Does GDPR Require Encryption?
20 Nov 2019 | Michael Waksman
Does GDPR require encryption? Is it really necessary to encrypt your data? Isn't it enough to make sure only authorized people can see it?
Many businesses go without encryption because they think it's too hard. Yet encryption isn't really as difficult as its reputation suggests. Like any tech, it takes a bit of learning at first, but it doesn't have to be a huge burden on employees – not if it's done right. For the most part, they shouldn't even notice it's there.
Safeguarding data is important if you want to avoid a serious risk of liability. European citizens are protected by the General Data Protection Regulation (GDPR). There are common misconceptions about GDPR, such as the notion that only European businesses have to worry about it. If you deal with personal information on Europeans, wherever you're based, you need to pay attention to its requirements. They're straightforward and not that hard to implement.
GDPR doesn't specifically demand encryption, but encrypting stored data is the best way to demonstrate compliance and keep information safe. Let's take a closer look at what it calls for.
What Does GDPR Require about Encryption?
- Article 32, "Security of Processing," cites encryption as an example of "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."
- Recital 83, with the same title, mentions encryption as a means of mitigating risk.
- Article 6, "Lawfulness of Processing," calls for ascertaining "the existence of appropriate safeguards, which may include encryption or pseudonymization."
The only method of protection which is mentioned besides encryption is pseudonymization, and it has its own issues. With pseudonymization, personal identifiers are replaced with internal IDs. Instead of seeing a name or government ID, data thieves will see only that the record belongs to customer 49524601. Any personally identifying information, like addresses and phone numbers, needs to get similar treatment. Doing it right is tricky, because it's often possible to narrow the remaining data down to a unique person. Encryption is a far more reliable form of protection.
If you don't use encryption, you must be ready to explain why not and what protections you are using instead. Similar to the HIPAA security rule in the U.S., GDPR doesn't require encryption as such, but you’d better have a good reason for not using it.
The EU national supervisory authorities are the judges of compliance with GDPR, and encryption is an obvious reliable way to convince them that you are compliant. The Article 29 Data Protection Working Party, representing the national supervisory authorities, issued a statement asserting that "the availability of robust and trusted encryption is a necessity." In a similar vein, the UK's ICO has published a guide to encryption stating that "you should have an encryption policy in place."
Encryption is the key to compliance. The Ponemon Institute has found that extensive encryption reduces the cost of a data breach by about $125 per record. It's the sensible way to go.
How to Use Encryption
To benefit from encryption, you have to approach it intelligently. Just saying "We're going to encrypt" isn't a magical solution to all security problems. Your encryption strategy should start with two questions:
- What do I need to encrypt?
- Where is my data stored?
The second question requires a bit of explanation. You need to make sure you don't overlook any vulnerable data. If multiple copies of sensitive data exist, make sure you don't leave any unprotected. Portable devices are especially at risk.
The focus of GDPR is the personal data of EU citizens. That means anything which identifies individuals or contains personally identifiable sensitive information. This includes:
- Name
- Address
- Location data
- Online identifier
- Health records
- Income
- Cultural profile
Data needs to be protected only if it can be traced back to an individual. Truly anonymized information can be freely disclosed or left with minimal protection. But be careful; even anonymous data can be combined to reconstruct individual identities. It's been shown that 87% of Americans can be uniquely identified given their ZIP code, birth date, and gender. When in doubt, encrypt.
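To make the pseudonymization caveat above concrete (the "customer 49524601" replacement and the ZIP code, birth date and gender re-identification point), here is an added Go example that is not from the original article or from Jetico: it replaces the direct identifiers with a keyed pseudonym and then counts how many rows can still be singled out by that attribute triple, which is the check a practitioner runs before treating a table as safe to share. The record layout, the key and the sample rows are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Record is a customer row; PseudoRecord is the same row with the direct
// identifiers (name, government ID) replaced by an internal customer ID.
type Record struct{ Name, GovID, ZIP, BirthDate, Gender string }
type PseudoRecord struct{ CustomerID, ZIP, BirthDate, Gender string }

// Pseudonymize derives the customer ID as HMAC-SHA256 of the government ID under
// a key kept apart from the table, so holders of the table alone cannot reverse it.
func Pseudonymize(key []byte, recs []Record) []PseudoRecord {
	out := make([]PseudoRecord, 0, len(recs))
	for _, r := range recs {
		mac := hmac.New(sha256.New, key)
		mac.Write([]byte(r.GovID))
		out = append(out, PseudoRecord{fmt.Sprintf("%x", mac.Sum(nil))[:16], r.ZIP, r.BirthDate, r.Gender})
	}
	return out
}

// UniqueByQuasiIDs counts rows whose (ZIP, birth date, gender) triple occurs only
// once; each still singles out one person to anyone holding another list with
// those three attributes. This is a k-anonymity check with k = 1.
func UniqueByQuasiIDs(recs []PseudoRecord) int {
	counts := map[[3]string]int{}
	for _, r := range recs {
		counts[[3]string{r.ZIP, r.BirthDate, r.Gender}]++
	}
	unique := 0
	for _, n := range counts {
		if n == 1 {
			unique++
		}
	}
	return unique
}

var sample = []Record{ // constructed rows, not real people
	{"Alice Example", "ID-0001", "02139", "1980-03-14", "F"},
	{"Bob Example", "ID-0002", "02139", "1980-03-14", "M"},
	{"Carol Example", "ID-0003", "02139", "1980-03-14", "F"},
}

func main() {
	p := Pseudonymize([]byte("controller-secret-key"), sample)
	fmt.Println(UniqueByQuasiIDs(p), "of", len(p), "rows still unique on ZIP+DOB+gender")
}
```

Bob's row stays unique even though his name and ID are gone, which is exactly the residual risk the article warns about; the same check run on a real table tells you how much generalization (coarser ZIP, birth year instead of date) is needed before pseudonymization alone is defensible.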
Categories of Encryption
When we talk about encryption, we're talking about two kinds of issues. There's encryption ‘at rest’, when data is stored in files and databases. In addition, protection is necessary ‘in transit’, when data travels from one place to another. Think of it as safeguarding your possessions when you're at home or in the office, but also when you're in the car or bus. Different kinds of risks are involved, and you have to cover both.
Encryption at Rest
The broadest form of encryption at rest is whole-disk or whole-drive encryption. It's essential for any device or removable storage that might travel outside a secure area. If a laptop or phone is stolen and isn't encrypted, the thief can get everything that's on it. If the device includes information on a lot of people, that means big trouble. Whole-disk encryption makes this information unreadable.
However, a logged-in user has access to everything just as if it weren't encrypted. If the thief can keep the device in a logged-in state or figure out the password, the encryption is no protection at all.
Protection of selected files isn't as broad, but it covers cases where whole-disk encryption doesn't help. The user needs to provide a key or take other actions to get at those files. They're safe even if a thief has the account password, provided logging in doesn't give automatic access to the files.
Finally, there's encryption of individual items. Databases need to do this with the most sensitive items, such as credit card numbers and government ID numbers. Encrypting selected data ensures that accessing the database isn't enough to grab that information for identity theft.
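As an added illustration of item-level encryption, not code from the article or from Jetico's products, the following Go functions encrypt a single card-number column with AES-256-GCM so that anyone who can read the table sees only ciphertext; the column name, the key handling and the test card number are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField encrypts one column value for a binary (BLOB/BYTEA) column. A fresh
// nonce is prepended; the column name is bound in as associated data so a ciphertext cannot be moved to another column.
func EncryptField(key []byte, column, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	return gcm.Seal(nonce, nonce, []byte(value), []byte(column)), nil
}

// DecryptField reverses EncryptField; it fails on a wrong key or column name, or on altered bytes.
func DecryptField(key []byte, column string, stored []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(stored) < ns {
		return "", fmt.Errorf("stored value too short")
	}
	pt, err := gcm.Open(nil, stored[:ns], stored[ns:], []byte(column))
	return string(pt), err
}

func main() {
	key := make([]byte, 32) // in production fetch from a KMS/HSM, never store beside the data
	rand.Read(key)
	stored, _ := EncryptField(key, "card_number", "4111111111111111") // constructed test number
	card, _ := DecryptField(key, "card_number", stored)
	fmt.Printf("%x -> %s\n", stored, card)
}
```

Because the key lives outside the database, dumping the table yields nothing usable for identity theft, and the authentication tag means a tampered or column-swapped value is rejected rather than decrypted to garbage.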
Encryption in Transit
When you send information over the Internet, you don't know what route it's going to take. Data could pass through compromised servers that probe for anything worth copying. To keep sensitive data safe, you need to encrypt it whenever it goes online. VPNs provide this kind of encryption. So do many messaging apps. Email typically doesn't, so it isn't a safe way to send information unless you add end-to-end encryption.
The most widely used form of in-transit encryption is Transport Layer Security (TLS), known previously as SSL. Whenever you use a browser link beginning with ‘https:’, you're using TLS encryption. It's also used for many behind-the-scenes connections, including APIs connecting servers. A majority of today's Web traffic goes over TLS. It not only protects data submitted in forms from interception, but also protects against ‘man in the middle’ alteration of data.
Summing Up
Does GDPR require encryption? In brief, encryption is the best and most trusted way to protect user data and comply with GDPR requirements. When you set up an encryption plan, you need to start by assessing what data to encrypt and which tools to use. Strong encryption will then protect data reliably while keeping costs down. Encryption solutions are affordable and easy to implement, provided you know what data you have and where it's stored.
Specific actions to protect data include these:
- Use whole-disk encryption, especially with any devices or storage media that aren't always in a safe place.
- Use file encryption to avoid troubles in case a thief gets to your device in a logged-in state or figures out the password.
- For messaging, use applications that encrypt end-to-end. Typical email and basic text messaging aren't safe for anything confidential.
- Trust websites only if they use TLS, as indicated by an address starting with ‘https://’. Use TLS to secure your own site's traffic!
Central Management Makes Encryption Easier
You may still think, after reading all this, that encryption is complicated and intimidating. But it doesn't have to be. A central management system makes encryption much easier, sparing users the technical details. As the Admin, you have control of everything from one place. Regular users don't have to do anything difficult; all that's required is entering a password when they open their devices.
Jetico's central management system gives administrators full control. Users don't have to spend hours training to be sure their data is protected. The central console lets the administrator…
- Automatically deploy whole-disk and file encryption on all computers.
- Store all passwords securely in the central management database.
- Recover encrypted data in case of emergency. Even if users forget their passwords, the data isn't lost.
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.
At Jetico, Waksman has led the creation of the corporate identity, raised global brand awareness, built a more commercially driven team and initiated enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.
Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As a dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.