ENISA Guidelines Endorsed Pseudonymisation Even Before GDPR

The formation of the European General Data Protection Regulation (GDPR) signified a watershed moment for European citizens, and data processing. This regulation has come to define the way in which data is to be handled by organisations, removing uncertainty or misunderstanding as to what is to be expected when data protection is concerned. In an economy increasingly based on the processing of data, and in particular, personal data, GDPR has become an essential framework in the two years since it was established to ensure that individuals have better control over their personal data and that this data is processed for a legitimate purpose, in a lawful, fair and transparent way. Moreover, with personal data a prime target for cybercriminals who want to steal valuable information for their own monetary gain, protecting data has become a significant motive for modern enterprises wanting to avoid being the next victim of data theft, and fall foul of non-compliance.

With that said, data breaches are not a new phenomenon and before the formation of GDPR, the European Union Agency for Network and Information Security (ENISA) regularly provided resources, guidelines and information on how organisations can avoid such a catastrophe. While the advice provided has of course developed, in no small part due to the current reliance on digital technology, the guidance provided by ENISA all those years ago still holds true. In fact, following the stipulations outlined by ENISA will prove beneficial when considering the more recent concepts of IoT, big data analytics, and social media where data gathering has become more prominent and profitable.

Therefore, in order to mitigate the damage that follows a data breach, businesses have begun to deploy a number of controls, solutions and technologies that reduce the likelihood of data being exploited by attackers, while still providing analytical insight and contributing to the trust between businesses and their clients.

Yet, there is one capability that cannot be overlooked: pseudonymisation. ENISA has strongly endorsed this form of data protection. But why? With pseudonymisation technology, organisations have the capability to cover multiple cross-regulatory requirements and to provide a security solution that not only meets regulatory frameworks, but also allows sensitive data to be used and analysed.

Leveraging pseudonymisation

By leveraging pseudonymisation, sensitive data can be de-identified in such a way that personal data can no longer be attributed to a specific data subject without the use of additional information. A prominent pseudonymisation technique is tokenization, which replaces key identifiers to hide the identity of the data subjects from any third party; it can be used to mask IP addresses, email addresses, financial information and biographical data while still allowing analysis. The method works by substituting a sensitive data element with a non-sensitive equivalent, the token, and keeping the mapping back to the original value separately.
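The following is an added illustration, not code from the original post or from comforte, of the tokenization described above: a random, non-derivable token replaces each email address, the vault holding the token-to-value mapping is the "additional information" that must be stored separately, and analytics such as counting records per subject still work on the pseudonymised data. Record contents are constructed sample data, and the class and function names are this example's own.

```python
import secrets
from collections import Counter

# Constructed sample records (not real data): an identifying email plus a
# non-identifying attribute that downstream analytics still needs.
RECORDS = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "bob@example.com", "plan": "free"},
    {"email": "alice@example.com", "plan": "pro"},
]


class TokenVault:
    """Issues random tokens and keeps the only mapping back to real values.

    The token carries no information about the value (no hash, no encryption
    of it), so re-identification is impossible without access to this vault,
    which is why the vault must be stored and access-controlled separately
    from the pseudonymised data set.
    """

    def __init__(self):
        self._to_token = {}  # value -> token (for consistent tokenization)
        self._to_value = {}  # token -> value (for authorised re-identification)

    def tokenize(self, value):
        tok = self._to_token.get(value)
        if tok is None:
            tok = "tok_" + secrets.token_hex(8)  # 16 hex chars, random
            self._to_token[value] = tok
            self._to_value[tok] = value
        return tok  # same value always yields the same token

    def detokenize(self, token):
        return self._to_value[token]


def pseudonymise(records, vault, field="email"):
    """Return copies of the records with `field` replaced by its token."""
    return [{**r, field: vault.tokenize(r[field])} for r in records]


def count_by_subject(records, field="email"):
    """Analytics on pseudonymised data: consistent tokens keep per-subject
    counts correct without exposing who each subject is."""
    return Counter(r[field] for r in records)
```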

This security solution is growing in demand because GDPR reinforces the need for data security (article 32 of GDPR) and for data protection by design (article 25 of GDPR). However, this guidance was already anticipated by ENISA in 2013, so it can be argued that had more enterprises followed those guidelines, they would have laid a strong foundation for the implementation of GDPR, which soon followed. When it comes to moving or using data, if you leave it unprotected, expect to lose it, so ensure that data is protected and kept private from the earliest point possible!


*** This is a Security Bloggers Network syndicated blog from comforte Insights authored by Thomas Stoesser. Read the original post at: https://insights.comforte.com/enisa-guidelines-endorsed-pseudonymisation-even-before-gdpr