The General Data Protection Regulation (GDPR) imposes security and privacy regulations that apply to businesses that store or process European Union residents’ personal data. It enacts a broad range of measures to give data subjects control over their data and protect them from unauthorized exposure.
Encryption is a vital aspect of obtaining GDPR compliance. Encryption protects your organization so that in the event that data is lost, stolen, or compromised, there is a line of defense. Adding encryption as a layer of protection for your data strengthens your organization’s ability to protect that data in a way that complies with the regulation and provides assurance to your clients. Businesses with EU users and customers need to know what GDPR encryption rules mean for their data security and privacy efforts.
What Does The GDPR Say About Encryption?
The GDPR does not mandate specific technologies or implementations, so no rule says, “you must encrypt personally identifiable data.” However, GDPR Article 32(1) states that data controllers and processors must implement appropriate technical and organizational measures to secure personal data, and it names encryption as one measure that can help businesses achieve their GDPR compliance objectives.
Encryption is the best way to protect data, provided it’s used as part of a secure system. Encryption is often built into infrastructure hosting platforms, and effective encryption technology is available to all businesses at a minimal cost.
1. Assess Which Data Falls Under the GDPR
The first step is to discover which personal data your business stores, processes, or transmits. That includes knowing which data is in scope for the GDPR, where it’s stored, and the privacy and security measures the business uses to protect it. Ignorance isn’t a defense; businesses often breach the GDPR by failing to protect information they don’t realize contains personal data.
A Data Protection Impact Assessment (DPIA) can help businesses discover whether encryption is appropriate. A DPIA assesses data processed by an organization to determine whether it poses a risk under the GDPR. It considers the data’s nature, the level of risk, and the measures that could be taken to mitigate risk, including encryption. GDPR provides a template that can guide your organization through this process.
2. Develop GDPR Encryption Policies
Encryption policies should clearly describe how and when data processed by your organization is to be encrypted. Encryption policies help avoid mistakes caused by ad-hoc and inconsistent implementation.
Encryption policies supported by the organization’s leadership have two main benefits:
- They provide a foundation on which specific procedures can be based, allowing the organization to develop consistent GDPR encryption practices to achieve compliance objectives while meeting the varied needs of different systems and data types.
- They can mandate training requirements for relevant staff to ensure they know encryption policies, procedures, and responsibilities. Many data breaches occur because employees fail to follow encryption best practices by, for example, downloading personal data to an unencrypted portable drive or uploading it to an improperly configured cloud storage service.
3. Encryption, GDPR, and Data in Transit
Data is said to be in transit when it is moved between systems or components of a system. For example, data in transit might be information submitted by a customer in a web browser or data delivered to a third-party processor by a business. Data in transit is at particular risk as it travels over open networks outside the influence of the data controller or processor. Standard encryption measures to protect data in transit include virtual private networks (VPNs) or HTTPS encryption using TLS certificates.
4. Encryption, GDPR, and Data at Rest
Data at rest is often considered a lower risk than data in transit because security measures should prevent an attacker from accessing internal storage devices. However, software vulnerabilities, insider threats, and phishing attacks may allow attackers to circumvent network border protections and steal unencrypted data. If data is encrypted at rest using securely managed keys, the attacker gets nothing of value. Encryption at rest is part of a layered approach to data protection and GDPR compliance.
5. Understand GDPR Encryption Requirements
There are many ways to encrypt data, but some are more effective than others. As computing power increases and cryptography advances, older standards and algorithms become easier to crack. To comply with the GDPR, use up-to-date, well-tested cryptographic tools that conform to reputable standards. While the GDPR doesn’t specify tools and standards, businesses typically rely on cryptographic security standards such as FIPS 140-2 and FIPS 197 in concert with broader information security standards such as ISO 27001 Annex A.10.1.
GDPR Compliance with KirkpatrickPrice
KirkpatrickPrice provides a range of services that can help your business comply with the GDPR and other information security regulations, including ISO 27001 audits, SOC 2 audits, and compliance audits for other regulations and standards. Businesses seeking to improve GDPR compliance also benefit from security awareness training, penetration testing, and remote access security testing.