As outlined earlier, the GDPR requires organisations to notify consumers in the event of a breach, with penalties of up to 4% of global revenue for non-compliance.
The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it. [page 61]
So the GDPR provides an exception where appropriate security controls are deployed: a breached organisation that has rendered the data unintelligible through encryption to anyone not authorised to access it is not mandated to declare the breach and notify the affected record owners.
Encryption therefore plays a vital role, offering the possibility of obviating the need for breach notification.
By deleting the keys associated with a consumer's records, a business can ensure that the encrypted data can never be accessed again.
With key management, businesses ensure encrypted data is never accessed in the clear, so the data is useless to an attacker in the event of a breach.
Separating data from direct identifiers means that linking the data to an identity is not possible. By encrypting data and managing the keys, you ensure PII cannot be extracted.
With encryption, even if public bodies issue a subpoena for the data or secretly access it, controllers retain full control over who can see it in cleartext.
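The two mechanisms described above, one data-encryption key per data subject and key deletion as the way to make stored records permanently unintelligible (often called crypto-shredding), can be shown end to end. The following Go program is an added example written for this page; it is not Gemalto code and does not model any Gemalto product. It keeps the per-subject AES-256-GCM keys in an in-memory map (the Vault type, the subject IDs and the sample record are all constructed for the example); a real deployment would keep those keys in an HSM or KMS, wrapped by a key-encryption key, which is the part a key-management product supplies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyShredded is returned once a subject's data key has been deleted:
// the ciphertext still exists but can no longer be turned into cleartext.
var ErrKeyShredded = errors.New("data key shredded: record is unrecoverable")

// Vault keeps one AES-256 data-encryption key (DEK) per data subject.
// A production deployment would hold these in an HSM or KMS (wrapped by a
// key-encryption key); this added example keeps them in memory.
type Vault struct {
	deks map[string][]byte // subject ID -> 32-byte DEK (hypothetical layout)
}

func NewVault() *Vault { return &Vault{deks: make(map[string][]byte)} }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one record under the subject's own DEK, generating the DEK on
// first use. The blob layout is nonce || ciphertext || GCM tag, and the subject
// ID is bound as associated data so a blob cannot be presented under another ID.
func (v *Vault) Encrypt(subject string, plaintext []byte) ([]byte, error) {
	dek, ok := v.deks[subject]
	if !ok {
		dek = make([]byte, 32)
		if _, err := rand.Read(dek); err != nil {
			return nil, err
		}
		v.deks[subject] = dek
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(subject)), nil
}

// Decrypt opens a blob with the subject's DEK; it fails closed if the DEK is gone.
func (v *Vault) Decrypt(subject string, blob []byte) ([]byte, error) {
	dek, ok := v.deks[subject]
	if !ok {
		return nil, ErrKeyShredded
	}
	aead, err := newAEAD(dek)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(subject))
}

// Shred fulfils an erasure request: zero the DEK in memory and drop it.
// Every record encrypted under it becomes unintelligible without touching
// the stored ciphertext, which may sit in backups that cannot be rewritten.
func (v *Vault) Shred(subject string) bool {
	dek, ok := v.deks[subject]
	if !ok {
		return false
	}
	for i := range dek {
		dek[i] = 0
	}
	delete(v.deks, subject)
	return true
}

func main() {
	v := NewVault()
	// Constructed sample record for a fictitious data subject.
	blob, _ := v.Encrypt("subject-0042", []byte("name=Alice; email=alice@example.com"))
	pt, _ := v.Decrypt("subject-0042", blob)
	fmt.Printf("before shred: %s\n", pt)
	v.Shred("subject-0042")
	if _, err := v.Decrypt("subject-0042", blob); err != nil {
		fmt.Println("after shred:", err)
	}
}
```

The point to take from the design is that erasure is an operation on the key store, not on the data store: once Shred has run, Decrypt fails for every copy of that subject's ciphertext, wherever it is replicated. Binding the subject ID as GCM associated data also means a blob taken from one subject's row cannot be decrypted by pointing it at another subject's key.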
Gemalto encryption and cryptographic key management products enable organisations to secure sensitive data in databases, applications, storage systems, virtualised platforms, and cloud environments with all four encryption methods, offering encryption solutions from file to network level.
Gemalto solutions also include comprehensive key management functionality including KMIP.
To address the GDPR compliance requirements, organisations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:
Strong key management is also needed to protect the encrypted data, ensure the deletion of files and comply with users' right to be forgotten.
The cryptographic keys generated by encryption processes represent a vital asset, so strong key management capabilities are a critical requirement of any encryption implementation. Quite simply, if keys are vulnerable to loss or exposure, the security benefits of encryption can be negated, and even leave the business exposed to the loss of sensitive and valuable data.
Cryptographic processing and acceleration
Key storage and lifecycle management
Cryptographic resources management
Scalability to meet long term business requirements
Supports Key Management Interoperability Protocol
The Key Management Interoperability Protocol (KMIP) enables you to use one platform to manage keys from different encryption tools and multiple vendors.