GDPR and encryption of data transmissions
On May 25, 2018 the long-awaited General Data Protection Regulation (GDPR) of the European Union came into force. From that date personal data of individuals in the EU (the data subjects) has been protected by the GDPR, and breaches of the regulation are sanctioned with heavy fines. Fines of up to €20 million or 4 % of annual worldwide turnover, whichever is greater, are a risk that any general management and board must take seriously.
The main principles of the GDPR focus on the individual whose data is registered. The GDPR does not prohibit the handling of personal data, but it lays down the rules for how it must be done.
A central part of the GDPR is that legal persons that register personal data need to do their homework to be sure they stay GDPR compliant. Central to the regulation is that registered personal data must always be protected regardless of where the data is located, whether at rest or in motion.
Ask the question – where is the key?
It is the legal person on whose behalf the data processing is done (the controller) that has to adhere to the GDPR. This holds even if the actual processing is carried out by a third party. The first step towards GDPR compliance is to develop security procedures for data management that cover all stages of the data processing, i.e. data at rest, data in motion inside the company's own premises, and data in transit between company locations.
Companies must question all aspects of their data protection, as they cannot delegate this responsibility to third parties. Internally it is advisable that responsibility for GDPR compliance is assigned to specific functions or managers who can act as data owners. The GDPR mentions encryption of personal data in Article 32 as an example of a technical data protection measure.
Data encryption can act as the last line of defense in the event of a data breach, provided the encryption keys are kept secure. Encryption is only a strong security measure if the keys are protected and access to them is under control; an attacker who obtains the key, or who can ask a system holding the key to decrypt on their behalf, has the data regardless of the cipher used.
It is advisable that data at all stages is protected by encryption and that data owners ensure secure key management and controlled key access. Data owners have to be able to answer questions like "Who has access to the keys?" and "Where are the keys stored?" if they are to document GDPR compliance. If data management has been delegated to a third party, the data owner needs to establish that the third party does not compromise security.
Companies with connected locations must address data protection not only on premises within their building perimeters but also when the data travels between locations. The data owner cannot simply rely on the chosen data carrier to protect data in motion unless there is a specific agreement stating that the data connections are encrypted, and on which segments. Even if such an encryption agreement has been made with the carrier, the next question is the key management issue: if the carrier generates and holds the keys, the carrier (and anyone who compromises the carrier) can read the traffic.
One way to make sure data in transit is secure is for the data owner to retain control by implementing hardware security units at both ends of the connection that encrypt the data transmission and protect the encryption keys, so that the keys never leave equipment the data owner controls.