The General Data Protection Regulation (GDPR) imposes security and privacy obligations on organizations that store or process the personal data of individuals in the European Union, wherever those organizations are based. It enacts a broad range of measures to give data subjects control over their data and to protect them from unauthorized exposure.

Encryption is a key tool for meeting GDPR obligations. If data is lost, stolen, or otherwise compromised, encryption provides a line of defense: what the attacker obtains is ciphertext rather than readable personal data. Adding encryption as a layer of protection strengthens your organization's ability to protect that data in a way that satisfies the regulation and provides assurance to your clients. Businesses with EU users and customers need to know what the GDPR says about encryption and what it means for their data security and privacy efforts.

What Does The GDPR Say About Encryption?

The GDPR does not mandate specific technologies or implementations, so no rule says, "you must encrypt personal data." However, Article 32(1) requires data controllers and processors to implement appropriate technical and organizational measures to secure personal data, taking into account the state of the art, the cost of implementation, and the risks to data subjects, and Article 32(1)(a) names "the pseudonymisation and encryption of personal data" as the first example of such a measure. Encryption also matters after a breach: under Article 34(3)(a), a controller need not notify affected data subjects if the compromised data was protected by measures, such as encryption, that render it unintelligible to anyone not authorized to access it. Notification of the supervisory authority under Article 33 is assessed separately, on whether the breach is likely to result in a risk to individuals.

Encryption is one of the most effective controls available, but only as part of a secure system: it turns the problem of protecting large volumes of data into the problem of protecting keys, and data is exposed wherever it is decrypted for use. Encryption is built into most infrastructure and cloud hosting platforms, and well-tested encryption technology is available to all businesses at minimal cost.


1. Assess Which Data Falls Under the GDPR

The first step is to discover which personal data your business stores, processes, or transmits. That includes knowing which data is in scope for the GDPR, where it is stored (including copies in logs, backups, and test environments), and the privacy and security measures the business uses to protect it. Ignorance isn't a defense; businesses often breach the GDPR by failing to protect information they don't realize contains personal data.

A Data Protection Impact Assessment (DPIA) helps determine where encryption is appropriate. Article 35 requires a DPIA whenever processing is likely to result in a high risk to individuals, and a DPIA is good practice for other processing as well. It considers the nature, scope, context, and purposes of the processing, the risks to data subjects, and the measures that could mitigate those risks, including encryption. The regulation itself does not provide a form, but Article 35(7) lists the minimum content of a DPIA, and supervisory authorities such as the ICO publish DPIA templates that can guide your organization through the process.

2. Develop GDPR Encryption Policies

Encryption policies should clearly describe how and when data processed by your organization is to be encrypted, which algorithms and key lengths are acceptable, and who is responsible for generating, storing, rotating, and revoking keys. Written policies help avoid mistakes caused by ad-hoc and inconsistent implementation.

Encryption policies supported by the organization’s leadership have two main benefits: 

  • They provide a foundation on which specific procedures can be based, allowing the organization to develop consistent GDPR encryption practices to achieve compliance objectives while meeting the varied needs of different systems and data types.
  • They can mandate training requirements for relevant staff to ensure they know the encryption policies, procedures, and their responsibilities. Many data breaches occur because employees fail to follow encryption best practices by, for example, downloading personal data to an unencrypted portable drive or uploading it to an improperly configured cloud storage service.

3. Encryption, GDPR, and Data in Transit

Data is said to be in transit when it moves between systems or between components of a system. For example, data in transit might be information submitted by a customer in a web browser or data delivered by a business to a third-party processor. Data in transit is at particular risk because it travels over networks outside the control of the data controller or processor. The standard protection is TLS: HTTPS for web traffic and APIs, and TLS for mail, database, and message-queue connections, using current protocol versions (TLS 1.2 or later) with the client validating the server's certificate. VPNs such as IPsec or WireGuard protect links between sites and to remote staff. Note that TLS protects each connection hop by hop: if it terminates at a load balancer or proxy, the traffic between that device and the backend is in the clear unless it is encrypted as well.

4. Encryption, GDPR, and Data At Rest

Data at rest is often considered lower risk than data in transit because access controls should keep attackers away from internal storage. However, software vulnerabilities, insider threats, and phishing attacks let attackers get past network border protections and steal unencrypted data, and storage media, backups, and decommissioned disks leave the building in ways that network controls never see. If data is encrypted at rest with securely managed keys, the attacker gets only ciphertext, provided the keys are not stored alongside the data or reachable with the same compromised credentials. Full-disk or database-level encryption protects against lost media, while application-level encryption with keys held in a key management service (KMS) or hardware security module (HSM) also protects against an attacker who has a foothold on the storage host. Encryption at rest is one layer in a layered approach to data protection and GDPR compliance.
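The following is an added example, not code from the original page or from KirkpatrickPrice, showing the "securely managed keys" point in working Go: envelope encryption with AES-256-GCM, where each record gets its own data-encryption key (DEK) and only the DEK is wrapped by a key-encryption key (KEK) that is assumed to live in a KMS or HSM rather than beside the data. The record ID is bound as associated data so a ciphertext cannot be moved between records. The KEK, the record ID, and the sample personal data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what lands on disk or in the database: the personal data encrypted
// under a per-record data-encryption key (DEK), plus that DEK wrapped under a
// key-encryption key (KEK) held elsewhere (HSM, cloud KMS). Nothing in the
// record is useful to someone who copies the storage but not the KEK.
type Record struct {
	WrappedDEK []byte
	Ciphertext []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with AES-GCM under key and prefixes the random nonce.
// aad is authenticated but not encrypted, tying the ciphertext to its context.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails closed on a wrong key, wrong aad, or any tampering.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptRecord performs envelope encryption: a fresh DEK encrypts the data and
// only the DEK is wrapped with the long-lived KEK, so rotating the KEK means
// re-wrapping small keys rather than re-encrypting every record. recordID is
// bound as AAD so a ciphertext cannot be silently moved to a different record.
func EncryptRecord(kek []byte, recordID string, personalData []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, personalData, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the personal data.
func DecryptRecord(kek []byte, recordID string, r *Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(recordID))
}

func main() {
	// Constructed sample data; a real KEK would come from a KMS, never from disk
	// beside the records it protects.
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	rec, err := EncryptRecord(kek, "customer-42", []byte("Jane Doe <jane@example.com>"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, "customer-42", rec)
	fmt.Printf("with KEK:    %q err=%v\n", pt, err)
	// An attacker who exfiltrates the record but not the KEK learns nothing.
	_, err = DecryptRecord(make([]byte, 32), "customer-42", rec)
	fmt.Println("without KEK:", err)
}
```

Run it as-is to see the round trip succeed and decryption with a zeroed KEK fail. The design choice worth noting is that the stored record contains only ciphertext and a wrapped key, so a database dump or a copied backup is worthless without a second compromise of the key service, and KEK rotation touches only the small wrapped DEKs.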

5. Understand GDPR Encryption Requirements

There are many ways to encrypt data, and some are far more effective than others. As computing power grows and cryptanalysis advances, older algorithms and protocol versions become practical to break; DES, RC4, MD5 and SHA-1, and TLS 1.0 and 1.1 are all deprecated and should not be relied on to protect personal data. To meet the GDPR's "state of the art" requirement, use up-to-date, well-tested cryptographic libraries and algorithms that conform to reputable standards, and avoid writing your own. While the GDPR does not specify tools or standards, businesses typically rely on cryptographic standards such as FIPS 197 (AES) and FIPS 140-2 for validated cryptographic modules (now succeeded by FIPS 140-3), together with broader information security standards such as ISO/IEC 27001, whose cryptographic-controls requirement appears as Annex A.10.1 in the 2013 edition and control A.8.24 in the 2022 edition.

GDPR Compliance with KirkpatrickPrice

KirkpatrickPrice provides a range of services that can help your business comply with the GDPR and other information security regulations, including ISO 27001 audits, SOC 2 audits, and compliance audits for other regulations and standards. Businesses seeking to improve GDPR compliance also benefit from security awareness training, penetration testing, and remote access security testing.

Updating Your Privacy Policy for GDPR Compliance

Privacy policies are critical to GDPR compliance, because this statement or notice explains how an organization handles personal data. To comply with the GDPR, a privacy policy must be concise and written in clear, plain language (Article 12). However, in the weeks since the GDPR became enforceable, many privacy policies have not met these requirements. Organizations rushing to produce what they believed were GDPR-compliant privacy policies have often achieved the opposite: we are seeing privacy policies with a higher reading level, longer word count, and longer reading time, making them harder to understand than before the GDPR went into effect. So, what should a GDPR-compliant privacy policy include to avoid these pitfalls?

What Should a GDPR-Compliant Privacy Policy Include?

Article 13, in Section 2 of the GDPR ("Information and access to personal data"), sets out the information that must be provided when personal data is collected from a data subject (Article 14 covers data obtained from other sources). Following Article 13 and related provisions, we've compiled a checklist of over 20 items for your organization to consider when creating or updating your privacy policy.

To ensure fair and transparent processing, the law requires a privacy policy to include the following, among other things:

  • Identify the data controller
  • Identify the data protection officer, where one has been designated
  • Define the purposes of processing
  • Define the legal basis for processing
  • When "legitimate interests" are your legal basis for processing, describe the legitimate interests pursued
  • Describe the recipients or categories of recipients of personal data
  • If applicable, identify any intent to transfer personal data internationally
  • If applicable, identify the safeguards for international transfers of personal data
  • Define the data retention period or, if that is not possible, the criteria used to determine it
  • Describe data subjects' rights, including the right of access to personal data

The EU's General Data Protection Regulation (GDPR) is a top regulatory focus, and for good reason. Organizations across the globe are mapping their data, updating their privacy policies, updating contracts, reviewing their data collection processes, and trying to figure out whether they are a data controller or a processor, all to avoid the severe consequences of GDPR non-compliance. Not only are the requirements and scope of this data protection law extremely broad, but the fines and penalties that organizations could face for GDPR non-compliance are unlike any previously imposed by a data protection regulator.

GDPR Fines and Penalties

Organizations that have grown used to minor fines for data breaches or for misusing consumers' data can no longer put the security and privacy of that data on the back burner. To comply with the GDPR, organizations that market to, collect, use, or store the personal data of people in the EU must make security and privacy a top priority or face the consequences of non-compliance. As an EU regulation, the GDPR applies directly in every member state without needing national legislation, and non-compliance can lead to administrative fines of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater.

Fines and Penalties

  • Lower tier (Article 83(4), covering controller and processor obligations such as security of processing and DPIAs): up to €10 million or 2% of annual global turnover, whichever is greater.
  • Upper tier (Article 83(5), covering the basic processing principles, conditions for consent, data subjects' rights, and international transfers): up to €20 million or 4% of annual global turnover, whichever is greater.

For example, Hilton, one of the largest hotel and resort chains in the world, was fined a mere $700,000 for a data breach that exposed the information of 350,000 cardholders. That is a fine of just $2 per person affected by the breach. Considering that Hilton's annual global turnover for the previous year was $10.5 billion, the company could have been fined up to $420 million for the breach under the GDPR's harshest tier, or $1,200 per person affected. For data controllers like Hilton, as well as for data processors, understanding the consequences of GDPR non-compliance is crucial. A $700,000 fine presumably didn't affect Hilton much; a $420 million fine would have had far more severe implications.


The most common questions we receive regarding GDPR compliance are all related to terms and definitions. Controllers, processors, processing, sub-processor, joint controller, controller-processor: there are so many complicated, similar GDPR terms. If you've been confused by what the terms mean and which definitions are vital to the compliance process, you are not alone. What's your organization's role? Who enforces the GDPR? What kind of data is covered under the law? What kind of person is covered under the law? Understanding key GDPR terms will help you answer these questions and begin your GDPR compliance journey.

Key GDPR Terms Defined

Data Subject: Some may assume that "data subjects" means EU citizens, but the explicit language of the law (Article 3(2)) applies to processing the personal data of "data subjects who are in the Union," which could cover tourists, non-citizen residents, international students, and many others. Because the GDPR never formally defines "data subject" beyond the identified or identifiable natural person in Article 4(1), the public has been left with varying interpretations and significant challenges. We generally see five definitions proposed for data subjects:

  1. A person located in the EU,
  2. A resident of the EU,
  3. A citizen of the EU,
  4. An EU resident/citizen physically located anywhere in the world, or
  5. A person whose personal data is processed within the EU, regardless of that person’s location.

Organizations should closely monitor regulatory and legal developments related to the definition of “data subject.”

Personal Data: Per Article 4(1), personal data is any information relating to an identified or identifiable natural person (the data subject). A person is identifiable if they can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier such as an IP address, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. Email addresses, photographs, video or voice recordings, and biometric data are therefore all personal data.

Controller: The natural or legal person that determines the purposes and means of processing personal data. The greater the decision-making authority an organization has regarding what personal data to obtain from data subjects and how to use it, the more likely it is that the organization takes on the responsibilities of a data controller.

Processing: Any operation performed on personal data, including collecting, recording, storing, accessing, reviewing, disclosing, archiving, or destroying it (Article 4(2)).

Processor: The natural or legal person that processes personal data on behalf of a controller. Processors may only process data on the documented instructions of the controller; in return, processors must provide controllers with sufficient guarantees of GDPR compliance, notify them of data breaches without undue delay, and obtain their authorization before adding or changing sub-processors.

Data Protection Officer (DPO): An individual with expert knowledge of data protection law who serves as the contact point for data subjects and supervisory authorities, advises on and participates in data protection impact assessments, and monitors GDPR compliance.

Supervisory Authority: An independent public authority in each EU member state responsible for monitoring the application of the GDPR and addressing non-compliance. For example:

  • The National Commission on Informatics and Liberty (CNIL) in France
  • The Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany, alongside the data protection authorities of the individual German states, which supervise most private-sector organizations
  • The Spanish Data Protection Agency (AEPD) in Spain
  • The Information Commissioner's Office (ICO) in the United Kingdom, which since Brexit enforces the UK GDPR rather than the EU regulation

Joint Controller: When two or more controllers jointly have authority over and determine the purposes and means for processing personal data.

Controller-Processor: An organization or person identified as both a controller and a processor.

Sub-processor: An organization that processes personal data on behalf of a processor. Sub-processors must comply with the same contractual and compliance requirements as a processor.

For more information about how KirkpatrickPrice can assist you in meeting your compliance objectives, contact us today.

GDPR Requirements for Data Controllers and Processors

The first step towards GDPR compliance is determining your organization’s data role – are you a data controller or a data processor? Determining your role under GDPR can be challenging because of textual and practical ambiguity, but identifying your role is the starting point for determining which GDPR requirements your organization must follow.

What are the responsibilities of data controllers? A data controller determines the purpose and means for processing personal data. How much authority and decision-making over personal data does your organization have? The greater the authority, the more likely it is that an organization takes on the responsibilities of a data controller.

The Information Commissioner’s Office (ICO) guidance related to determining purposes of processing personal data says that if you are the decision-maker on any of the following items, then you are subject to the responsibilities of data controllers:

  • Who decides to collect the personal data in the first place and the legal basis for doing so?
  • Who decides which items of personal data to collect?
  • Who decides what methods to use to collect personal data?
  • Who decides the purpose(s) that the data are to be used for?
  • Who decides which individuals to collect data about?
  • Who decides whether to disclose the data, and if so, who to?
  • Who decides whether subject access and other individuals’ rights apply (i.e. the application of exemptions)?
  • Who decides how long to retain the data or whether to make non-routine amendments to the data?

According to the guidance on principles regarding the means of processing personal data, data controllers may determine:

  • What IT systems or other methods to use to collect personal data
  • How to store personal data
  • The detail of security surrounding the personal data
  • The means used to transfer personal data from one organization to another
  • The means used to retrieve personal data about certain individuals
  • The method for ensuring a retention schedule is adhered to
  • The means used to delete or dispose of personal data

What are the responsibilities of data processors? The law defines a data processor as the natural or legal person that processes personal data on behalf of a data controller. Processing is essentially anything done to personal data, including storing, archiving, or reviewing it. Data processors may only process data on the documented instructions of the data controller and must provide sufficient compliance guarantees to the controller.

Once you understand your organization's role under the GDPR, the next step is understanding which GDPR requirements apply to you. GDPR requirements depend on roles; they differ for controllers, processors, and controller-processors. In this white paper, you'll learn which requirements apply to data controllers, which apply to data processors, and which apply to both. Let's find out which GDPR requirements apply to your organization.