It is the legal person on whose behalf the data processing is done that has to adhere to the GDPR regulations. That applies even if the specific data processing is carried out by a third party. The first step towards GDPR compliance is to develop security procedures for data management that cover all stages of the data processing, i.e. data at rest, data in motion and lastly data in transit to/from company locations.
Companies must question all aspects of their data protection, as they cannot delegate this responsibility to third parties. Internally it is advisable that responsibility for GDPR compliance is assigned to specific functions/managers who can act as data owners. The GDPR mentions encryption of data in Article 32 as an example of a technical data protection measure.
Data encryption can act as the last line of defense in the case of a data breach, provided that the encryption keys are kept secure. Encryption is only a strong security measure if the keys are protected and access to them is under control.
It is advisable that data at all stages is protected by encryption and that data owners ensure secure key management and controlled key access. Data owners have to be able to answer questions like “Who has access to the keys?” or “Where are the keys stored?” if they are to document GDPR compliance. If data management has been delegated to a third party, then the data owner needs to establish that the third party does not compromise security.
Companies with connected locations must address data protection not only on premises, within their building perimeters, but also when the data travels between locations. The data owner cannot simply rely on their chosen data carrier to protect data in motion unless they have a specific agreement stating that the data connections are encrypted. Even if such an encryption agreement has been made with the carrier, the next question will concern key management.
One way to make sure data in transit is secure is for the data owner to retain control by implementing hardware security units that encrypt data transmission and protect the encryption keys.