As outlined earlier, the GDPR requires organisations to notify the supervisory authority of a personal data breach and, where the breach is likely to result in a high risk to individuals, to communicate it to the affected data subjects, with penalties of up to 4% of global annual turnover (or EUR 20 million, whichever is higher) for proven non-compliance.
The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it. [page 61]
So the GDPR provides an exception where appropriate security controls were in place. A breached organisation that has rendered the affected data unintelligible to anyone not authorised to access it, for example through encryption, is not obliged to communicate the breach to the affected data subjects. Note that this exemption covers the communication to individuals only; the notification to the supervisory authority is still required.
The reasoning is that, if the data is encrypted and the keys are protected, an attacker who obtains the ciphertext cannot decrypt it and never sees the actual personal information. The exemption therefore stands or falls on the keys: ciphertext stolen together with its key, or encrypted under a key the attacker already held, is not unintelligible.
Encryption therefore plays a vital role, offering the possibility of obviating the need to communicate a breach to the individuals affected.
Encryption and key management also provide a strong mechanism for addressing the GDPR's right to erasure (the right to be forgotten).
If each consumer's records are encrypted under their own key, deleting that key ensures the encrypted data can never again be accessed in the clear, including copies that remain in backups or archives. Any ciphertext later obtained by a third party, even in a serious data breach, is useless to them. This only holds if no other copy of the key survives (in backups, escrow, or a key manager's soft-delete window) and if the deleted key genuinely covered only that consumer's records.
Pseudonymisation, as defined in the GDPR, is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
In other words, by encrypting the identifying fields and holding the keys apart from the data, you ensure that personal details cannot be extracted from the data set on its own.
By encrypting data and holding the keys itself, a data controller retains control over who can ultimately decrypt the data and see it in cleartext, even if a foreign government subpoenas the hosting provider for the data or covertly accesses a private repository, and can provide the necessary audit trail and documentation of that control. This assumes the keys are held by the controller rather than by the provider: a cloud provider that is able to decrypt the data can also be compelled to.
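The three ideas above (a key per data subject that can be destroyed, a record store that holds only pseudonyms and ciphertext, and keys that never leave the controller) fit together in one design. The following Go program is an added illustration written for this page; it is not Bytes or Gemalto code, and the names (Vault, Forget, Pseudonym, ErrUnrecoverable) and the in-memory maps standing in for a key store and a record store are assumptions made for the example. It uses AES-256-GCM from the Go standard library, wraps each subject's data-encryption key under a controller-held key-encryption key, derives the pseudonymous token with HMAC-SHA256, and shows that after Forget the ciphertexts are still present but can no longer be read.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Added illustration, not Bytes or Gemalto code. The record store keeps only pseudonym ->
// AES-256-GCM ciphertexts; the key store keeps pseudonym -> per-subject data-encryption key
// (DEK), wrapped under a key-encryption key (KEK) the controller holds (an HSM/KMS in practice).
var ErrUnrecoverable = errors.New("no key for subject: records are unrecoverable")
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce; open reverses it and fails on a wrong key or tampering.
func seal(key, plaintext []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func open(key, blob []byte) ([]byte, error) {
	aead, err := gcm(key)
	if err != nil { return nil, err }
	n := aead.NonceSize()
	if len(blob) < n { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

type Vault struct {
	kek, tokenKey []byte              // KEK and pseudonym HMAC key; never leave the controller
	wrapped       map[string][]byte   // key store: pseudonym -> DEK wrapped under kek
	records       map[string][][]byte // record store: pseudonym -> ciphertexts only
}

func NewVault() (*Vault, error) {
	v := &Vault{kek: make([]byte, 32), tokenKey: make([]byte, 32),
		wrapped: map[string][]byte{}, records: map[string][][]byte{}}
	if _, err := rand.Read(v.kek); err != nil { return nil, err }
	_, err := rand.Read(v.tokenKey)
	return v, err
}

// Pseudonym is the "additional information held separately": without tokenKey the
// record store cannot be linked back to an identity.
func (v *Vault) Pseudonym(subjectID string) string {
	m := hmac.New(sha256.New, v.tokenKey)
	m.Write([]byte(subjectID))
	return hex.EncodeToString(m.Sum(nil))
}

// dek unwraps the subject's DEK, generating and wrapping a new one on first use.
func (v *Vault) dek(token string, create bool) ([]byte, error) {
	if w, ok := v.wrapped[token]; ok { return open(v.kek, w) }
	if !create { return nil, ErrUnrecoverable }
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return nil, err }
	w, err := seal(v.kek, k)
	if err != nil { return nil, err }
	v.wrapped[token] = w
	return k, nil
}

func (v *Vault) Store(subjectID string, record []byte) error {
	t := v.Pseudonym(subjectID)
	k, err := v.dek(t, true)
	if err != nil { return err }
	ct, err := seal(k, record)
	if err != nil { return err }
	v.records[t] = append(v.records[t], ct)
	return nil
}

func (v *Vault) Read(subjectID string) ([][]byte, error) {
	t := v.Pseudonym(subjectID)
	k, err := v.dek(t, false)
	if err != nil { return nil, err }
	var out [][]byte
	for _, ct := range v.records[t] {
		pt, err := open(k, ct)
		if err != nil { return nil, err }
		out = append(out, pt)
	}
	return out, nil
}

// Forget ("crypto-shredding") serves an erasure request by destroying the key rather than
// hunting down every ciphertext copy; StoredCiphertexts shows the blobs are still there.
func (v *Vault) Forget(subjectID string) { delete(v.wrapped, v.Pseudonym(subjectID)) }
func (v *Vault) StoredCiphertexts(subjectID string) int { return len(v.records[v.Pseudonym(subjectID)]) }
```

The point to take from it: after Forget, Read returns ErrUnrecoverable while StoredCiphertexts is unchanged, which is exactly the state the exemption and the right to erasure rely on. In a real deployment the kek and tokenKey would sit in an HSM or cloud KMS under the controller's control, the key store and the record store would be separate systems with separate administrators, and the key manager's own backups and retention windows would have to be checked so that the deleted wrapped DEK does not quietly survive elsewhere.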
To address the GDPR compliance requirements, organisations may need to employ one or more encryption methods across both their on-premises and cloud infrastructure environments, from file-level to network-level encryption.
Strong key management is also needed to protect the encrypted data, to make erasure of records enforceable and to comply with users' right to be forgotten.
The cryptographic keys generated by encryption processes represent a vital asset, so strong key management capabilities are a critical requirement of any encryption implementation. Quite simply, if keys are vulnerable to loss or exposure, the security benefits of encryption are negated: a lost key makes the data permanently unavailable, and an exposed key leaves the business open to the loss of sensitive and valuable data. Key management capabilities to look for include:
Cryptographic processing and acceleration
Key storage and lifecycle management
Cryptographic resources management
Scalability to meet long term business requirements
Support for the Key Management Interoperability Protocol (KMIP)
The Key Management Interoperability Protocol (KMIP) enables you to use one platform to manage keys from different encryption tools and multiple vendors.
Bytes, in partnership with Gemalto, a global leader in data encryption, has already started working with organisations on encryption solutions to aid compliance with the new Regulation. We can help you to employ one or many different encryption, key management and authentication solutions.
Gemalto encryption and cryptographic key management products enable organizations to secure sensitive data in databases, applications, storage systems, virtualized platforms, and cloud environments with all four encryption methods, offering encryption solutions from file to network level.
Gemalto encryption solutions also include comprehensive key management functionality covering all of the above and with full support for KMIP.
Want to know more about Encryption: A Cornerstone of GDPR Compliance? Call us on 0845 075 0560 or email us at email@example.com