What you need to know about encryption and GDPR
There’s a lot of mythology about encryption: that it’s highly complex to manage, that it will slow down dramatically application or network performance, that it’s ruinously expensive, and so on. Another myth is that the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, made encryption mandatory: it hasn’t, and in fact encryption is hardly mentioned by authors of the rules. But deploying encryption to protect sensitive data makes lot of sense as a significant aspect of your broader compliance strategy.
GDPR has attracted a lot of attention and it’s not just media or industry hype. This is the biggest change to data protection legislation for decades because there is a significant tightening of rules along with considerable penalties for non-compliance. GDPR has already changed attitudes to the retention and management of personally identifiable information and, as cases are prosecuted, there will be many more defensive actions taken.
The GDPR rules are double-edged in that they impact internally, on employees, and externally, on data stored or transferred relating to customers and partners. Essentially, GDPR sets out to be far more prescriptive about what information organisations can hold and what they can use it for. Losing sensitive data could lead to some serious conversations with Data Protection Authorities (DPAs), the independent public bodies that act as GDPR supervisors.
This is where encryption comes in. Data can leak out on purpose, for example, through criminals and disgruntled staff keen to access valuable information or embarrass companies. Or it can be lost accidentally (for example, through the carelessness or ignorance of employees forwarding on customer details).
The latter is more controllable, through training and more secure workflows. But when data leaves the workplace
on its way to the internet or a cloud service provider it’s hard to ensure that it can’t be snooped on. That’s in part because the internet and cloud computing is based on open protocols and shared infrastructure. When data leaves the building it’s difficult to guarantee it’s flowing in a safe way because the public internet shares ducts, cabinets, fibre and other common elements.
Encryption is no universal panacea but, used properly, it definitely makes data safer. Think of it as another layer to buttress security in the event of malicious or accidental leakage – in both cases, scrambling data through encryption reduces the risk of it being misused.
Don’t take my word for it, the authors of GDPR explicitly refer to “measures to mitigate those risks, such as encryption”, “appropriate safeguards, which may include encryption”, “the pseudonomisation and encryption of personal data” and tools to make data “unintelligible to any person who is not authorised to access it, such as encryption”.
Known and unknown factors
There are still some unknowns and grey areas when it comes to GDPR, however. We don’t know precisely how individual DPAs will interpret the rules, for instance, and there is no official guidance on how strong encryption should be, nor reference to whether encrypted data is being referred to in the context of being at rest (stored) or in transit (where data is being transferred).
But some DPAs, such as the UK’s Information Commissioner’s Office (ICO) have gone into a fair amount of detail in discussing the positive impacts of using encryption, including providing March 2016 guidance on encryption. In a blog at the time it stated its position clearly:
“The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur.”
What’s clear is that encrypting data (and taking sufficient care with encryption keys of course) is ultimately a sensible precaution – if data is lost it is still relatively safe as that data will be scrambled and, therefore, useless. That should at the very least persuade DPAs to be more lenient in the event of a wider data compromise.
That said, encryption is no ‘get out of jail free’ card for GDPR and we’re seeing more companies looking at other tactics such as using more private Ethernet or optical connections and equipment. It will certainly also be sensible to conduct more training and education with staff and partners and it might be that managed services become more popular as a way of winning access to expertise and best practices. What is clear that the buck stops with the organisation. In light of this, encryption should be considered in the round as a component, but not the defining feature of, good data governance today, and for tomorrow.
This blog originates from GDPR:Report, if you’d like to view the original article, please click here