February 17, 2021
Regulatory Compliance

What You Need to Know About the GDPR Encryption Requirements

Although the European Union (EU) General Data Protection Regulation (GDPR) has been enforced since May 2018, many organizations still struggle to meet its requirements. Between January 1, 2020, and August 30, 2020, supervisory authorities levied over $4 billion in GDPR fines. In July 2020 alone, supervisory authorities imposed 45 penalties totaling nearly $4 million, an all-time monthly high. As privacy concerns grow with remote workforces and accelerated digital transformation, organizations can use the GDPR's encryption provisions both to secure data more effectively and to maintain regulatory compliance. 

What are the GDPR encryption requirements?

For companies, a major implication of the GDPR is the risk and responsibility that comes with possessing or processing personal data. While some companies view this information as their greatest asset, protecting and securing it is also an enormous liability, and increasingly sophisticated cyber attacks make that task harder every year. To limit the effects of a breach, the GDPR recognizes encryption of personal data as a meaningful protective measure. Encryption is not explicitly mandatory, but Article 32 names it as an example of an appropriate security measure.  

Article 32, “Security of processing,” paragraph 1(a) states:

  1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    (a) the pseudonymisation and encryption of personal data;

Article 32(1)(a) of the GDPR leaves controllers and processors flexibility in deciding whether to use encryption to protect personal data at rest and in transit. The phrasing of Article 32(1) ("as appropriate", "appropriate to the risk") indicates that encryption is not a mandatory control but an expected best practice, much as the HIPAA Security Rule lists encryption as an addressable implementation specification rather than a required one.

Encryption minimizes the impact of an incident during data processing because encrypted content is unreadable to any third party who does not hold the correct key. It is the standard way to protect data in transit and one way to secure stored personal data. It also reduces the risk of misuse inside a company, since access is limited to the individuals who hold the right key.

Is pseudonymisation the same as encryption?

The GDPR (Article 4(5)) defines pseudonymisation as:

the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

In non-legalese, pseudonymisation is a reversible process that unlinks data points from individual data subjects. The "pseudonyms" replace the identifiers that tie the data to a person. Whoever holds the separately stored mapping between pseudonyms and identifiers can re-link the two; nobody else can. 

Encryption, by contrast, provides a broader level of data privacy and security. It conceals the entire record, turning readable text into seemingly random bytes that only a holder of the right key can turn back into plaintext. Modern ciphers are far more complex than this description suggests, but the principle is the same: if cybercriminals steal encrypted data without the key, the data is meaningless to them. 

How encryption enhances security and GDPR compliance

Pseudonymisation masks the identifying fields, while encryption makes exfiltrated data unreadable in its entirety. If cybercriminals steal pseudonymised data, any field that was not pseudonymised, such as an email address, is still readable even though they cannot link it to a named person. Those email addresses can then be used in password spray attacks, in which the attacker tries a short list of the most common passwords against many accounts. Note that an email address is itself an online identifier under the GDPR, so such a data set is still personal data.
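To make the distinction in the two passages above concrete, here is an added example (written for this article, not Atakama's code) that pseudonymises one constructed record and, separately, encrypts it, then shows what a thief who steals only the stored data set can read in each case. It uses only the Python standard library, so the encryption is HMAC-SHA256 run as a counter-mode keystream with an encrypt-then-MAC tag, an assumption made to keep the script dependency-free; a production system would use AES-GCM or an equivalent from a vetted library. The field names, the sample record, and the 24-character pseudonym length are illustrative choices.

```python
"""Pseudonymisation vs encryption of a personal-data record.

Added example for this article (not Atakama code). Stdlib only: the
"encryption" here is HMAC-SHA256 used as a CTR keystream plus an
encrypt-then-MAC tag, chosen so the script runs without third-party
packages; in production use AES-GCM (or similar) from a vetted library.
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; not real personal data.
RECORD = {"name": "Ada Example", "email": "ada@example.org", "society": "Chess Club"}

NONCE_LEN = 16
TAG_LEN = 32


# --- Pseudonymisation (GDPR Art. 4(5)) ----------------------------------------
def pseudonymise(record, pseudo_key, lookup):
    """Replace the direct identifier ('name') with a keyed pseudonym.

    `pseudo_key` and the pseudonym -> name table `lookup` are the "additional
    information" that must be held separately from the pseudonymised data set.
    Every other field, including the email address, stays readable.
    """
    token = hmac.new(pseudo_key, record["name"].encode(), hashlib.sha256).hexdigest()[:24]
    lookup[token] = record["name"]
    return {**record, "name": token}


def reidentify(pseudo_record, lookup):
    """Re-link a record to the data subject; only possible with the separately held table."""
    return {**pseudo_record, "name": lookup[pseudo_record["name"]]}


# --- Encryption -----------------------------------------------------------------
def _subkeys(key):
    # Derive independent encryption and MAC keys from one 32-byte master key.
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode used as a PRF keystream.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. Without `key`, every byte is unintelligible."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first (constant-time compare), then decrypt.

    Raises ValueError on a wrong key or a tampered ciphertext.
    """
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- What a thief sees in each case ---------------------------------------------
def exposure(record=RECORD):
    """Simulate exfiltration of the stored data set only (keys and lookup table stay separate)."""
    lookup = {}
    pseudo = pseudonymise(record, secrets.token_bytes(32), lookup)
    blob = encrypt(secrets.token_bytes(32), json.dumps(record).encode())
    return {
        # pseudonymised: name gone, but email and society membership remain usable
        "pseudonymised_leaks": {k: v for k, v in pseudo.items() if k != "name"},
        # encrypted: the email address does not appear anywhere in the blob
        "encrypted_leaks_email": record["email"].encode() in blob,
    }


if __name__ == "__main__":
    print(json.dumps(exposure(), indent=2))
```

The design point is where the secret lives: for pseudonymisation it is the key plus the lookup table, and Article 4(5) is only satisfied if those are stored and access-controlled separately from the data; for encryption it is the data key alone, and the tag check in `decrypt` is what stops a thief from quietly modifying records they cannot read.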

Encryption, on the other hand, leaves exfiltrated data entirely unusable to cyber criminals as long as they do not also obtain the key. Beyond protecting the data itself, encryption can greatly reduce the fallout of a breach: Article 34(3)(a) relieves the controller of the duty to notify affected data subjects when the stolen data was protected this way. Article 34, “Communication of a personal data breach to the data subject,” states:

The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met:

    (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption;

In summary, if encrypted data is leaked or exfiltrated, the organization is not required to notify the data subjects because the information is unintelligible to the thief. Two caveats apply. First, the exemption only holds if the key was not compromised alongside the data; if the attacker can decrypt, the data is no longer "unintelligible." Second, Article 34 covers communication to data subjects only; the separate duty under Article 33 to notify the supervisory authority within 72 hours still applies unless the breach is unlikely to result in a risk to individuals, so the encryption status of the data must be documented and assessed in every case. Pseudonymisation, while an adequate control for unlinking data, does not remove either notification requirement.  

What data should be encrypted?

Not all data needs to be encrypted. However, the GDPR defines personal data broadly, which often makes separating protected from unprotected information challenging. Article 4(1) defines personal data as any information relating to an identified or identifiable natural person, where the person can be identified directly or indirectly by reference to identifiers such as:

  • name
  • identification number
  • location data
  • online identifier (such as IP address)
  • physical, physiological, genetic, mental, economic, cultural, or social identity

This definition extends well beyond traditionally protected categories. Human resources and medical records, for example, have long been treated as sensitive because they contain names, birthdates, and/or social security numbers. 

However, in March 2019, King’s College London sent an email to the local police identifying thirteen students by name and listing their membership in student societies. Since the police had not made a formal information request, the subsequent review found that linking the names to their social identities constituted a GDPR violation. Encryption would not have changed the outcome of this particular case, but it illustrates how far the GDPR's notion of personal data reaches beyond traditional usage. 

In a GDPR-regulated world, organizations need to consider the full breadth of their data collection, processing, and storage while continuously protecting personal data from theft and inappropriate access. From this viewpoint, it is easy to see why strong encryption is an essential component of any compliance strategy.  

Atakama: Easy end-to-end encryption to enable GDPR compliance 

Atakama not only enables GDPR compliance; its one-touch workflow also increases end-user adoption, which in turn matures an organization’s security and privacy programs. 

Traditionally, encryption solutions have proven cumbersome and difficult for end users. Password-protecting individual sensitive documents, for example, interferes with day-to-day processes and does not scale. Requiring employees to decide for themselves which data needs encryption places the burden of compliance on the individual and often results in data going unprotected. Storing encrypted data creates a further challenge for IT administrators, who must keep it accessible to the internal stakeholders who need it.

Atakama’s decentralized architecture makes encryption and compliance simple. Atakama encrypts files at a granular level without relying on usernames and passwords. Even if data is exfiltrated from your network, the files are useless to the attacker unless the necessary pieces of the key have been correctly reassembled before the files are decrypted and opened. And you’ll be able to show regulators how your data is protected and encrypted at rest. 

For more information about how Atakama can address your organization’s GDPR compliance needs, contact us for a demo today. 
