Introduction to Data Privacy Legislation
As cyber-attacks and data security breaches become more frequent in today’s digital landscape, multiple countries are seeking to install more stringent regulations for organizations that handle sensitive customer data from each region. This legislation affects all organizations that collect any form of sensitive data including names, addresses, browsing histories, and anything else that could potentially be used to identify or discriminate against a customer. In this blog post, we’ll provide a high-level overview of the common standards to which each new legislation will hold organizations conducting business in their region, as well as what steps organizations can take to become compliant, using GDPR and LGPD as examples. For more blog posts and information about data privacy, visit the Futurex website or request to download our Data Privacy Legislation Whitepaper here.
What is GDPR?
GDPR stands for the General Data Protection Regulation, and it applies to all organizations that reside in or do business with the European Union.
What is LGPD?
LGPD, translated from Portuguese, stands for the General Data Protection Law, and it applies to all organizations that reside in or do business with Brazil.
What are the main elements these laws have in common?
The GDPR and the LGPD are very similar in terms of the subjects and regulations they cover. Both documents place an emphasis on data privacy and data subject rights, with a secondary focus on data security. In terms of data privacy, the documents focus on changes such as granting subjects the ability to request that their data be removed from any database, and mandating that organizations collecting data must allow subjects to “opt-in” to collection, as well as clearly communicate with subjects when a data breach occurs.
However, when it comes to data security policies, the laws are more vague. They specify that organizations have new data security responsibilities and that there are serious consequences (such as large fines of up to 4% of a company’s global revenue) for breaching them, but they are less specific about what such responsibilities entail. For example, the LGPD outlines a “principle of accountability” for organizations, which states that “both data controller and data processor should take appropriate technical, security, and administrative measures to protect personal data. The data protection authority may provide for minimum technical standards, considering the nature of the data handled, the specific characteristics of the treatment, and the current state of the technology.” The GDPR states that organizations must follow the principle of “privacy by design,” which states that organizations “shall implement appropriate technical and organizational measures… in an effective way… in order to meet the requirements of this Regulation and protect the rights of data subjects.”
A natural question arises from reading these mandates. What constitutes “appropriate technical measures”? If it’s essentially up to organizations to show that they performed their due diligence in protecting customer data, how exactly should they do that? When it comes to organizations within the EU, many turned to encryption and hardware security modules (HSMs) to protect their customers’ sensitive data. Brazilian organizations will likely need to do the same in the coming months.
How can organizations ensure compliance?
The best way to ensure that organizations that handle sensitive data are in compliance with new legislation is to integrate strong cryptography and key management backed by HSMs into their existing data infrastructure via database platforms. (For more on what HSMs are, view our informational page here.) While legislation does not prescribe a specific security solution or validation level, it is generally accepted that FIPS-validated appliances, such as HSMs using cryptographic libraries including PKCS #11 and KMIP, are sufficient to offload crypto and key management processes in order to meet legislation requirements. The good news here is that implementing this cryptographic solution will cause minimal to no disruption to an organization’s current infrastructure and day-to-day processes.
What are the next steps for organizations?
So how should organizations proceed with integrating their databases? It is in their best interest to perform an audit of their current organizational infrastructure, locate the database platform(s) in which they store sensitive data, and use a cryptographic library to integrate each new platform with an HSM. Organizations should seek a trusted provider of hardware security solutions to fulfill their cryptographic needs.
If organizations follow these steps, they should be well on their way to demonstrating having done their due diligence towards a comprehensive data security infrastructure and compliance with new regulations.
To learn more about complying with data privacy legislation worldwide, request to download our whitepaper here. For questions regarding regulatory compliance, hardware security modules, or application integration, feel free to reach out to a Futurex Solutions Architect at any time.