
PERSPECTIVE: How Encryption Can Help Comply with GDPR

Over the last few weeks, I suspect you, like me, have received a flurry of emails regarding the General Data Protection Regulation (GDPR), the new series of European Union regulations on privacy and data protection. While most of these emails focused on either privacy settings or the method by which a provider was going to safeguard my data, the GDPR encompasses more than these two areas. GDPR has significant impacts for all organizations holding data on persons within the EU jurisdiction. GDPR’s goal is to provide an enforceable framework for the safeguarding of personal data and to standardize the regulatory environment for international business by providing a standard platform for data policies within the European Union.

If properly implemented at the enterprise level, encryption can help ensure that GDPR fulfills its data protection mandate. Encryption is the process of enciphering a message such that only authorized recipients can recover the original plain text. Used to protect data so that only authorized parties can access the information, encryption provides confidentiality and, when used correctly, information integrity and authenticity guarantees as well.

Organizations and individuals need to ensure data’s confidentiality, integrity and authenticity over its entire life cycle. Attackers are aware of the latest technologies and routinely seek to thwart conventional security techniques. As I’ve noted elsewhere, enterprise encryption is a form of what I called “Industrialized Remediation”: “(A) process becomes industrialized when it transitions from being the province of a craftsman to a repeatable manufacturing process.” (Sienkiewicz, 2017) Enterprise encryption needs to become an industrialized process.

Enterprise encryption is an essential component of the design, implementation and use of information management systems, and should be integrated from the requirements phase. Enterprise encryption solutions provide a straightforward path to the broad application and implementation of encryption across the organization. This preventive cybersecurity paradigm, using enterprise encryption technologies, is a best practice for all organizations and individuals at every level.

Encryption: Key to GDPR Compliance

Encryption can help organizations successfully comply with GDPR in a number of ways.

First, encryption gives organizations and individuals complete control of their data through the implementation of confidentiality, integrity and authenticity guarantees. Encryption supports compliance as it enables individuals and organizations to store and transmit data without interference or access by unauthorized personnel. The owner of the information can manage its distribution, sharing it only with the people they want. The encryption process ensures that only authorized people can gain access to the information, and that they can trust the information they access.

Second, encryption ensures the security of data backups, whether in the cloud or on-premises. Because most firms, and often individuals, store sensitive information, the security of data in storage is crucial for business or personal interests.

Third, the encryption process enables increased data trustworthiness. An enhanced enterprise data management process supports the Data Loss Protection (DLP) and Data Rights Management (DRM) programs by incorporating encryption and provides notifications as to the number of copies made, where the data is shared, and with whom (Thompson, 2016). Such notification processes increase data accountability, potentially preventing the unauthorized, possibly illegal, sharing of regulated, private information.

Fourth, an enhanced enterprise encryption process can reduce automated profiling; automated profiling is a breach of the new regulations. Automated profiling is a technique of processing personal data to analyze or predict matters related to an individual, such as their financial status, health, or interests. The data owner now must give consent before analysis is conducted on the data. Such consent would be indicated by sharing cryptographic keys. This positive access control reduces the likelihood of inadvertent privacy violations.

Fifth, media encryption has proven useful when portable storage devices are lost or stolen. This is important as third-party malfeasance can lead to fines and other sanctions. Encrypted information is not readable to malicious actors in the absence of the decryption key. (Bennett, 2018)

Sixth, the risk of eavesdropping is also mitigated. During data transmission, unauthorized interceptions occur routinely. However, when data is encrypted, an interception is irrelevant because the information is not meaningful to the eavesdropper in the absence of the cryptographic keys.

Finally, it appears that encryption might provide a “Safe Harbor” with respect to breach notification. When using encryption, data breach notification requirements may not come into effect as the information has not been successfully retrieved by an attacker who does not have access to the cryptographic keys (Bieker et al., 2016). This “Safe Harbor” saves the organization from harm resulting from a data breach. Correctly implemented, encryption reduces chances of sanctions and high fines.

Conclusion

Enhanced enterprise encryption supports GDPR compliance. As discussed, its advantages include, but are not limited to: protection of data in transit and at rest, mitigation of data breach risk, and positive control over distribution, analysis, and profiling. In short, it is clear that enhanced enterprise encryption helps organizations comply with GDPR.

REFERENCES

Bennett, S. (2018). GDPR: Change to European privacy laws and its impact on Australian businesses. Governance Directions, 70(2), 85.
Bieker, F., Friedewald, M., Hansen, M., Obersteller, H., & Rost, M. (2016, September). A process for data protection impact assessment under the European general data protection regulation. In Annual Privacy Forum (pp. 21-37). Springer, Cham.
Goddard, M. (2017). The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research, 59(6), 703-705.
Sienkiewicz, H. J. (2017). The Art of Cyber Conflict. Indianapolis, IN: DogEar Publishing.
Thompson, B. (2016). Analysis: Research and the general data protection regulation. Technical report, July.

Henry J. Sienkiewicz is Chief Innovation and Revenue Officer for Secure Channels, an Orange County, California-based encryption company, and an adjunct professor at Georgetown University. A best-selling author, Henry is the former Chief Information Officer for the Defense Information Systems Agency (DISA).
