Expert Advice: Data Protection for GDPR and Schrems II Compliance

Ben Franklin is credited with saying, “In this world, nothing is certain except death and taxes.” Were he alive today, he might have added “...and the need for data privacy and compliance.”

Regulations facing CISOs, engineers, and risk mitigation experts — including the top European data protection regulation, GDPR/Schrems II — are becoming more numerous and restrictive. In a recent webinar, Julian Weinberger, Senior Security Engineer at ShardSecure, and Douglas Grote, Strategic Alliance Manager at Entrust, reviewed five steps to maintain a robust and scalable data protection strategy that addresses both unstructured and structured data. The 30-minute session culminated with a look at how frictionless integration between our complementary data protection technologies helps customers achieve compliance in an evolving regulatory environment.

1.    Know your data

Different data has different structures and requires different risk mitigation strategies, so it’s important to know what data you have. Structured data is typically organized and formatted in tables and columns, is quantitative in nature, and is ordinarily found in data warehouses and relational databases. Unstructured data, on the other hand, exists in diverse forms including large collections of text and non-text files, is qualitative in nature, and is found in file storage, backups, data lakes, non-relational databases, and logs. Both types of data experience constant growth, with structured data typically growing by a rate of 10-15% per year and unstructured data growing at about 60% year. This exponential growth introduces additional hurdles and requires dedicated data security strategies.

2. Protect your data

Entrust and ShardSecure work in concert to protect both unstructured and structured data. Entrust secures structured data in databases with encryption and secure key generation and management. Meanwhile, ShardSecure protects unstructured data and provides data confidentiality, integrity, and availability with Microshard™ technology. In ShardSecure’s innovative approach, each storage location of microsharded data only contains an unintelligible fraction of the complete data set — so even if a location is compromised, the data will be of no value to an unauthorized user. ShardSecure’s self-healing data also reconstructs data impacted by storage provider outages and unauthorized modifications, including those caused by ransomware and other attacks.

3. Protect your keys

Many data protection methods still rely on keys that must be properly generated, stored, and controlled, with key management especially important under Schrems II. Entrust provides secure key lifecycle management as well as external key management so you can export your keys securely into other systems or bring your own key to cloud infrastructure. Entrust’s  hardware security module (HSM) and its advanced key management features allow companies to secure their critical data from both external and internal threats.

4.    Understand Schrems II 

Schrems II is a 2020 legal case with major implications for data protection and key management under the EU’s GDPR. The partnership between ShardSecure and Entrust addresses requirements for European data processing under the GDPR, which has become increasingly challenging for organizations with data centers spread across multiple geographic locations and providers. ShardSecure’s Microshard technology and Entrust’s HSM provide data owners the flexibility and control to address Schrems II requirements around the distribution and protection of data across jurisdictions.

5.    Add additional layers of defense 

Lastly, the ShardSecure and Entrust partnership enables additional data control by putting robust cryptography at the core of security requirements. Additionally, ShardSecure uses the secure key generation and management of Entrust’s nShield HSM to protect the underpinning root of trust, or keys, for ShardSecure processes. This partnership ensures that unstructured data in cloud environments is well protected against outages, attacks, and other forms of data compromise and makes it easier for organizations to comply with multiple data privacy regulations.

This was a brief overview of the key steps for a comprehensive cross-border data protection strategy. For more details, watch the full session: GDPR/Schrems II Compliance: 5 Steps to Successfully Protect Your Sensitive Data.