The General Data Protection Regulation (GDPR) is a European Union law that governs personal data. It’s also one of the most important pieces of global data legislation. The E.U. is the largest trading bloc in the world, and any company doing business in it must abide by the GDPR’s data collection, protection, and processing rules. The punishment for failing to do so can run into tens of millions, such as when Google was fined $57 million for not clearly notifying consumers what data usage they were giving consent to.
Why data segregation is important for GDPR compliance
The GDPR makes it clear that a data controller or processor must “implement appropriate technical and organizational measures… to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services” with particular attention to the risks that processing creates for the “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
It is clearly incumbent on the owner or processor of the data to ensure its protection. But, unfortunately, many business functions create the possibility for data to be lost, stolen, or put in the hands of people or organizations that are not entitled to it.
One of the best ways to ensure compliance throughout these processes is by properly segregating data. Data segregation allows for the creation of separate access rules for sets of data or different groups of users, ensuring that only those who are authorized can view, access, remove, or alter the data. By maintaining access controls and data governance policies over specific datasets, GDPR data segregation instructions can be adhered to and personal data protected.
When does GDPR data segregation need to happen?
Data is essential to nearly all modern businesses. It can help identify efficiencies that can reduce costs, monitor trends to improve customer experience, or provide valuable insights for new products. With the vast amounts of data that companies collect, store, and analyze, effective custody policies need to be implemented. One aspect of any data custody policy is compliance, such as with the GDPR.
Data segregation should be an integral part of such compliance-focused activities. It allows owners and processors to maintain clear partitions between datasets or specific types of data, to which different access and usage policies can then be applied.
As part of compliance efforts with GDPR, data segregation can be deployed for the business functions most at risk of breaking GDPR rules, such as:
- Data storage: Segregating different types of data while it is being stored, either physically or logically, can prevent unnecessary leakage or improper access. For example, a sales department might work with more third-party contractors than accounting. If their data is stored together, the accounting department might be unaware that its data is at risk of being shared or of the steps they need to take to ensure stricter access control.
- Data transfer: Various functions will share data between them as part of normal business activity. This creates situations where it is not always clear where data is stored or how many people have access to it. To ensure compliance with GDPR, data segregation can be used in tandem with a virtualized data layer, so data never needs to be transferred.
- Third-party analysis: Most organizations engage third-party data analysis firms to help them gain insights into their data. This necessitates outside access to datasets and can create risks for lost, stolen, or improperly used data. In terms of GDPR, data segregation can create strict boundaries around what is being sent to be analyzed, reducing the risk of leakage.
- Collaboration: When sharing data with other organizations, there is always a risk of breaching the GDPR's data protection rules. Combining datasets and insights can lead to productive synergies and improved outcomes, and data segregation can limit how much data is exposed to outside parties.
How to successfully segregate data to comply with GDPR
There are two methods for segregating data: physically or logically. The former involves physically disconnecting a server from the rest of the network, while the latter introduces partitions that divide datasets into distinct entities based on variable characteristics. Logical segregation is the more common of the two, and it is easier to apply specific access controls and policies to logically segregated datasets.
Data segregation can also apply to the specific users of data, such as different teams, projects, or collaborators. With tighter controls over how (and which) data can be accessed and used, it becomes easier to comply with the GDPR’s expectations on data security and integrity.
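The logical segregation described above, applied to the sales and accounting example and to third-party analysis, as an added illustration (not Intertrust's code): each partition carries its own reader groups and a whitelist of fields that may leave the boundary for analysis, every decision is deny-by-default, and every check is audited. Partition names, group names and the sample record are constructed for the example.

```python
# Added example (not Intertrust Platform code): logical partitions with
# per-partition access policy, deny-by-default enforcement and an audit trail.
# Partition names, groups and fields below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Partition:
    name: str                 # logical partition, e.g. "sales"
    readers: set              # groups allowed to read full records
    analyst_fields: set       # only these fields may leave for third-party analysis
    audit: list = field(default_factory=list)   # (groups, action, allowed)


# Constructed partitions: accounting exposes nothing to external analysts.
PARTITIONS = {
    "sales": Partition("sales", {"sales-team"}, {"region", "order_total"}),
    "accounting": Partition("accounting", {"finance-team"}, set()),
}


def authorize(groups, partition_name, action):
    """Return True only if an explicit rule grants the action; otherwise deny."""
    p = PARTITIONS.get(partition_name)
    allowed = False
    if p is not None:
        if action == "read" and set(groups) & p.readers:
            allowed = True
        elif action == "analyze" and "external-analyst" in groups and p.analyst_fields:
            allowed = True
        p.audit.append((tuple(sorted(groups)), action, allowed))
    return allowed


def analyst_view(groups, partition_name, records):
    """Minimised copy of records for a third-party analyst: only the partition's
    whitelisted fields cross the boundary; unauthorised partitions raise."""
    if not authorize(groups, partition_name, "analyze"):
        raise PermissionError(f"{partition_name}: analysis not permitted")
    keep = PARTITIONS[partition_name].analyst_fields
    return [{k: v for k, v in r.items() if k in keep} for r in records]


if __name__ == "__main__":
    sample = [{"customer": "A. Example", "region": "EU", "order_total": 120}]
    print(analyst_view({"external-analyst"}, "sales", sample))
```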
Intertrust: Making GDPR data segregation work
An enterprise data platform, such as Intertrust Platform, delivers multiple solutions that make data segregation and GDPR compliance easier. By creating a virtualized data layer, data can be accessed and queried inside the platform without ever having to be transferred to a different location for processing. Intertrust Platform also helps compliance and segregation via the enforcement of fine-grained access controls over all datasets.
Collaboration and usage of third-party analytics are also securely facilitated as only the necessary data for a specific use is brought together in segregated containers which then form a trusted execution environment for all parties, without the risk that other data may be shared inadvertently.
About Abhishek Prabhakar
Abhishek Prabhakar is a Senior Manager (Marketing Strategy and Product Planning) at Intertrust Technologies Corporation, and is primarily involved in the global product marketing and planning function for the Intertrust Platform. He has extensive experience in the field of new-age enterprise transformation technologies and is actively involved in market research and strategic partnerships in the field.