Under the GDPR, organizations must take appropriate measures to protect personal data from unauthorized access, use, disclosure, or destruction. One of the measures that organizations can take is to use encryption and other cryptographic techniques to protect personal data.
What are the GDPR requirements for encryption?
The General Data Protection Regulation (GDPR) is the European Union's data protection law. It applies to organizations established in the EU and, regardless of where they are located, to any organization that offers goods or services to, or monitors the behaviour of, individuals in the EU. The individuals' citizenship is irrelevant: the law protects anyone whose data is processed in that context.
The GDPR does not mandate encryption. Article 32 requires controllers and processors to implement appropriate technical and organizational measures to secure personal data, and names "the pseudonymisation and encryption of personal data" as one example of such a measure. Article 34 also exempts a controller from notifying affected individuals of a breach where the data had been rendered unintelligible to unauthorized persons, for instance by encryption (notification to the supervisory authority under Article 33 is still required). That exemption is a concrete, practical reason to encrypt. Encryption is one of the most effective controls available, provided it is used as part of a well-designed system with sound key management. Encryption technology is widely available and relatively inexpensive, making it accessible to businesses of all sizes.
Encryption transforms data into an unreadable form using a mathematical algorithm and a key. Even if someone gains access to the encrypted data, they cannot make sense of it without the correct decryption key. Encryption therefore provides an extra layer of security for sensitive information and helps organizations meet the GDPR's requirements for protecting personal data. It is important to note that encryption alone is not enough: the key must be kept away from the data and from anyone who could reach it, and organizations should also maintain other security measures and regular vulnerability scans to protect their customers' data.
There are two types of encryption commonly used today: symmetric and asymmetric. With symmetric encryption (for example AES), the same key is used for both encryption and decryption, so the key must be distributed securely to every party that needs it and kept secret by all of them. With asymmetric encryption (for example RSA), different keys are used: anyone may encrypt with the public key, but only the holder of the private key can decrypt. Asymmetric algorithms are computationally far more expensive and handle only small messages, so in practice the two are combined: asymmetric encryption transports or wraps a symmetric key, and the symmetric key encrypts the bulk data.
Cryptographic hashing also has a role, but it should not be confused with encryption: a hash function involves no key and cannot be reversed to recover the input. It maps an input of any length to a fixed-length digest, which makes it useful for verifying that a file has not been altered during transfer or storage. One caveat matters in practice: an unkeyed digest stored next to the file can simply be recomputed by whoever altered the file, so on its own it protects against accidental corruption, not deliberate tampering. To detect malicious alteration the digest must itself be protected, either by obtaining it over a trusted channel or by using a keyed construction such as an HMAC or a digital signature.
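The difference between an unkeyed digest and a keyed one, as an added example that is not part of the original article. The program below (Go standard library only) hashes a constructed sample record, shows that the digest length is fixed whatever the input size, and then models an attacker who rewrites the stored file and recomputes the SHA-256 digest published beside it: the plain hash check still passes, while an HMAC-SHA256 tag computed under a key the attacker does not hold fails. The record contents and the key are made up for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Sha256Hex returns the SHA-256 digest of data as hex: always 64 characters
// (32 bytes) regardless of input length, and not reversible to the input.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyHash recomputes the digest and compares it in constant time with the
// digest that accompanied the data.
func VerifyHash(data []byte, digestHex string) bool {
	return hmac.Equal([]byte(Sha256Hex(data)), []byte(digestHex))
}

// HmacHex returns HMAC-SHA256 of data under key. Only a party holding key can
// produce a valid tag, which is what turns a hash into a tamper check.
func HmacHex(key, data []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(data)
	return hex.EncodeToString(mac.Sum(nil))
}

// VerifyHmac recomputes the tag under key and compares in constant time.
func VerifyHmac(key, data []byte, tagHex string) bool {
	return hmac.Equal([]byte(HmacHex(key, data)), []byte(tagHex))
}

// TamperScenario models an attacker who can rewrite a stored file AND the
// unkeyed digest published next to it, but who does not hold key. It reports
// whether the plain hash check and the HMAC check still pass for the modified file.
func TamperScenario(key, original, modified []byte) (hashPasses, hmacPasses bool) {
	tag := HmacHex(key, original) // computed by the data owner before storage
	// The attacker swaps the file and recomputes the digest; anyone can do that.
	forgedDigest := Sha256Hex(modified)
	// The attacker cannot recompute the tag, so the owner's tag stays as it was.
	return VerifyHash(modified, forgedDigest), VerifyHmac(key, modified, tag)
}

func main() {
	// Constructed sample inputs: a small personal-data record and a 1 MiB blob.
	small := []byte("id=1042;name=Jane Doe;email=jane@example.com")
	large := []byte(strings.Repeat("x", 1<<20))
	fmt.Println(len(Sha256Hex(small)), len(Sha256Hex(large))) // 64 64: fixed-length output

	// Constructed demo key; in practice use 32 bytes from a CSPRNG, kept in a key store.
	key := []byte("constructed-demo-key-do-not-use")
	modified := []byte("id=1042;name=Jane Doe;email=attacker@example.com")
	h, m := TamperScenario(key, small, modified)
	fmt.Printf("plain hash still verifies: %v, HMAC still verifies: %v\n", h, m) // true, false
}
```

The constant-time comparison (hmac.Equal) matters for the keyed check: a byte-by-byte early-exit comparison leaks how many leading bytes of a guessed tag were right.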
How to implement encryption for GDPR compliance?
When implementing encryption, organizations must consider the choice of algorithm and key size, as well as the software that performs encryption and decryption of data at rest or in transit. Use well-vetted, standardized algorithms in authenticated modes (for example AES-256 in GCM mode), with keys generated from a cryptographically secure random source and large enough that they cannot be guessed or brute-forced. Above all, the keys must be stored and managed securely, separately from the data they protect and ideally in a hardware security module or key management service: encrypted data is only as secure as its key.
Organizations should consider using encryption for any processing of personal data: storing it on servers, transmitting it over networks, or sharing it with third parties. These steps help organizations meet their GDPR obligations and protect their customers' sensitive information.
Assess which data falls under the GDPR
Businesses need to determine which personal data they store, process, or transmit. This includes understanding which data is subject to the GDPR, where this data is stored, and what security measures are in place for its protection. Companies should be aware that not knowing about the existence of personal data does not excuse them from compliance responsibilities; they can incur GDPR penalties due to lack of proper safeguards on information they were unaware was personal in nature.
A Data Protection Impact Assessment (DPIA) helps a company decide whether encryption is an appropriate safeguard for a given processing activity. A DPIA evaluates the type of data processed, the associated risks, and the measures that can reduce those risks, including whether encryption is needed to shield personal data from unauthorized access. Recording that decision in the DPIA also lets the organization show a regulator how the data is protected and why.
Develop GDPR Encryption Policies
Organizations should create detailed encryption policies to define how and when data should be encrypted in order to prevent errors from being caused by ad-hoc or inconsistent implementation. Encryption policies provide two major advantages: security and adherence to regulations.
By having a solid foundation of processes, organizations can create consistent GDPR encryption practices to reach their compliance goals while still meeting the various needs of different systems and data types.
Encryption, GDPR, and Data in Transit
Data in transit is data moving between systems or between components of a system: for example, a form submitted from an individual's web browser, or a data set sent by a business to an outside processor. Data in motion is especially exposed because it crosses networks outside the boundary of the controller or processor. The usual protections are TLS, as used by HTTPS, and virtual private networks (VPNs). In both cases the client must validate the server's certificate: a TLS connection that skips certificate validation defeats passive eavesdropping but not an active attacker impersonating the endpoint.
Organizations should encrypt personal data in transit on every hop, not only when sending it to third parties; internal networks are not immune to interception. Encryption makes the data unreadable to anyone who captures it without the session keys, and helps organizations meet GDPR obligations and protect individuals' personal information.
Encryption, GDPR, and Data At Rest
Data at rest is often seen as lower risk than data in transit because access controls should already keep attackers away from internal storage. But attackers still reach unencrypted data through software vulnerabilities, insider access, phishing, and lost or stolen disks and backup media. Encryption at rest with securely managed keys means that a copy of the stored data is unreadable to anyone who obtains it without the key. It is one part of a layered approach to GDPR compliance and data protection; it does not protect against an attacker who compromises a system that legitimately holds the key.
Organizations typically store backups on physical media such as tape or disk and move them to secure off-site locations. Backup media is easy to lose or steal, so encrypting it is standard practice. Proper key management is essential: a backup whose key has been lost or rotated away is unrecoverable.
An organization may instead use a cloud service for off-site backup or storage. The data is sent over the internet and stored on a third-party provider's servers. A secure transfer protocol such as TLS protects the data in transit, but only in transit: unless the organization encrypts the data itself, it arrives at the provider in the same form it had on the organization's own systems, and any server-side encryption the provider applies uses keys the provider controls.
The way to mitigate this risk is client-side encryption: encrypt the data before it leaves the organization, and keep the keys under the organization's own control, so that neither the cloud provider nor a third party who breaches the provider can read it.
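Client-side encryption of a backup before upload, as an added example that is not part of the original article, also illustrating the symmetric/asymmetric combination and the key-management point made earlier. The Go program below (standard library only) generates a fresh 256-bit data encryption key (DEK), encrypts a constructed sample record with AES-256-GCM, and wraps the DEK with an RSA-OAEP key-encryption key (KEK). Only the wrapped DEK, the nonce and the ciphertext are handed to the provider; the RSA private key stays with the organization. The record, label and the in-process RSA key are assumptions for the demonstration; in production the KEK lives in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// BackupPackage is everything that leaves the organisation. The provider sees
// only opaque bytes: the data key is wrapped under a public key whose private
// half never leaves the organisation.
type BackupPackage struct {
	WrappedDEK []byte // RSA-OAEP(DEK) under the organisation's key-encryption key (KEK)
	Nonce      []byte // 96-bit AES-GCM nonce; fresh per DEK, never reused with the same DEK
	Ciphertext []byte // AES-256-GCM output with the 16-byte authentication tag appended
}

// EncryptForUpload generates a fresh 256-bit DEK, encrypts plaintext under it
// with AES-GCM, and wraps the DEK with the RSA KEK. label is non-secret context
// (e.g. the backup name) bound to both the ciphertext and the wrapped key, so a
// stored package cannot be silently relabelled or swapped with another.
func EncryptForUpload(kekPub *rsa.PublicKey, plaintext, label []byte) (*BackupPackage, error) {
	dek := make([]byte, 32) // 256-bit key from the OS CSPRNG
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kekPub, dek, label)
	if err != nil {
		return nil, err
	}
	return &BackupPackage{
		WrappedDEK: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, label),
	}, nil
}

// DecryptFromStorage unwraps the DEK with the private KEK and opens the
// ciphertext. Any change to the nonce, ciphertext, tag or label makes Open fail,
// so a provider or intruder who edits the stored package is detected.
func DecryptFromStorage(kekPriv *rsa.PrivateKey, pkg *BackupPackage, label []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kekPriv, pkg.WrappedDEK, label)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong KEK, wrong label or corrupted package")
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, pkg.Nonce, pkg.Ciphertext, label)
	if err != nil {
		return nil, errors.New("integrity check failed: stored package was modified")
	}
	return plaintext, nil
}

// newGCM builds an AES-GCM AEAD from a raw key (16, 24 or 32 bytes).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	kek, err := rsa.GenerateKey(rand.Reader, 2048) // demo size; in production the KEK lives in an HSM/KMS
	if err != nil {
		panic(err)
	}
	label := []byte("customer-db-backup-2024-01-31")                 // constructed
	record := []byte("id=1042;name=Jane Doe;email=jane@example.com") // constructed sample record
	pkg, err := EncryptForUpload(&kek.PublicKey, record, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload: %d ciphertext bytes, %d wrapped-key bytes\n", len(pkg.Ciphertext), len(pkg.WrappedDEK))
	restored, err := DecryptFromStorage(kek, pkg, label)
	fmt.Printf("restore with own KEK: %q err=%v\n", restored, err)
	pkg.Ciphertext[0] ^= 0x01 // simulate an object modified in the provider's store
	_, err = DecryptFromStorage(kek, pkg, label)
	fmt.Println("restore after tampering:", err)
}
```

Because the DEK is wrapped rather than stored, rotating the KEK means re-wrapping a few dozen bytes per backup, not re-encrypting the data; losing the private KEK, on the other hand, makes every package unrecoverable, which is the key-management point above.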
Five data encryption best practices under GDPR
To enhance data security and limit risks of data breaches, it is recommended to follow these five best practices for data encryption.
- Use encryption for all personal and sensitive data.
- Maintain the protection of encryption and decryption keys with a secure key management system.
- Maintain privacy and security of data both while at rest and during transit.
- Have measures in place to recover files and encryption keys in case of a security breach.
- Ensure that the encryption of data does not impact the functionality, accessibility, or performance of the business.
To apply such practices, organizations need to create and implement effective encryption policies and procedures. They should have a secure key management system in place that controls access to encryption keys and ensures that their security requirements are met. Encryption policies should also include provisions for backing up encrypted data in case the original data is lost or destroyed. Additionally, all staff members who have access to sensitive information should be trained on proper encryption procedures and key management.
Encryption is a technique that can be useful for achieving GDPR compliance. While it's not mandatory, it can enhance data security by converting information into a non-readable format that only authorized parties can access. Implementing a GDPR data encryption strategy can prove advantageous for organizations, particularly in preventing data breaches.
Data encryption is an essential component of an organization's data security strategy, whichever regulation applies. By implementing encryption, an organization can reduce the impact of a data breach and its exposure to fines, which can far exceed the cost of implementing encryption.
Cryptomathic has more than 35 years' experience of helping multinational organizations protect their data with encryption and key management. Download our white paper on selecting the right key management system or contact us to discuss your requirements.