GDPR countdown: Encrypt now to get ready

Organizations have exactly one year to prepare for the new EU data protection regulation called the GDPR. To discuss what to expect from the coming regulation, we have talked to other privacy-first, end-to-end encrypted services CryptTalk, Lavabit, ProtonMail, Tutanota, Threema, and Wire. We all believe that GDPR creates a real opportunity for businesses to better protect employee and customer data. End-to-end encryption will play a crucial role in this process. 

Businesses have one year to prepare for the GDPR: the new data protection regulation comes into force on May 25, 2018. With the aim of unifying data protection legislation across the European Union, the new regulation sets strict requirements for managing personal data for every business and organization who have EU-based employees and customers.

GDPR compliance: an opportunity for companies to protect data

“The GDPR is the first step in creating the privacy regulation that works on a large scale, and end-to-end encryption will play a key role in that. We’re proud to partner with other end-to-end encryption providers, that share the same commitment to providing the highest level of security and privacy. Together we can help legislators and businesses understand the advantage of end-to-end based solutions in securing consumer and business data with tools that are easy to use and integrate within existing business processes”, says Alan Duric, CEO and co-founder of Swiss-based encrypted team messenger Wire.

“Reaching GDPR compliance is not merely a compliance process, but a real opportunity for all organizations to enhance the trust of consumers in digital services, and take significant steps towards better protecting staff, customer, and business data”, our co-founder and CEO Istvan Lam says. “Encryption is a tool which helps to secure personal data, but does not solve all GDPR requirements alone. There are challenges out of the scope of encryption, which need to be addressed. However, encryption helps businesses worry less about managing data in the cloud and focus on other matters”, he adds.

“We see GDPR as a chance for businesses to join the privacy movement”, says Matthias Pfau, co-founder of encrypted email service Tutanota. “We as well as other privacy-focused services see by the influx of new users that the privacy movement is growing fast. More and more people want their data to be handled and stored securely. This comes as no surprise as the scandals about data breaches constantly grow in numbers and dimensions. Soon companies who do business in Europe will be obliged to secure their customers’ and employees’ data. At first sight, this might seem like a big hassle to most companies while in fact it is a huge opportunity: By protecting their customers’ data, companies will gain a competitive edge because more and more people realize that their data is valuable and that it must be protected.”

Strong data protection hopefully echoed by policy change in the US

“Organizations must make sure their communication tools are both secure and privacy-compliant. The EU taking action to protect user data is certainly a step in the right direction”, says Roman Flepp, press officer at Threema, the end-to-end encrypted messenger from Switzerland.

“In the past decade, the way business handle sensitive data has been completely revolutionized”, says Dr. Andy Yen, Founder/CEO of Swiss encrypted email company ProtonMail, “and GDPR provides a long overdue update to the regulatory framework surrounding data protection.”

“The GDPR is a critical step in protecting user privacy and ultimately digital freedom. The use of end-to-end encryption is moving into the mainstream and starting to be measured in not only lives protected but in dollars saved as businesses look to protect their customers most valuable assets – their data.  We anticipate the unifying regulation in the EU will be echoed around the world and hopefully drive encrypted policy measures within the US in the near future”, adds Ladar Levison, Founder of encrypted email service Lavabit.

“To achieve GDPR compliance, organisations will have to secure all communication channels with customers. Emailing, file sharing, messaging and voice calls should be protected by the same high standards. GDPR will require all-around data security from organisations”, adds Szabolcs Kun, co-founder and CEO of CryptTalk, the secure mobile calling service developed by Arenim Technologies AB that protects calls against interception and eavesdropping. 



With GDPR, encryption becomes the standard data protection technology

The GDPR highlights encryption as an appropriate technical measure to safeguard data, therefore making it a key technology measure to demonstrate GDPR compliance. The new legislation states that encryption makes data unintelligible to any person who accesses that in the case of a data breach. This way, companies using encryption can avoid breach notification and its costs, as personal data is not endangered.

Not all encryption is created equal though: encryption keys should be stored separately and data should be encrypted on the client side before being uploaded to the cloud. Unlike in-transit and at-rest encryption, end-to-end encrypted services store encryption keys at the client side. This guarantees that the encrypted data is never readable for the service provider. In case of a data breach, only encrypted data leaks, and re-identification of personal data is infeasible.