
GDPR: To Encrypt or Not to Encrypt?

This article discusses the place of data encryption in a business' GDPR roadmap: what encryption means in this context, what it does and does not protect against, and how it can make life easier for businesses in the long term.

Encryption and Pseudonymisation

GDPR requires organisations to implement controls to protect the personal data of people in the EU and to allow those data subjects to exercise their rights over their own personal data.  What form these controls take is remarkably undefined: the regulation prescribes no products or configurations, and only two technical measures are named by name (in Article 32, on security of processing).  These are encryption and pseudonymisation.

A well-designed GDPR solution contains elements of both encryption and pseudonymisation.  Pseudonymisation requires extensive thought and effort, because it changes how identifiers flow through your systems, whereas encryption is easier to achieve in the short term.  However, it is important to point out that although encryption is referred to several times within GDPR, it is by no means mandatory: Article 32 asks for measures "appropriate" to the risk, and encryption is given as one example of such a measure.

Encryption is a mature, mainstream technology and should be the foundation stone of any solution landscape.

The Importance of Encryption

Encryption itself is quite a broad area, but in simple terms it typically covers "data at rest" (storage volumes and databases) and "data in transit" (network connections and application traffic).  One caveat up front: encryption at rest protects you against stolen disks, backups and database dumps; it does not protect you against an attacker who has taken over the application and can ask the database for data through the normal, authorised path.  With that said, encrypting your database is the very first thing you should consider doing.  Why?

Let’s take the hypothetical scenario that your database has been compromised:

  • What is one of the first questions your Senior Management Team will ask in the event of a breach?
  • What is one of the first questions your customers will ask in the event of a breach?
  • What is one of the first questions the press will ask in the event of a breach?
  • What is one of the first questions a regulator (such as the ICO) will ask in the event of a breach?

The words "secure" and "encrypted" would, or should, feature in the answer to each of these questions.

Defining Your GDPR Roadmap

One of the most important elements, if not the very first element you should think about when defining your own GDPR roadmap, is what you can do after a breach to prevent any impact on your data subjects (your "post-breach control").  The best thing you can possibly do is to ensure that any data that has been misappropriated is unusable.  This is where encryption really is the obvious answer (pseudonymisation will also help, to a degree, by separating identifiers from the people they belong to).  Note that this only holds if the keys were not taken along with the data: keys belong in a key management service or hardware security module, or at the very least on a separate system with separate credentials, never in the same database or on the same disk as the ciphertext they protect.
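To make the "data at rest" and "post-breach control" points above concrete, here is an added example (not code from the original article, nor from Maginus or any product it mentions) of how a single customer row might be protected before it is written to a database. It assumes a hypothetical table with one identifier and one e-mail field, field-level AES-256-GCM for the e-mail, and HMAC-SHA256 pseudonymisation for the identifier; the keys are generated in-process here only for illustration and would in practice come from a KMS or HSM on a separate system. The sample e-mail address is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one row of a hypothetical customer table as it would sit in the database.
// Neither field is usable without the corresponding key.
type Record struct {
	CustomerID string // pseudonymised identifier (HMAC token), safe to index and join on
	Email      []byte // AES-256-GCM ciphertext with the 12-byte nonce prepended
}

// Pseudonymise maps a real identifier to a stable token under a secret key. The same input
// always yields the same token (so the DB can still be queried on it), but without the key the
// token cannot be linked back to the identifier, unlike a plain unkeyed hash of a known e-mail.
func Pseudonymise(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// EncryptField seals one field with AES-256-GCM. A fresh random nonce is generated per call
// and prepended to the ciphertext; GCM also authenticates the ciphertext, so tampering is detected.
func EncryptField(key []byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptField reverses EncryptField. With the wrong key, or a modified ciphertext, it returns an
// error rather than garbage, which is what you want a dumped database to look like to an attacker.
func DecryptField(key []byte, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// ProtectRow builds the row the application writes to the database: the identifier is
// pseudonymised under pseudoKey and the e-mail encrypted under encKey (two separate keys, so a
// compromise of one does not expose the other).
func ProtectRow(encKey, pseudoKey []byte, email string) (Record, error) {
	sealed, err := EncryptField(encKey, []byte(email))
	if err != nil {
		return Record{}, err
	}
	return Record{CustomerID: Pseudonymise(pseudoKey, email), Email: sealed}, nil
}

func main() {
	// Illustration only: real keys are fetched from a KMS/HSM, never generated next to the data.
	encKey, pseudoKey := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(encKey); err != nil {
		panic(err)
	}
	if _, err := rand.Read(pseudoKey); err != nil {
		panic(err)
	}
	row, err := ProtectRow(encKey, pseudoKey, "alice@example.com") // constructed sample value
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: id=%s email=%x\n", row.CustomerID, row.Email)

	// An attacker who only dumped the database has no keys and gets an error, not an address.
	if _, err := DecryptField(make([]byte, 32), row.Email); err != nil {
		fmt.Println("dump without keys:", err)
	}
	// The application, holding the key, can still read the field.
	plain, _ := DecryptField(encKey, row.Email)
	fmt.Println("application with key:", string(plain))
}
```

The useful property to notice is the asymmetry: a database dump yields a hex token and an opaque blob, while the application, which can reach the key service, recovers the field. If the keys were stored in the same database or on the same volume, the dump would carry everything needed to undo both transformations and the encryption would buy nothing.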

Another important element when defining your GDPR roadmap is how to limit and, if possible, avoid any fines levied by the appropriate regulators in the event of a breach.  Being able to provide evidence that your data was encrypted, and that the keys were not compromised, will place you in a much stronger position than an organisation that does not encrypt its data; GDPR Article 34 explicitly lifts the duty to notify the affected individuals where the breached data was rendered unintelligible, for example by encryption, to anyone not authorised to access it.  At the very least, you should be able to demonstrate that encryption was very seriously considered, even if it has been discounted for practical or cost reasons.

Then there is the press and your competitors.  The loss of encrypted data that is unusable is a bit of a non-story.

Risky Business

The very least I would demand of anyone I choose to share my personal data with is that they would look after it carefully and do their best to ensure that it was safe and secure. In fact, I would expect it to be encrypted.  What do you stipulate from anyone you choose to share your data with?  What should your customers expect from you?

I hope that after reading this your answer would be the same. Don't take any chances.  The financial and reputational costs of not encrypting your data are too great to ignore.

Written by Simon Dunleavy, Director of Cloud Services.

To discover how to maintain your business reputation, confidentiality and customers' trust, download our report on GDPR & Maginus OMS Enterprise DB.