Much has already been written about EU General Data Protection Regulation (GDPR), which comes into force on 25th May 2018 to protect EU citizens’ personal data. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location. Unlike EU Directives, GDPR does not require national legislation to enact its provisions, so organizations not in compliance may face fines of up to 4% of annual global turnover or €20 Million (whichever is greater) from day one. The scope of the Regulation is broad, so this article will focus on the important role of encryption and particularly key management in aiding compliance. But first, let’s understand some key concepts and terminology:
'personal data' means any information relating to an identified or identifiable natural person (‘data subject’) [i.e. anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address];
'controller' means a person or organization that, alone or jointly with others, determines the purposes, conditions and means of the processing of personal data;
'processor' means a person or organization that processes personal data on behalf of the controller;
'pseudonymization' means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information;
'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
GDPR requires that organizations assess privacy and security risks and demonstrate that they’re taking appropriate steps as a result of their findings. Specifically, to perform the necessary due diligence and mitigate risks, organizations must:
Unfortunately, as we have seen time and time again in the press, companies’ perimeter security can be breached. Current cyber security wisdom is that such breaches cannot be entirely prevented; however, mitigations can be put in place to reduce the impact of such breaches and to detect and respond to them quickly. Encryption is a well-understood method to protect data, both at rest and in transit, and the technology is now ubiquitous, reliable and affordable. Implemented correctly, using reputable products, it can protect both the confidentiality and integrity of personal data, limiting access to those who are authorized to access it. GDPR recognizes the role that encryption can play in mitigating security risks, and specifically calls out encryption as an appropriate technical measure to ensure the security of personal data:
“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
Whilst encryption is very effective at protecting personal data, it crucially depends on the security of the secret/private cryptographic key that allows the data to be decrypted again. Thus the problem of protecting personal data is reduced to the problem of protecting such keys from unauthorized access and use. For example, keys must never be stored in the same place as encrypted data. Good key management practices are therefore essential in the deployment of cryptography, which entails:
To achieve these things, sophisticated technical and procedural measures must be put in place. However, as every encryption device/application requires a key, the number of keys starts to grow quickly within an organization, and a manual approach to managing keys quickly becomes impractical and a security risk in itself. This is where a good key management system comes in – one that ensures the generation of high-quality cryptographic keys, protects their confidentiality, integrity and availability through their entire lifecycle, manages and enforces user-defined security policies, ensures keys are updated as necessary, and that provides a secure audit trail.
Under GDPR, breach notification is mandatory where a personal data breach is likely to “result in a risk for the rights and freedoms of individuals”; this must be done within 72 hours of first having become aware of the breach. However, if you can demonstrate that you have protected personal data adequately through the use of encryption and can prove the keys remain secure, the impact of a breach is minimized and the obligations are reduced:
“The communication to the data subject … shall not be required if … the controller has implemented appropriate technical and organizational protection measures, and that those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.”
Most organizations today are using the cloud for applications and/or data storage, if not for running large parts of their IT systems. It is very likely that personal data will be held in the cloud, and it must therefore be encrypted. However, if you leave encryption to the cloud provider, or if the provider has access to the encryption key, it becomes a data processor and must be included within the scope of your compliance audits. While you may trust the security of the cloud provider, and there will likely be some contractual liability, you cannot relinquish responsibility for the data’s security; if there is a breach, regardless of who is at fault, your company will be subject to fines and public breach disclosure. If you do not control the encryption key yourself, you cannot assume any leaked data is safe.
This suggests that the encryption and decryption operations should be carried out locally rather than in the cloud, so that the keys are not exposed outside the company. In this way, outsourced bulk storage of data in the cloud is both practical and safe. However, where this is not possible (e.g. where the data is to be processed in the cloud and cannot be pseudonymized), organizations should aim to manage their own keys and securely upload them to the cloud. Where possible, they should make use of cloud-based hardware security modules (HSMs) to store the keys (which makes the keys inaccessible to any attacker), rather than relying on keys generated by the cloud provider and stored on the provider’s servers.
GDPR gives EU citizens sweeping new rights over how their data is held and managed, which puts a massive onus on organizations to protect the data. Whilst this can be minimized by reducing the amount of data collected and held or by pseudonymizing the data, there will still be a need to protect data at some or all points of its lifecycle. Encryption is thus a valuable tool and should be used to protect the confidentiality and integrity of personal data in transit and at rest. However, encryption is only as good as the key management that lies behind it. Manual key management processes are unlikely to give sufficient assurance for compliance audits and do not scale well. A proven commercial key management system is therefore a “must-have” to keep full control of keys (and thus of the personal data encrypted with those keys) and to demonstrate best practice for the purposes of audit and compliance.
Cryptomathic is a market-leader in key management systems that are used by large enterprises around the world. Its Crypto Key Management System (CKMS) empowers administrators to centrally manage the lifecycle of all cryptographic keys across a range of applications and encryption platforms. Based on industry standards, CKMS ensures compliance and simplifies internal and external audits. The latest version of CKMS introduces Bring Your Own Key (BYOK) support for cloud services such as Amazon Web Services (AWS) and Google Cloud Platform.