Encryption: A Cornerstone of GDPR Compliance

Encryption represents both an essential way to establish data confidentiality and integrity and a strong capability in easing and proving compliance with the new European General Data Protection Regulation.

As outlined earlier, the GDPR requires organisations to notify consumers in the event of a breach, with penalties of up to 4% of their global revenue in the event of proven non-compliance.

However, this requirement also features the following important exclusion:

The communication of a personal data breach to the data subject shall not be required if the controller demonstrates to the satisfaction of the supervisory authority that it has implemented appropriate technological protection measures, and that those measures were applied to the data concerned by the personal data breach. Such technological protection measures should render the data unintelligible to any person who is not authorised to access it. [page 61]

The Right Not to Report?

So, the GDPR provides an exception if appropriate security controls are deployed. A breached organisation that renders data unintelligible through encryption to any person who is not authorised to access it is not mandated to declare the breach and notify the affected record owners.

This is because, if the data is encrypted and the keys are protected, an attacker is unable to decrypt the data and access the actual information.

Encryption therefore plays a vital role, offering the possibility of obviating the need for breach notification.

Other Ways Encryption Aids in GDPR Compliance

Right to be Forgotten

Encryption and key management represent a strong mechanism for addressing the GDPR's requirement for the consumer's right to be forgotten. By deleting the key associated with a consumer's records, a business could ensure that the encrypted data can never be accessed in future.

Privacy By Design - Full Data Protection

With key management, by deleting the key associated with a consumer's records, a business could ensure that the encrypted data will never be accessed in the clear. Any data accessed by third parties will be rendered useless, even in the event of a serious data breach.
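The key-deletion approach described in the two sections above, as an added example that is not part of this page or of any Bytes or Gemalto product: each data subject gets its own AES-256-GCM key, so destroying that key leaves the subject's stored records permanently unintelligible while the ciphertext itself is untouched. The in-memory KeyStore and the subject identifiers are assumptions standing in for an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore maps each data subject to its own data-encryption key (DEK). Assumption
// for this example: an in-memory map stands in for a production HSM or KMS.
type KeyStore map[string][]byte

// gcm builds AES-256-GCM from a 32-byte DEK; neither call can fail for that size.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g
}

// Encrypt seals a record as nonce||ciphertext under the subject's DEK, generated on
// first use; the subject id is bound as associated data so the blob cannot be
// re-attributed to another subject.
func (ks KeyStore) Encrypt(subject string, record []byte) []byte {
	if _, ok := ks[subject]; !ok {
		ks[subject] = make([]byte, 32)
		rand.Read(ks[subject]) // crypto/rand.Read cannot return an error (Go 1.24+)
	}
	g := gcm(ks[subject])
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, record, []byte(subject))
}

// Decrypt opens a record; once Forget has destroyed the key it can only fail.
func (ks KeyStore) Decrypt(subject string, blob []byte) ([]byte, error) {
	key, ok := ks[subject]
	if !ok {
		return nil, errors.New("no key for subject: data is unrecoverable")
	}
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], []byte(subject))
}

// Forget erases by crypto-shredding: the ciphertext stays, the key does not.
func (ks KeyStore) Forget(subject string) { delete(ks, subject) }
```

Erasure is only as good as the key store: a backup of the KeyStore taken before Forget would revive the data, so key backups need the same lifecycle controls.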

Pseudonymisation of Data

As introduced in the GDPR, pseudonymisation is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information held separately. In other words, by encrypting data and managing the keys, you ensure that personal details are not extractable.

Complete Central Access Control

By encrypting data, data controllers retain full control over who can ultimately decrypt the data and access it in cleartext, and can provide the necessary audit trail and documentation thereof, even if a foreign government issues a subpoena for that data or secretly accesses a private repository.

Encryption Methods

On Premise and in the Cloud

To address the GDPR compliance requirements, organisations may need to employ one or more different encryption methods within both their on-premises and cloud infrastructure environments, including the following:

  1. Servers, including via file, application, database, and full disk virtual machine encryption.
  2. Storage, including through network-attached storage and storage area network encryption.
  3. Media, through disk encryption.
  4. Networks, for example through high-speed network encryption.

Strong key management is also needed to protect the encrypted data, ensure the deletion of files and comply with users' right to be forgotten.

Key Management

The Critical Tool in the Encryption Arsenal

The cryptographic keys generated by encryption processes represent a vital asset, so strong key management capabilities are a critical requirement of any encryption implementation. Quite simply, if keys are vulnerable to loss or exposure, the security benefits of encryption can be negated, and even leave the business exposed to the loss of sensitive and valuable data.

To manage keys securely and effectively, organisations need comprehensive capabilities, including:

  1. Cryptographic processing and acceleration.
  2. Key storage and lifecycle management.
  3. Cryptographic resources management.
  4. Scalability to meet long-term business requirements.

Supports Key Management Interoperability Protocol

The Key Management Interoperability Protocol (KMIP) enables you to use one platform to manage keys from different encryption tools and multiple vendors.

About Bytes and Gemalto Encryption Solutions

Bytes, in partnership with Gemalto, a global leader in data encryption, has already started working with organisations on encryption solutions to aid in compliance with the new Regulation. We can help you to employ one or more different encryption, key management and authentication solutions.

Gemalto encryption and cryptographic key management products enable organisations to secure sensitive data in databases, applications, storage systems, virtualised platforms, and cloud environments with all four encryption methods, offering encryption solutions from file to network level.

Gemalto encryption solutions also include comprehensive key management functionality covering all of the above and with full support for KMIP.

Want to know more about Encryption: A Cornerstone of GDPR Compliance? Call us on 0845 075 0560 or email us at securitysales@bytes.co.uk
