Today’s culture of interconnected data has paved the way for stunning leaps in operational efficiency. As a result, data protection has become one of the most critical components to managing an organization’s workforce and customers. Let’s explore the role of a Virtual Private Network (VPN) in ensuring compliance with the myriad of data protection laws.
The EU’s GDPR was a trailblazer for data protection: in 2016, it cemented a stringent overarching demand for all European organizations to take every “appropriate technical measure” to keep personal data protected. To remain compliant, you need to analyze what data is being collected, the risks facing it, and what processes and tooling can protect it.
Many countries took the overarching framework and approach used by GDPR and modified it to better fit their own geopolitical contexts. Following Brexit, the UK opted for a Ctrl+C and Ctrl+V shortcut, rapidly re-implementing the same principles.
On the other side of the world, other countries had already begun similar efforts: India’s Personal Data Protection law took the GDPR’s framework and added further contextual tweaks. One of these was a 2017 ruling around Aadhaar data. As a platform, Aadhaar provides large swathes of the country’s biometric identification services. In 2017, however, India’s Supreme Court ruled that the collection and use of Aadhaar numbers is unconstitutional – further cementing privacy as a human right.
Unlike the rest of the world, the US has a far more fragmented and lax approach to data protection. Compliance laws operate on a state-by-state and industry-by-industry basis, making them vastly more complex to navigate. Consider HIPAA: drafted in 1996, it now dictates that healthcare entities cannot use or share health information without the individual’s written consent.
However, it’s limited to the companies directly labeled as healthcare providers: health information shared online or with a nutrition app is not covered. In a similar way, the Gramm-Leach-Bliley Act (GLBA) requires covered financial institutions to collect only relevant data, explain precisely what they’re collecting and why, and safeguard it internally.
But US data regulations are slowly changing: the California Consumer Privacy Act (CCPA) grants consumers the right to be informed about the personal information a business collects, and about which organizations are buying and selling this data. It further grants consumers the right to have personal information collected by the business deleted, and, from 2023, the California Privacy Rights Act (CPRA) has further solidified privacy as a personal right.
As data protection laws become more stringent, it’s vital to keep an eye on the companies that have fallen foul of the law – and what you can learn from their failures. The Tesla files are one such example, in which the personal information of over 75,000 current and former employees was leaked by malicious ex-employees.
With no monitoring mechanisms protecting this data, 100GB of it was free to be leaked to German publication Handelsblatt.
Alongside providing identity-theft monitoring to all affected employees, Tesla could face a multi-billion-dollar GDPR fine. For now, it’s embroiled in lengthy lawsuits with the two employees who allegedly leaked the documents – and in the ensuing media embarrassment of having employee data and customer support documents leaked.
A VPN connection takes place over a VPN tunnel – an encrypted connection between the user’s device and the VPN server. The local client encrypts outgoing traffic as it enters the tunnel and decrypts the session data that comes back; the VPN server does the same at the other end.
By connecting a VPN to your company’s network and database, employees are able to use this VPN tunnel for access. For simplicity, let’s focus on how VPNs aid adherence to the most stringent of data protection laws: GDPR.
Two technical measures are explicitly named by the GDPR (Article 32 lists both pseudonymization and encryption of personal data):
In Article 4(5) of the GDPR, pseudonymization is defined as processing personal data so that it can no longer be attributed to a specific data subject without additional information, such as a lookup key, that is kept separately. That key is then issued to an authorized party only when they need to access the de-pseudonymized data.
A VPN offers this pseudonymization to employees’ IP addresses: when employees connect to the internet through an enterprise VPN, their devices’ real IP addresses are masked. Instead of appearing with their own IP, they are seen with the IP address of the VPN server.
This means external websites and services cannot trace activities back to individual users within the organization, offering a layer of pseudonymity.
While a VPN disguises the external presence of users, it still maintains robust internal authentication and access controls. This means that within internal systems, users are identified and managed based on their credentials, but to the outside world, their activities remain pseudonymized.
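As an added example (not code from the original article or from any vendor it mentions), here is a Go sketch of what Article 4(5) asks for in practice: a pseudonymizer whose HMAC key and reverse mapping are held separately from the records that are shared, plus the VPN view described above, in which an outgoing record carries the VPN server’s egress address rather than the employee’s real IP. All names, addresses and keys are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// AccessRecord is an internal VPN session log entry: inside the organization the
// employee is identified by credentials and the device's real address is known.
type AccessRecord struct{ Employee, RealIP, Dest string }

// SharedRecord is the form that may leave the organization (e.g. to an analytics
// vendor): identity pseudonymized, source address = the VPN server's egress address.
type SharedRecord struct{ Subject, SourceIP, Dest string }

// Pseudonymizer holds the "additional information" of GDPR Art. 4(5): a secret HMAC
// key and the reverse mapping, both kept separately from the pseudonymized data.
type Pseudonymizer struct {
	key   []byte
	table map[string]string // pseudonym -> employee, held only by the key holder
}

func NewPseudonymizer(key []byte) *Pseudonymizer {
	return &Pseudonymizer{key: key, table: map[string]string{}}
}

// Pseudonymize returns a stable keyed pseudonym for an identifier. Without the key it
// cannot be recomputed; without the table it cannot be reversed.
func (p *Pseudonymizer) Pseudonymize(id string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(id))
	pseudo := "subj-" + hex.EncodeToString(mac.Sum(nil))[:16]
	p.table[pseudo] = id
	return pseudo
}

// Reidentify is the step the article describes as issuing a key to an authorized
// party: only the holder of the separately stored mapping can resolve a pseudonym.
func (p *Pseudonymizer) Reidentify(pseudo string) (string, bool) {
	id, ok := p.table[pseudo]
	return id, ok
}

// Share converts an internal record into the externally visible form: the real IP
// is replaced by the VPN egress address and the identity is pseudonymized.
func (p *Pseudonymizer) Share(r AccessRecord, vpnEgressIP string) SharedRecord {
	return SharedRecord{Subject: p.Pseudonymize(r.Employee), SourceIP: vpnEgressIP, Dest: r.Dest}
}
```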
While a VPN offers pseudonymized IP addresses, a key component of data protection laws is protection while in transit. VPNs maintain secure data transference through encryption, which uses a cipher (the algorithm) to scramble messages into an unreadable form. To decrypt these messages, the matching secret key is required: the algorithm itself is public, so it is the key that protects the data.
When you connect to the internet through a VPN, your connection is encrypted at the start of the tunnel and decrypted at the VPN server before being sent to the website you are visiting. This process ensures that the website sees only the VPN server’s IP address, while your ISP – and any potential packet sniffer or man-in-the-middle attacker – only detects a stream of scrambled data.
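An added Go example, not from the original article, that models the tunnel described above: the client seals the real destination and request under a shared AES-GCM session key, the outer packet shows only the client and VPN server addresses, and the server needs the key both to read the packet and to detect tampering. The key exchange that produces the session key is assumed to have already happened; all addresses are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// InnerPacket is what the employee really sends; only the two VPN endpoints see it in the clear.
type InnerPacket struct{ DestHost, Payload string }

// OuterPacket is what crosses the ISP's network: the tunnel endpoints plus opaque ciphertext.
type OuterPacket struct {
	SrcIP, DstIP      string
	Nonce, Ciphertext []byte
}

// Tunnel is the AES-GCM state shared by client and server: the key is the secret, the algorithm is public.
type Tunnel struct{ aead cipher.AEAD }

func NewTunnel(key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes (32 = AES-256)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &Tunnel{aead: aead}, nil
}

// Encapsulate runs at the client. Both outer addresses are bound as associated data,
// so a man-in-the-middle cannot re-route the packet without breaking the auth tag.
func (t *Tunnel) Encapsulate(clientIP, vpnIP string, in InnerPacket) (OuterPacket, error) {
	nonce := make([]byte, t.aead.NonceSize()) // fresh per packet; never reused under one key
	if _, err := rand.Read(nonce); err != nil {
		return OuterPacket{}, err
	}
	ct := t.aead.Seal(nil, nonce, []byte(in.DestHost+"\n"+in.Payload), []byte(clientIP+">"+vpnIP))
	return OuterPacket{SrcIP: clientIP, DstIP: vpnIP, Nonce: nonce, Ciphertext: ct}, nil
}

// Decapsulate runs at the VPN server: only the key holder recovers the real destination; tampering fails the tag check.
func (t *Tunnel) Decapsulate(out OuterPacket) (InnerPacket, error) {
	plain, err := t.aead.Open(nil, out.Nonce, out.Ciphertext, []byte(out.SrcIP+">"+out.DstIP))
	if err != nil {
		return InnerPacket{}, err
	}
	host, payload, _ := bytes.Cut(plain, []byte{'\n'})
	return InnerPacket{DestHost: string(host), Payload: string(payload)}, nil
}
```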
Some important context behind data protection requirements is the GDPR’s idea of data localization. When transferring data between countries, the Schrems II ruling heavily restricts transfers to third countries that don’t have appropriate protection levels.
Companies are therefore pushed to build more regional infrastructure.
In the Middle East, localization rules demand that companies establish IT infrastructures within specific countries. Similarly, global companies operating in China are creating IT architectures that isolate their Chinese operations.
This necessity arises in part because the Chinese government mandates that VPNs provide government backdoor access, making them insecure for use in other countries.
As a tool, enterprise VPNs are well-positioned to handle increasing localization: by routing traffic through the database’s respective local server, it’s possible for US-based talent to be subject to the same data protection protocols as their colleagues when accessing GDPR-covered data.
However, it’s vital that your VPN of choice fits the specific demands of a country’s regulations.
Because a VPN acts as a point of access, it is also well suited to implementing more stringent access controls. For instance, marketing data can be protected with one VPN, while financial databases are accessed – and therefore protected – through another. This network segmentation lets you control and manage access, ensuring that only authorized employees can reach the data and that it’s transmitted securely.
First, determine whether you need a site-to-site VPN or a remote-access one. The former grants VPN access between corporate networks at different sites, while the latter allows anyone with a local VPN client to connect to their respective areas of the corporate network.
A key aspect is consolidation: rather than running many different VPN services, tools such as Perimeter 81 grant employees access to private servers via group-based user roles. Through one primary dashboard, it becomes possible to monitor access organization-wide while keeping network access segmented.
To ensure adequate access controls, your VPN endpoints should include suitable session timeouts and multi-factor authentication (MFA). Your VPN should also come with a kill switch that blocks outgoing connections if the secure connection fails. With Perimeter 81, go even further: identify what personal data is covered by GDPR demands, see where it’s located, and secure it. Learn more with a free demo.