What is the GDPR?
The General Data Protection Regulation (GDPR) is a privacy law established by the European Parliament to increase security for the personally identifiable information (PII) of EU citizens. Its objective is to return control of personal data to individuals, and to facilitate international business by creating a standard for PII treatment across the EU. The regulation came into full effect on May 25th, 2018, and is serving as a model for similar privacy laws coming online elsewhere.
Some notable aspects and impacts of the law include:
- Mandatory appointment of Data Protection Officers for corporations that have personal data processing as core activities
- Notification of a supervisory authority after a breach of personal data (typically not more than 72 hours after the breach was realized)
- Encourages pseudonymization (rendering data anonymous or the subject unidentifiable) of personal data assets
- Supports the right to erasure ("right to be forgotten") from data collections / searches
- Provides for data portability so people can move their information from one provider to another, and rectification so their data can be corrected
Of these, "the concept of personally identifiable information [PII] lies at the core of the GDPR," writes the International Association of Privacy Professionals (IAPP). From the GDPR, IAPP specifically refers to Recital 75, which instructs controllers to "implement appropriate safeguards to prevent the 'unauthorized reversal of pseudonymization.'"
To mitigate the risk of data breaches and non-compliance, data "controllers should have in place appropriate technical (e.g., encryption, hashing, or tokenization) and organizational (e.g., agreements, policies, privacy by design) measures separating pseudonymous data from an identification key."
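The separation the quoted passage describes, pseudonymous working data on one side and an identification key on the other, is shown below as an added example; it is not code from the original page or from IRI's products. It assumes keyed hashing (HMAC-SHA256) as the pseudonymization function, constructed sample records for fictitious people, and hypothetical names (`IdentificationKeyStore`, `pseudonymize`, `totals_by_subject`) chosen for this illustration. It also shows why the separation matters for two other items listed above: the pseudonymized data remains usable for analysis, and erasing the key-store entry is how the "right to be forgotten" is honoured without touching every downstream copy.

```python
import hashlib
import hmac
import secrets

# Constructed sample records: fictitious people, not real data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "order_total": 120.50},
    {"email": "bob@example.com", "name": "Bob Example", "order_total": 75.00},
    {"email": "alice@example.com", "name": "Alice Example", "order_total": 30.00},
]

# Fields that directly identify a person and must not reach the working data set.
DIRECT_IDENTIFIERS = ("email", "name")


class IdentificationKeyStore:
    """The 'identification key' side of the separation (hypothetical name): holds
    the HMAC secret and the token -> identity mapping. In a real deployment this
    lives on a separate system with its own access controls, never beside the
    pseudonymised data it can reverse."""

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup = {}

    def token_for(self, identifier):
        # Keyed hash (HMAC-SHA256): deterministic, so all records of one person
        # share a token and can still be joined, but not reversible without the key.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def register(self, token, identity):
        self._lookup[token] = dict(identity)

    def reidentify(self, token):
        # Only a holder of this store can turn a token back into a person.
        return self._lookup.get(token)

    def erase(self, token):
        # Right to erasure: once the mapping is gone, the subject's pseudonymised
        # records can no longer be attributed to them from this store.
        return self._lookup.pop(token, None) is not None


def pseudonymize(records, store):
    """Return a working copy of the records with direct identifiers replaced by a
    subject token, registering each token in the separate key store."""
    working = []
    for rec in records:
        token = store.token_for(rec["email"])
        store.register(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_token": token, **stripped})
    return working


def contains_direct_identifiers(records):
    """Check to run before handing data to processors: no identifier field survives."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def totals_by_subject(records):
    """Analytics still works on pseudonymised data because tokens are consistent."""
    totals = {}
    for rec in records:
        tok = rec["subject_token"]
        totals[tok] = totals.get(tok, 0.0) + rec["order_total"]
    return totals


if __name__ == "__main__":
    store = IdentificationKeyStore()
    working = pseudonymize(SAMPLE_RECORDS, store)
    print("identifiers left in working data:", contains_direct_identifiers(working))
    alice = store.token_for("alice@example.com")
    print("re-identified via key store:", store.reidentify(alice))
    store.erase(alice)
    print("after erasure:", store.reidentify(alice))
    print("totals still computable:", totals_by_subject(working))
```

A keyed hash is used rather than a plain SHA-256 of the e-mail address because an unkeyed hash of a low-entropy identifier can be matched against a list of candidate addresses; that would leave the "identification key" implicit in the data itself rather than separated from it. The in-memory dictionary stands in for a separately secured vault; in practice the store, its key, and any backups of it are what the access controls and the erasure procedure have to cover.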
Proven Data Protection
With these new regulations, it is not only a good idea to protect PII, but it is required by law. The penalties for non-compliance are severe: up to €20,000,000 or 4% of the previous year's worldwide turnover, whichever is greater. Proactive compliance with the law will help protect the data, and proof of that compliance can provide a buffer against sanctions.
For the GDPR, as with other data privacy laws worldwide, it is important to have a powerful and extensible technology to protect PII. The proven PII discovery and de-identification software in the award-winning IRI products below delivers the rule- and role-based, data-centric audit and protection capabilities you need to achieve and prove compliance with the most critical GDPR provisions:
- IRI Data Protector Suite, which includes three static data masking (SDM) products -- IRI FieldShield, DarkShield, and CellShield -- for finding, classifying, extracting, erasing, and otherwise anonymizing (or repairing) PII in structured and unstructured sources through functions such as pseudonymization, deletion, encryption, and redaction. It can also deliver data [via search of the above] to comply with portability and rectification requirements, and score re-identification risk and anonymize quasi-identifiers to comply with Article 29 provisions.
- IRI Voracity data management and governance platform, which bundles all three SDM (shield) products above with data integration, migration, cleansing, reporting, and analytics ...
PII discovery and masking capabilities in IRI software work across any database and legacy / document file format -- as well as images and faces -- on premises or in the cloud. Affordable licensing, implementation, and support services are available from authorized IRI representatives throughout the EU and beyond.