Encryption: A Cornerstone of GDPR Compliance


Encryption represents both an essential way to establish data confidentiality and integrity and a strong capability in easing and proving compliance with the new European General Data Protection Regulation.


As outlined earlier, the GDPR requires organisations to notify consumers in the event of a breach with penalties of up to 4% of their global revenue in the event of non-compliance.

However, this requirement also features the following important exclusion:


The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it. [page 61]
  Bytes Webinar - 'Encryption: GDPR's Get out of Jail Free Card?'

The Right Not to Report?

So, the GDPR provides an exception if appropriate security controls are deployed. A breached organisation that renders data unintelligible, through encryption, to any person who is not authorised to access it is not mandated to declare the breach and notify the affected record owners.

Encryption therefore plays a vital role, offering the possibility of obviating the need for breach notification. Note that the exclusion only holds where the protection was actually applied to the data concerned and, in practice, where the keys were not exposed alongside it.

Other Ways Encryption Aids in GDPR Compliance

Right to be Forgotten

By deleting keys associated with a consumer’s records, a business could ensure that encrypted data will never be accessed in future.

Privacy By Design

With sound key management, businesses ensure encrypted data is never accessed in the clear by anyone who does not hold the key. Ciphertext obtained in a breach is useless without that key.
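The key-deletion and "data is useless without the key" points above, as an added example (not code from Bytes or Gemalto): each data subject gets its own data-encryption key kept in a separate key store, records are encrypted under that key, and "forgetting" a subject destroys the key so the surviving ciphertext is unintelligible. The store and the HMAC-SHA256 counter-mode cipher are constructed here so the example runs with the Python standard library; a production system would use AES-GCM with keys held in an HSM or KMIP-managed key server.

```python
"""Crypto-shredding demo: per-subject keys, delete the key to 'forget' the data.
Added illustration only; the cipher below stands in for AES-GCM so that the
example runs offline without third-party packages."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: HMAC-SHA256(key, nonce || counter), truncated to length.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class SubjectStore:
    """Ciphertext store plus a separate key store, both indexed by data-subject id."""
    def __init__(self) -> None:
        self.keys = {}      # subject_id -> DEK; would live in an HSM / KMIP server
        self.records = {}   # subject_id -> list of ciphertext blobs

    def put(self, subject_id: str, plaintext: bytes) -> None:
        dek = self.keys.setdefault(subject_id, os.urandom(32))
        self.records.setdefault(subject_id, []).append(encrypt(dek, plaintext))

    def get(self, subject_id: str) -> list:
        if subject_id not in self.keys:
            raise KeyError(f"no key for {subject_id}: ciphertext is unrecoverable")
        return [decrypt(self.keys[subject_id], b) for b in self.records[subject_id]]

    def forget(self, subject_id: str) -> int:
        """Right to be forgotten: destroy the DEK. Ciphertext may persist in
        backups or replicas, but nobody can read it any more. Returns how many
        records were rendered unintelligible."""
        del self.keys[subject_id]
        return len(self.records.get(subject_id, []))
```

A breach that exposes only `records` (not `keys`) yields nothing readable, which is the situation the notification exclusion describes.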

Pseudonymisation


Separating data from direct identifiers means the data cannot be linked back to an identity without the separately held identifying information. By encrypting that data and controlling the keys, you ensure the PII cannot be extracted by anyone without key access.

Central Access Control


With encryption, even if a public body issues a subpoena for the data, or gains access to it covertly, the controller retains full control over who can see it in cleartext, because only the key holder can decrypt it.


Bytes partners with the data encryption global leader Gemalto to provide organisations with encryption solutions to meet the new Regulation.

Gemalto encryption and cryptographic key management products enable organisations to secure sensitive data in databases, applications, storage systems, virtualised platforms, and cloud environments with all four encryption methods, offering encryption solutions from file to network level.

Gemalto solutions also include comprehensive key management functionality including KMIP.

Encryption Methods

On Premise and in the Cloud

To address the GDPR compliance requirements, organisations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  1. Servers, including via file, application, database, and full disk virtual machine encryption.
  2. Storage, including through network-attached storage and storage area network encryption.
  3. Media, through disk encryption.
  4. Networks, for example through high-speed network encryption.

Strong key management is also needed to protect the encrypted data, ensure the deletion of files and comply with users' right to be forgotten.

Key Management

The Critical Tool in the Encryption Arsenal

The cryptographic keys generated by encryption processes represent a vital asset, so strong key management capabilities are a critical requirement of any encryption implementation. Quite simply, if keys are vulnerable to loss or exposure, the security benefits of encryption can be negated, and even leave the business exposed to the loss of sensitive and valuable data.

To manage keys securely and effectively, organisations need comprehensive capabilities, including:

  1. Cryptographic processing and acceleration.
  2. Key storage and lifecycle management.
  3. Cryptographic resources management.
  4. Scalability to meet long-term business requirements.
  5. Support for the Key Management Interoperability Protocol.


The Key Management Interoperability Protocol (KMIP) enables you to use one platform to manage keys from different encryption tools and multiple vendors.

Use the form or contact us details below to send us an enquiry and arrange to discuss your GDPR & Encryption needs.

Want to know more about Encryption: A Cornerstone of GDPR Compliance? Call us on 0845 075 0560 or email us at securitysales@bytes.co.uk
