Is encryption the best way to implement GDPR?
The new EU data protection framework, also referred to as the General Data Protection Regulation (GDPR), will go into effect on May 25th 2018. It comes with potentially heavy fines and applies to every company doing business in Europe.
Encryption is the only specific technology the regulation names as a recommended means of achieving compliance. Are you ready?
Are you using encryption technology to implement GDPR?
And if so, are you doing it right? What are the best practices? Why use HSMs?
The key questions that companies need to ask themselves are:
- Does the GDPR apply to my organization? Even if my organization is based outside of the EU? Even if I am not storing or processing data in the EU – either in the cloud or on-premises?
- What security strategy should businesses employ to ensure the proper protection of personal data and thereby avoid fines?
- Are we using suitable technology to protect the personal data in question?
What is GDPR trying to achieve?
The new EU GDPR, which comes into effect on May 25th 2018, defines the minimum standards for handling, securing and sharing personal data. The overall aim of the GDPR is NOT to prevent the movement of data within or beyond the EU. On the contrary, its main aim is to facilitate the movement of personal data, much as the EU facilitates the free movement of goods and persons. The GDPR also recommends the creation of standards so that exchanging data becomes easier. At the same time, however, it aims to protect an individual person’s right to own their personal data and to have it edited, removed and protected from abuse.
According to the GDPR “Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.” (Article 4)
Encryption – the silver bullet to become GDPR compliant?
The GDPR requires you to take a number of measures, ranging from appointing a Data Protection Officer to using “state of the art” technology to protect personal data.
The main mechanism the GDPR recommends is pseudonymization: processing personal data so that it can no longer be attributed to the person it belongs to, which is achieved through encryption. Even if the data is stolen, it is unintelligible without the key and thus cannot be abused.
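The following is an added example of that pseudonymization step, not code from Utimaco or from the page itself. It assumes AES-256-GCM from Go's standard library, a randomly generated key that stands in for one generated and held inside an HSM, and a constructed customer record; the record ID is bound to each token so a ciphertext copied to another record cannot be decrypted there.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newAEAD wraps a 32-byte key (AES-256) in GCM. In production the key is
// generated inside the HSM and never sits next to the data it protects.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// pseudonymize replaces one personal-data field with base64(nonce||ciphertext);
// the record ID is associated data, so a token moved to another record fails to decrypt.
func pseudonymize(aead cipher.AEAD, recordID, field string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, []byte(field), []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}
// reidentify reverses pseudonymize; it needs the key and the matching record ID.
func reidentify(aead cipher.AEAD, recordID, token string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(token)
	if err != nil || len(ct) < aead.NonceSize() {
		return "", fmt.Errorf("malformed token")
	}
	pt, err := aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], []byte(recordID))
	if err != nil {
		return "", err // wrong key, tampered token or wrong record: nothing is revealed
	}
	return string(pt), nil
}
func main() {
	key := make([]byte, 32)
	rand.Read(key) // stand-in for a key generated and held in the HSM
	aead, _ := newAEAD(key)
	token, _ := pseudonymize(aead, "cust-1042", "alice@example.com") // constructed sample
	email, _ := reidentify(aead, "cust-1042", token)
	fmt.Printf("stored: %s\nre-identified: %s\n", token, email)
}
```

Only the holder of the key (in practice the HSM) can turn the stored token back into the e-mail address; a stolen database row yields nothing usable.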
Utimaco: GDPR – why encryption is so important to avoid fines