in innumerable pockets within the infrastructure.
This data needs to be useful for the above-mentioned purposes, but how can data be of value yet contain no sensitive information? Masking sensitive data i.e., replacing personal information with "dummy data" that looks real but is worthless to a data thief - is an approach that can meet the requirements of GDPR.
Data masking has been around for years, but due to a lack of enforced legislation, many companies don't bother with the extra time and cost to do so effectively. The new GDPR means this can't happen anymore, which will require organizations to think differently, and proactively, about how to meet the regulation for the long term.
Mask data with Delphix
Delphix software combines all the data across the different enterprise silos into a single copy. Delphix data masking is then applied only once - there's no need for multiple masking projects. Delphix data virtualization then enables IT to create as many virtual copies of the (masked) enterprise data as are needed.
As organizations begin their journeys to comply with the GDPR, data masking can be a strategic asset to CIOs who may already be scrambling to devise long-term plans for coping with the regulation.