All companies face the risk of cyber-attacks. Encryption is one of the measures a company can implement to limit both the probability and the impact of a data breach. Since the GDPR (General Data Protection Regulation) came into effect in May 2018, many people in the data governance and information security domains have been preoccupied with its impact on encryption.
Although the term “encryption” is mentioned only four times in the GDPR, the regulation is bound to have a significant impact on how companies manage personal data. As businesses continue to adjust to life under the GDPR, one question still lingers: should we consider encrypted data personal data?
What is Encryption?
Encryption entails transforming readable data into an unintelligible, encoded form using an encryption algorithm and a key. Once data is encrypted, it is of little use to attackers who don’t hold the decryption key: even after compromising your system, they won’t be able to make use of the data. Data encryption has become the go-to data protection method for many organizations. Although the GDPR doesn’t directly mention encryption as a prerequisite data protection measure for organizations, the regulation has a significant impact on how cases involving data breaches and non-compliance will be interpreted in the future.
Encryption in the Eyes of the GDPR
Generally, the GDPR takes a binary approach to data. The regulation considers data to be either personal or not. If your organization’s data is personal, the full weight of the regulation applies to you. Therefore, you need to do everything possible to secure the data, including encrypting it. Whether data is categorized as personal depends on whether it can be used to identify an individual directly or indirectly.
Under the GDPR, all organizations should take appropriate organizational and technical measures to protect any personal data in their possession. Even so, the GDPR doesn’t explicitly state how an organization should use encryption to protect its data. Rather, it only recommends encryption as one of the security measures that can be taken.
GDPR’s Global Impact
Although the GDPR aims to protect the privacy of EU nationals, its scope and impact extend far and wide. Companies from different parts of the world interact with EU countries and their citizens in one way or another. Therefore, it’s best to ensure that your company complies with the regulation as well. The GDPR recognizes the significance of data encryption. According to Article 32 of the regulation, the appropriate organizational and technical measures that can be taken to secure personal data include:
- The encryption and pseudonymization of personal data
- Ability to restore access to personal data, and its timely availability in case of a technical or physical incident
- Ability to guarantee the ongoing integrity, availability, resilience, and confidentiality of data processing systems and services
- Implementing a process for regularly testing, assessing, and evaluating the effectiveness of the organizational and technical measures that ensure the security of data processing
An organization that fails to implement these security measures, among others, is at risk of massive data loss if a breach occurs. Ignoring these recommendations means that your organization is non-compliant with the GDPR. Therefore, you stand to be heavily penalized if a breach occurs. Such penalties won’t apply to organizations that have implemented all the security measures recommended by the GDPR.
The Consequences of Failing to Encrypt Your Data
Under the GDPR, there are no specific penalties and fines associated with the failure to implement encryption. Since encryption is merely a data security measure recommended by the GDPR, it’s up to you to decide whether you want to implement it or not. However, it’s best to keep in mind that you can avoid the fines and penalties associated with data breaches if you’ve properly implemented encryption.
Even in cases where your organization has a solid argument for not encrypting its data, it can still be fined for not doing so if a breach occurs. For instance, British Airways was fined a whopping $230 million for a poor cybersecurity posture that led to a breach. The company had failed to implement proper encryption measures to secure its customers’ data. An investigation into the company’s data practices revealed that its data was compromised as a result of poor security measures.
The Future of the GDPR
It’s slightly over two years since the GDPR came into effect, so it is still a relatively new regulation. Even so, your organization should be at the forefront of implementing the regulation’s recommendations, lest it play catch-up in the future. To ensure compliance with the GDPR, it’s best to implement data encryption best practices. Encryption should be the foundation of your organization’s data security, since it closes loopholes that hackers can leverage to compromise your data. In this regard, all sensitive data should be encrypted and the encryption keys kept secure. It’s also advisable to encrypt data both at rest and in transit.
Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go-to-market strategy and execution. Prior to joining Reciprocity, Mr. MacAvoy served in executive roles at Fundbox, a Forbes Next Billion Dollar Company, and Intuit, via their acquisition of the SaaS marketing and communications solution, Demandforce.
Kenneth joined ISACA in 2013 and presently serves as the GWDC Communications Director. He holds the CISM, CISA, PMP, CIPP/G, and AWS CCP.