The General Data Protection Regulation (GDPR), a new regulation recently adopted by the European Commission, has ruffled many feathers. Its most striking aspect has been the concept of data centricity that it has formalized and embedded into EU law.
Data-centricity is at the heart of the GDPR. The GDPR stipulates that data should be kept private and secure wherever it goes. All copies of all personal data should be secured and monitored at all times and all locations. Making data security truly data centric will be a huge challenge for organizations.
Complying with GDPR in a Flat World
Currently, organizations tend to focus almost solely on data inside their corporate boundaries. However, numerous EU organizations already have outsourced operations to non-EU countries or have subsidiaries in them. A lot of Personally Identifiable Information or PII (“personal data”) is also sent outside corporate borders to vendors, partners, and consultants. Securing this data is often deprioritized. With outsourcing and extended supply chains now so widespread, that will soon need to change, not least because of GDPR.
For example, a piece of data will typically be governed by one policy inside an application, by another policy on the desktop, yet another policy on a file server, yet another on the vendor’s inbox, yet another on the vendor’s file server, and so on. So the question is: how can organizations ensure that they can control their information wherever it goes – with the same federated data-centric policy applicable to it everywhere, at all times?
How can Data-centric Security Help?
The premise of data-centric security is simple: that data security should be focused on the data itself – and nothing else. Not the format. Not the storage mechanism. Not the transmission medium. Not the application or device accessing the data…and so on.
Think of it like a firewall around the file itself.
Further, granular usage controls can also be applied on individual files. Data Controllers can control who can access the information, what they can do with it – such as editing, printing, copying content, taking screen captures etc. – at what time, and using what device. These controls are persistent and can be changed remotely without physical access to the actual document.
Thus, all personal data that the data controller sends to a data processor (or its own subsidiary) anywhere in the world can be secured and its usage fully monitored with Enterprise Digital Rights Management (EDRM). EDRM technology represents the only way organizations in the EU can fully comply with the letter and spirit of data-centric security and governance enshrined in the GDPR.