Is Encryption Mandatory for GDPR Compliance?

Most people in the Information Security/Data Governance world at the moment are consumed with the new General Data Protection Regulations (GDPR) which come into force on May 25th, 2018. The changes it brings are significant and will have an impact on every UK citizen.

This article is not going to explain the multitude of changes or cringe at the hefty fines you will be subject to if you fail to comply. The purpose of this post is to alert you to the hordes of ‘solution providers’ selling products and services that will ‘ensure’ compliance with the new standard.

Read the Regulations

The new regulations are, without doubt, an improvement. And at only 260 pages, they are actually a decent read. If your suppliers are on the warpath to sell you services that will help you be better prepared for the Regulations, then the least you can do is read the Regulations and make the effort to understand them before you open your wallet. You really don’t need to be a data protection lawyer to grasp what the regulations mean. You might need to seek clarification on how to interpret some of the clauses to address a specific operational issue, but you shouldn’t have too much of a problem understanding key aspects of the regulations.

There are no Silver Bullets

We’ve seen several vendor presentations stating that by deploying encryption, you will ensure that you are compliant with GDPR. We’ve even heard of people quoting percentages like “by encrypting your data, you will be 70% compliant.” Fortunately, in most cases, said vendor has the perfect solution to deliver the magic percentage.

The Encryption Myth

To clarify: of the 260 pages of GDPR, the word ‘Encryption’ appears on only 4 occasions:

  • “…implement measures to mitigate those risks, such as encryption.” (P51. (83))
  • “…appropriate safeguards, which may include encryption” (P121 (4.e))
  • “…including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data.” (P160 (1a))
  • “…unintelligible to any person who is not authorised to access it, such as encryption” (P163 (3a))

Do the terms ‘may’, ‘such as’ and ‘as appropriate’ indicate that Encryption is mandated by GDPR? We don’t believe so. Conversely, do these terms suggest that Encryption is a potential option and a good idea? Indeed, they do.

Some are hanging on to the idea that if the data is Encrypted, then reporting a Data Breach to the data subjects is not necessary (as per Article 34). But hold on. If there is a breach, and the data is Encrypted then there may not be a regulatory requirement to inform the Data Subject. However, what if news gets out that you had a breach? What will be the impact on your reputation? Do you have a moral obligation regardless of regulatory requirement?

Encryption

It’s arguable that encryption is the most technical word in the regulation, but it gives no real context (e.g. Encryption at rest? Encryption in transit? At what point is it Encrypted? What level of Encryption? Is Triple-DES ok? Do I need AES?).

The point is simply that the GDPR is far-reaching, but complying with it is not just a technical feat. It needs to be addressed as a business challenge. It has the best interests of the Data Subject at its core, and trying to reduce it to a few ‘sound bites’ and technical tools is not the answer. It deserves more consideration than that and so do the Data Subjects it’s there to protect.