Governance & Compliance

What the General Data Protection Regulation (GDPR) Means for Enterprises

The EU Parliament recently approved the General Data Protection Regulation (GDPR), which has significant implications for enterprises in both Europe and the rest of the world.

The GDPR will drive increased adoption of data security practices, such as strong encryption, and requires businesses to implement technical and organizational measures that ensure a level of security appropriate to the risk when processing personal data (the regulation's term for what many practitioners call personally identifiable information, or PII).

The GDPR names the measures it expects these safeguards to include, as appropriate to the risk:

  • Pseudonymization (for example, tokenization) and encryption of personal data
  • Ongoing confidentiality, integrity, resilience and availability of the systems and services processing personal data
  • Business continuity (BC) and disaster recovery (DR) planning, so that access to personal data can be restored in a timely manner after a breach or other disruption
  • A process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational controls (in practice, recurring penetration testing and auditing)

The regulation also introduces mandatory notification requirements in the event of a personal data breach. The relevant supervisory (data protection) authority must be notified, without undue delay and where feasible within 72 hours of the organization becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, the affected data subjects (the individuals whose data was compromised) must be notified as well. This "name and shame" approach has an important caveat: notification of the affected individuals is not required if the compromised data was rendered unintelligible to anyone not authorized to access it, for example through strong encryption. In practice this exemption only holds if the encryption keys were not themselves exposed in the breach, so key management is as important to the exemption as the cipher.

The final leg of the GDPR is a significant ramp-up in penalties and fines assessed against businesses that fail to comply with the new requirements. Specifically, non-compliant organizations are subject to fines of up to 10,000,000 EUR or 2% of annual worldwide turnover, whichever is higher, rising to 20,000,000 EUR or 4% for the most serious infringements.

With the GDPR, the EU Parliament is making a clear statement on the importance of improved data security and protection standards. The new regulation will help standardize and improve best practice across enterprises operating in the EU, with strong encryption being of paramount importance.

NuCypher provides a range of security and encryption products for Big Data that can easily be deployed to bring your organization into compliance with the GDPR. This includes a cryptographically enforced access control system for Hadoop that allows you to set policies around who can access your data and where they can do so. Visit http://nucypher.com/compliance-and-data-governance/ to learn more.