In April 2016, the General Data Protection Regulation (GDPR) was signed into law by the European Parliament and became enforceable on May 25th 2018. This EU regulation lays out a wide range of policies that require businesses to protect personal data. Companies must have policies and technology controls in place to securely store or transfer the personal data of any person residing in the EU. As the various articles of the regulation read, this means at a minimum that personal data needs to be encrypted or anonymized.
Who is impacted by GDPR?
There are a number of groups that are affected by GDPR.
- Companies that store personal information of anyone living in the EU, referred to as controllers. This is the most obvious group affected by the regulation. What is less obvious is that the company does not have to be in the EU. Even if the company is in the USA, China, Australia, Brazil, or South Africa, it still has to follow these regulations if it stores the personal data of someone living in the EU.
- Companies that use or manipulate personal information of anyone living in the EU, referred to as processors. Even if a company does not store personal information itself, it can be subject to GDPR simply by having access to edit it. Once again, this applies even if the company is outside the EU.
- An EU company that wants to send personal data to another company, whether inside the EU or not. This part of the regulation is somewhat complicated. Essentially, if you are a company in the EU and you want to send personal information to a company in the US, it is up to you to ensure that the company you are sending it to is compliant with GDPR.
What happens if a company doesn’t comply with GDPR and gets breached?
Every company gets one warning if breached or found negligent in an audit, but after that: fines. Big, big fines.
- If a company is in group 1 or 2 and found to be non-compliant, they have to pay 10,000,000 EUR or 2% of their worldwide annual net revenue, whichever is higher!
- If a company is in group 3 and found to be non-compliant, they have to pay 20,000,000 EUR or 4% of their worldwide annual net revenue, whichever is higher!
Additionally, if a company is breached and personal data is compromised, the company has to work with the supervisory authority of each EU country that had a resident affected. This means the company may have to deal with up to 28 different authorities, each of which must be informed within 72 hours. There are also rules that must be followed regarding the notification of the affected individuals.
How can Fornetix help?
Fornetix Key Orchestration is more than just a key manager that helps with encryption. It allows a company to use technology to enforce the business policies and controls that GDPR requires to be set up. With Key Orchestration, companies can organize all their systems in a policy-based hierarchy, ensuring that only compatible encryption keys that comply with the latest standard are used. In addition, all actions are audited and logged by Key Orchestration and can easily be sent to any SIEM product, making it simple to audit the business's use of encryption keys.
Key Orchestration is able to provide governance and help enable encryption in many technologies already present in most enterprises. Using the Key Management Interoperability Protocol (KMIP), Fornetix has already partnered with VMware, Cray, HPE/Micro Focus, Oracle, and StorMagic, to name a few. Fornetix Key Orchestration is also one of the most interoperable key management servers in the world, supporting all published versions of KMIP. Fornetix is also actively working with OASIS to develop KMIP 2.0, keeping Fornetix at the cutting edge of encryption key management technology.
With the long-awaited GDPR compliance deadline behind us, how are end users coping with the challenges that come along with the change? The recent spike in encryption adoption at the edge was an anticipated shift, and it is already helping today's IT architects meet a multitude of compliance requirements across the board. Join Fornetix and StorMagic for a 30-minute webcast where we will discuss the current state of the encryption landscape now that.