Encryption has been a hot topic of discussion during the implementation phase of most data privacy laws. In the age where organizations are dealing with large volumes of data each day, the protection of this sensitive data is critical. The data, which is seen as a business-critical asset for organizations, should be protected against malicious hackers looking for opportunities to steal the data. For these reasons, most data privacy regulations call for organizations to encrypt their data to help to prevent against cyber-attacks.
Today’s article is about one such data privacy law that repeatedly mentions the adoption of encryption. GDPR is a data privacy law in the EU that mentions the use of encryption. Although not mandatory, it is yet seen as a best practice for protecting personal data. So, let us first understand what data encryption is and then understand the role of encryption in GDPR compliance.
What Is Data Encryption?
Data encryption is a process or technique of translating data from text to hashed code that can only be decrypted with a special key. This is one of the most effective processes that organizations can incorporate to enhance their data security measures.
The purpose of encrypting data is to maintain the confidentiality of sensitive data. Oftentimes, unencrypted data, which is stored in computers, on servers or transmitted using insecure internet or insecure computer networks, can result in data breaches. Having stored or transmitted unencrypted data can jeopardize the confidentiality of the data and lead to data sprawl and hacking.
Benefits of Data Security Encryption
Encryption plays a crucial role in the security of data. Encryption algorithms ensure the confidentiality, privacy and integrity of the data. It also ensures authentication, access controls and non-repudiation of sending data. There are more benefits to incorporating the technique of data encryption. Provided below are some reasons why data should be encrypted.
- Data Protection – Data encryption ensures complete protection of data against any kind of hack or threat. The sensitive data cannot be accessed by unauthorized personnel, nor can it be stolen in any way.
- Secure Data Transmission – Encryption of data also ensures secure storage and transmission of data. So, even if the data is being transmitted through an unsecured network, you can still be rest assured of it remaining confidential. Files that are shared or uploaded to cloud systems will remain safe throughout the process of transmission.
- Data Integrity Maintained – The risk of data alteration is often overlooked. However, by encrypting data with a digital signature or a checksum, it will be secured against unauthorized alterations of data; even in the case that an incident happens, it will still be easily detected. In other words, tampering with data can be identified in the event that the data is compromised.
- Ensure Compliance – Compliance is extremely important for businesses, and so they are expected by the law to comply with industry regulations and standards. Encryption is one of the safest techniques that businesses can adopt to securely transmit and store data and thereby comply with the various data privacy and security standards.
So, what does encryption have to do with GDPR? For a better understanding, let us take a closer look at the GDPR and its requirements.
What Does the Regulation Say About the Encryption Requirement?
The General Data Protection Regulation (GDPR) is a data privacy law that requires organizations to implement measures to protect the privacy, integrity and confidentiality of data. Although the regulation does not mandate or explicitly call for data security encryption, it requires organizations to enforce the best security measures and safeguards. The Regulation recognizes the risk exposure concerning the processing of personal data, and so it places the responsibility on the controller and the processor in Article. 32(1) to implement appropriate technical measures to secure personal data.
While the regulation does not specify technical and organizational measures to be considered, it does emphasize encryption techniques. Despite not being a mandate, the GDPR Regulation repeatedly mentions encryption and pseudonymization as appropriate technical and organizational measures for GDPR data security. The regulation clearly places the responsibility on the controller or processor to decide where encryption should be implemented.
Encryption of personal data in general offers additional benefits for controllers and/or processors. So, in the event that encrypted data is misplaced or there is a loss of a storage medium that holds encrypted personal data, this incident might not be considered to be a data breach in terms of penalties provided the incident is reported to the data protection authorities. Again, if there is an incident, the authorities may take into consideration the use of encryption in their decision on imposing fines as per Article 83(2)(c) of the GDPR.
Encryption can be a highly effective technique for achieving GDPR compliance. Although GDPR encryption requirements are not mandatory, it is yet a powerful technique for data security, as it converts or encodes information into a non-readable format that only an authorized party can access and read. This way, a GDPR data encryption strategy can work out to be beneficial for your organization, especially when it comes to preventing data breaches.
Regardless of whether the GDPR or another regulation applies to your organization, encryption forms an integral part of any organization’s data security strategy. Implementing data encryption will prevent your organization from being vulnerable to a data breach and costly fines, which may be much higher than the cost of implementing encryption.
About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the founder and director of VISTA InfoSec, a global information security consulting firm based in the United States, Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance & audit, PCI PIN, SOC2, PDPA and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.