GDPR Data Compliance
As organisations prepare for the European Union (EU) General Data Protection Regulation (GDPR), which applies from May 2018, careful consideration has to be given to the design of the processes and systems that handle PII (Personally Identifiable Information) and sensitive PII data transmitted to, stored by and processed by third party Data Processors, such as the providers of cloud SaaS applications. There is much confusion about the roles, responsibilities and obligations for GDPR compliance when Data Processor services are used: who protects the PII and sensitive PII data, and where the service is located. It should be clear from the outset that the Data Controller (the enterprise) is not relieved of its GDPR responsibilities simply because it leverages the services of third party Data Processors (cloud SaaS providers). The Data Controller remains fully responsible for the scope of GDPR and for the protection of Data Subjects' PII and sensitive PII data.
The eperi Gateway is a CDP (Cloud Data Protection) solution that uses encryption and tokenisation to render PII and sensitive, confidential PII data unreadable to the Data Processor and to anyone else accessing it in cloud SaaS applications such as Office 365, Salesforce, ServiceNow, Microsoft Dynamics and other SaaS applications. It does this by encrypting and tokenising PII and sensitive PII data before it leaves the control of the Data Controller (the enterprise), whilst still leveraging the functionality of these Data Processor cloud SaaS applications.
eperi leverages the GDPR principle of 'Privacy by Design' (data protection by design and by default, Article 25) together with a centralised point of control in the Data Controller's (enterprise) architecture that monitors data traffic going to third party Data Processors (cloud SaaS applications). When PII and sensitive PII data fields are detected en route to the SaaS application, the eperi Gateway applies the configured data protection policy, using industry standard AES-256 encryption or tokenisation, so that the data leaving the enterprise is pseudonymised in the sense of GDPR Article 4(5). (Data that the Data Controller can still reverse with its key is pseudonymised, not anonymised, and remains personal data; the protection lies in the fact that the Data Processor cannot reverse it.) The encryption keys are ALWAYS and FULLY controlled by the Data Controller (the enterprise). By doing so the Data Controller reduces the scope and boundary of its GDPR compliance effort and meets its GDPR obligations for the treatment of PII and sensitive PII data when leveraging third party Data Processors, for Data in Transit, Data at Rest and Data in Use.
The eperi CDP solution must not be confused with simpler DLP (Data Loss Prevention) solutions, which may detect some PII data (credit card numbers, for example) within the enterprise and then block that data from leaving the enterprise. This blocking action typically breaks the business process and functionality of the cloud SaaS application, causing disruption and additional overheads.
The eperi CDP solution must also not be confused with the 'Encryption at Rest' offered by Data Processors: these protect data only while it is at rest in the Data Processor's storage, and in most cases the Data Processor controls all or part of the encryption keys, so the Data Processor (and anyone who compromises it) can still read the data.
The eperi Gateway is integrated into the company's infrastructure and sets data protection policies at a granular, per-field level for structured and unstructured data. Unlike DLP solutions, the eperi CDP solution does not block the sensitive data and therefore does not break the business process and functionality of the SaaS application. The eperi CDP solution transparently encrypts or tokenises the sensitive data while maintaining SaaS functionality such as searching, sorting and reporting on the protected fields.
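The data flow described above (policy-driven protection of PII fields on the way to the SaaS, with the key and token vault kept by the Data Controller, and the trade-off between protection and preserved SaaS functionality) as a minimal worked example. This is an added illustration for this page, not eperi's code: it uses standard-library HMAC-based and random tokenisation rather than AES-256 so it runs offline, and all names (`POLICY`, `Vault`, `protect_record`, `restore_record`, `saas_search`) are assumptions. It shows two policy modes: deterministic tokens, where equal plaintexts give equal tokens so the SaaS can still match, group and search on the field (at the price of revealing that two records share a value), and random tokens, which reveal nothing downstream, not even equality, but take the field out of SaaS-side search. Keeping plaintext sort order on a protected field would additionally require an order-preserving scheme, which leaks more and is not shown here.

```python
"""
Added example (not eperi's code): gateway-side, per-field tokenisation of an
outbound SaaS record. Key and token vault stay on the Data Controller's side;
the SaaS only ever stores tokens for the protected fields.
"""
import copy
import hashlib
import hmac
import secrets

# Constructed sample policy: which fields leave the enterprise protected, and how.
# "deterministic" keeps equality (search/dedup/grouping) working in the SaaS;
# "random" gives maximum protection but the field is no longer searchable there.
POLICY = {
    "email": "deterministic",      # looked up and de-duplicated in the SaaS
    "last_name": "deterministic",  # grouped in SaaS reports
    "diagnosis": "random",         # sensitive PII, never searched in the SaaS
}


class Vault:
    """Controller-side token vault. Neither the key nor the mapping leaves the enterprise."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a 256-bit key")
        self._key = key
        self._reverse = {}  # token -> plaintext

    def tokenize(self, field: str, value: str, mode: str) -> str:
        if mode == "deterministic":
            # Keyed hash: stable for equal values, infeasible to invert or forge
            # without the key. The field name is mixed in so the same value in two
            # different fields does not produce the same token.
            digest = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
            token = "tok_" + digest.hexdigest()[:32]
        elif mode == "random":
            # Fresh token every time: two records with the same value look unrelated.
            token = "tok_" + secrets.token_hex(16)
        else:
            raise ValueError(f"unknown protection mode {mode!r}")
        self._reverse[token] = value
        return token

    def detokenize(self, token):
        # Unknown values (e.g. fields the SaaS filled in itself) pass through unchanged.
        return self._reverse.get(token, token)


def protect_record(record: dict, vault: Vault, policy=POLICY) -> dict:
    """Outbound path: replace protected fields before the record reaches the SaaS."""
    out = copy.deepcopy(record)
    for field, mode in policy.items():
        if out.get(field) is not None:
            out[field] = vault.tokenize(field, str(out[field]), mode)
    return out


def restore_record(record: dict, vault: Vault, policy=POLICY) -> dict:
    """Inbound path: swap tokens back to plaintext for users inside the enterprise."""
    out = copy.deepcopy(record)
    for field in policy:
        if field in out:
            out[field] = vault.detokenize(out[field])
    return out


def saas_search(saas_records, field: str, value: str, vault: Vault, policy=POLICY):
    """Search on a protected field: the gateway tokenises the search term, the SaaS
    compares tokens. Works for deterministic fields only; random fields never match."""
    needle = vault.tokenize(field, value, policy[field])
    return [r for r in saas_records if r.get(field) == needle]


if __name__ == "__main__":
    vault = Vault(secrets.token_bytes(32))
    # Constructed sample records as they exist inside the enterprise.
    records = [
        {"id": 1, "email": "ann@example.org", "last_name": "Mueller", "diagnosis": "asthma"},
        {"id": 2, "email": "bob@example.org", "last_name": "Mueller", "diagnosis": "asthma"},
    ]
    in_saas = [protect_record(r, vault) for r in records]
    print("stored in SaaS:", in_saas)
    print("search by email:", saas_search(in_saas, "email", "ann@example.org", vault))
    print("restored:", [restore_record(r, vault) for r in in_saas])
```

The two `diagnosis` values are identical inside the enterprise but unrelated in the SaaS, while the two `last_name` tokens are identical, which is exactly what lets a SaaS report group by that field and exactly what a deterministic scheme gives away.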