GDPR encryption requirements
(Last updated on September 26, 2019)
The integrity and protection of personal data is an essential part of the EU General Data Protection Regulation (GDPR). According to the regulation, a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4, definition 12). To reduce the probability of a personal data breach, organizations are encouraged to employ a combination of security measures.
Encryption is the process of changing information to make it unreadable by anyone except those possessing special knowledge (commonly referred to as a secret key) that allows them to change the information back to its original form. By converting information into an unreadable format, encryption technology protects data from unauthorized access. Organizations that want to comply with GDPR can use encryption as one of many security measures to protect data.
The GDPR document mentions encryption on a few occasions, for example:
- Recital 83: “…implement measures to mitigate those risks, such as encryption.”
- Article 6 Lawfulness of processing: 4e) “…appropriate safeguards, which may include encryption or pseudonymization.”
- Article 32 Security of processing: 1) “…including inter alia as appropriate: a) the pseudonymization and encryption of personal data.”
- Article 34 Communication of a personal data breach to the data subject: 3a) “…unintelligible to any person who is not authorized to access it, such as encryption”
In its four appearances, encryption follows qualifying language: “may include”, “as appropriate”, and “such as.” Additionally, there’s very little context around encryption – what level and standard of encryption, where to use encryption, and which types of data (data at rest, data in transit, etc.). From the above, we can deduce that there are no explicit encryption requirements.
On the other hand, the GDPR document consistently calls for appropriate technical and organizational measures. This language appears in Article 32, which concerns the protection and security of personal data. Encryption is also suggested in Article 32, followed by: 2) “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
Essentially, the document says that your security controls, in this case encryption, should be considered alongside the risk of a personal data breach. For example, are your corporate devices (mobiles, laptops, etc.) susceptible to accidental, unlawful, or unauthorized disclosure of personal data? If users are working remotely, or you’re not locking up your server room, the answer is likely Yes. Most companies will want to protect data at rest, especially on devices that are susceptible to theft. This will ensure that the data is inaccessible even if the hard drive is removed and installed in another machine.
Encrypting data at rest is only a small part of a complete security plan. It provides little protection for data in transit, that is, data moving from one component, location, or program to another. To protect data across endpoints, you will need to use encryption alongside robust network security controls. Use encrypted connections (HTTPS, SSL, TLS, FTPS, etc.) to protect the content of data in transit.
Encryption is not a cure-all, but when applied comprehensively across the technology stack, it makes data less susceptible to exposure. Additionally, when encryption is in place, there is no regulatory obligation to inform the Data Subject following a security incident (Article 34). In other words, while encryption is not required by GDPR, it can be a highly effective technique for compliance.
As a final word of advice, don’t let encryption and compliance give you a false sense of security. Compromised credentials are the easiest way to breach an organization, so use multi-factor authentication to secure critical use cases where an attacker could gain access, such as password reset and encryption key recovery. Specops Key Recovery is a self-service solution for unlocking computers encrypted or managed by Symantec Endpoint Encryption. A user who is locked out at the pre-boot authentication screen can use Specops Key Recovery to unlock their computer without calling the helpdesk. For added security, users are verified with multi-factor authentication before receiving a recovery key.