In just two months’ time, the General Data Protection Regulation (GDPR) comes into full effect, marking the biggest change in data protection legislation in the continent in more than twenty years.
And it’s fair to say that GDPR is a significant step-up from the 1995 EU Data Protection Directive. After all, in the 23 years between the two laws, we’ve seen the arrival of Facebook, Google, Uber, Spotify and others, and completely new ways of working in the so-called ‘Internet Economy’.
Subsequently, GDPR, which has been two years in making, is designed to reflect this new digital era where digital data is growing exponentially.
As a broad overview, GDPR comes with notable new ways of applying data protection across the 28 EU member states.
Designed as one single set of rules across EU, the regulation more specifically defines what constitutes personal data (for example, this could now include an IP address or cookie data), splits data use per ‘data controllers’ and ‘data processors’ and is much more specific around what user content for data processing looks like. Furthermore, under the new regulation, businesses that have been hit by a breach where personal data may have been compromised will be expected to report this to their local data protection authority within a 72-hour window.
This last point is critical, not only because most attacks remain undetected for months at a time, but also because GDPR offers regulators far greater powers in terms of levying fines for a data breach or a failure to comply with the GDPR’s underlying principles. Data breach fines, for examples, could go as high as 4% of global turnover (or €20m, whichever is higher), although it’s expected that very few cases will go this high.
Unsurprisingly then, these changes will have a huge impact on all businesses, small and large, and across all departments too - from IT to marketing, security and sales. Indeed, the recent furor over Facebook’s controversial partnership with Cambridge Analytica would seem to indicate supply chain partnerships will likely also have to be relooked at in order to avoid costly data ‘spills’.
Yet there has been many myths and misconceptions around GDPR, including questions about the extent of encryption technologies that will be required.
What is encryption?
Encryption is loosely defined as the cryptographic process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.
The UK’s Information Commissioner nicely defines it as “a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information.
“In many cases encryption can provide an appropriate safeguard against the unauthorized or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.”
It is omnipresent, from the emails you send and the software you use to the documents you edit and web pages you browse. Through a myriad of protocols like SSL, HTTPS and TLS, it binds everything, including authenticating and protecting websites, safeguarding files, transactions and everyday communications. This ‘safeguarding’ is usually done both ‘at rest’ and ‘in transit’.
Encryption, specifically end-to-end encryption, has been a talking point for some time, largely owing to governmental pressure for ‘backdoors’ to be built into software so that law enforcement agencies can better investigate and disrupt criminals and terrorists.
Perhaps as a byproduct of this—and of course a complex 261-page regulation which can be interpreted differently depending how you look at it—some have assumed that encryption has a big role to play under the forthcoming GDPR.
GDPR and encryption
Though not mandatory, encryption is highly recommended both from a policy, strategy and technology perspective in light of GDPR. Indeed, experts say that the use of encryption will be viewed favorably by regulators, even if a breached company has indeed lost personal data.
This focus comes through clearly in the document itself.
For example, under GDPR principle 7 it says: “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Here, it is assumed that encryption and pseudonymization technologies are those ‘appropriate’ measures that organizations should be putting in place.
The regulation also calls out encryption specifically too; “In order to maintain security and to prevent processing in infringement of this regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”
Elsewhere, it adds that data controllers “shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk”, pointing to the pseudonymization and encryption of personal data.
By this comment, it’s believed that the use of encryption technologies should help with things like ensuring the confidentiality, integrity and availability of data, as well as the ability to access it in a timely fashion. While this is already an issue for many organizations today, it will become more important as subject access requests and Right to Be Forgotten (RTBF) demands become more commonplace.
The upside of implementing encryption technologies in getting ready for GDPR are potentially vast; not only do you significantly reduce the likelihood of information being compromised and shared/sold, but regulators also give you more wiggle room in the event of a security incident.
For example, in the event of a breach where compromised data is encrypted, it’s believed that there will be no regulatory requirement to inform the data subject (though this may be recommended from a PR standpoint). Furthermore, it is also assumed any breach fines will be avoided.
Yet with much still unknown in the run-up to May 25, and with GDPR bringing big changes around the way data is stored and managed (relevant to those in the cloud), encryption will have a big role to play, and will need to be factored into policies going forward. Fair warning: managing higher levels of encryption may be challenging for organizations who are not prepared for a rapid increase resulting from GDPR efforts.