Businesses now have less than a year to achieve compliance with the General Data Protection Regulation (GDPR). As part of their efforts, organizations must look to Article 32 of the Regulation. This section affirms the data controller's and processor's responsibility to leverage "the pseudonymisation and encryption of personal data" to protect against digital risk. Encryption is one of those "appropriate technical and organizational protection measures" that "render the data unintelligible to any person who is not authorized to access it…." Organizations subject to the GDPR can, therefore, use encryption to remain on "the Good" side of the law. Should a breach occur, those that implemented encryption won't need to endure the customer notification process and its costs because the incident wouldn't have exposed personal data. However, the GDPR's standardization of encryption potentially affects businesses beyond their breach detection and response strategies. Matthias Pfau, co-founder of encrypted email service Tutanota, believes encryption can help align businesses with users who are increasingly conscientious about their security and privacy:
"We see GDPR as a chance for businesses to join the privacy movement. We as well as other privacy-focused services see by the influx of new users that the privacy movement is growing fast. More and more people want their data to be handled and stored securely. This comes as no surprise as the scandals about data breaches constantly grow in numbers and dimensions. Soon companies who do business in Europe will be obliged to secure their customers' and employees' data. At first sight, this might seem like a big hassle to most companies while in fact it is a huge opportunity: By protecting their customers’ data, companies will gain a competitive edge because more and more people realize that their data is valuable and that it must be protected."
Of course, companies will need to take the correct approach to encryption if they are to leverage it to their advantage. For instance, they should consider embracing end-to-end encryption by storing encryption keys separately and encrypting data on the client side before uploading it to their cloud service provider. Doing so will help ensure that encrypted data is never readable for the service provider, which protects personal data in the event someone breaches that third-party. But if enough companies adopt end-to-end encryption, the GDPR could effectively have far-reaching consequences for users everywhere. Ladar Levison, Founder of encrypted email service Lavabit, expands on this hope:
"The GDPR is a critical step in protecting user privacy and ultimately digital freedom. The use of end-to-end encryption is moving into the mainstream and starting to be measured in not only lives protected but in dollars saved as businesses look to protect their customers most valuable assets – their data. We anticipate the unifying regulation in the EU will be echoed around the world and hopefully drive encrypted policy measures within the US in the near future."
To learn more about the GDPR, including how you can use Tripwire's solutions to achieve compliance with its encryption requirements and other security standards, please click here.
