Encryption Under GDPR

The General Data Protection Regulation (GDPR), a law passed by the European Union, aims to protect the rights and freedom of people in the EU. It requires organizations to follow specific standards while processing personal data of people. With this, the GDPR aims to safeguard the data and hence the privacy of people. The terrestrial scope of the Regulation is broad. You could be operating from anywhere in the world yet accountable to comply with the GDPR if you collect and process the data of EU residents.

Read more about GDPR here.

Protecting the personal data of people is the responsibility of an organization, and there are many ways to ensure security to data. Encryption is one way to achieve this. GDPR believes so too. Article 32 of the GDPR lays out requirements for the secure processing of personal data. Pseudonymization and encryption are two of the “technical and organizational” measures it lists for the security of processing. This blog post discusses encryption and what the GDPR says about it.

Encryption is a mathematical technique to convert personal data into codes that only authorized users can access. It protects the data from unauthorized or unlawful processing. Not all data require encryption. However, it depends on if the processing activity poses a threat to the rights and freedom of the users. It is an effective method to protect data during storage or transfer. 

Pseudo-random keys, generated by algorithms, are used to encrypt or decrypt data. You can access the data using this key. Therefore, you must make sure to handle it safely.

There are two types of encryption:

Symmetric – where the same key is used for both encryption and decryption. 

Asymmetric – where different keys are used for encryption and decryption.

Unprotected data may be subject to damage or loss. You can avoid data loss or destruction and the threat to people’s privacy because of a breach if you use techniques like encryption at the right time. GDPR fines for unlawful handling of data is massive – 20 million euros or 4% of your annual global turnover, whichever is higher. 

The GDPR document does not discuss specific requirements. However, ICO lays down the following crucial points to consider while carrying out the technique, which you could apply to protect the data:

• Choose the right algorithm, key size, and encryption software required for encryption depending on the severity of your processing activity. 
• Always store the keys safely.
• Regularly review and ensure that the key size is appropriate and large enough to protect against any loss or damage to data.
• Ensure you have processes in place to generate new keys if necessary.
• Make sure the software meets FIPS 140-2 and FIPS 197 standards.
• Periodically asses your methods for any vulnerability.

Furthermore, here is a checklist provided by the ICO:

Data protection before processing them is crucial since it is closely associated with the GDPR compliance. Consequences of failing to protect the personal data will not only result in strict fines or penalties, but you could lose the trust users have in you. Make use of tools like encryption to make sure that does not happen.