Our latest seminar, held just a month before the GDPR comes into effect, attracted more participants than ever. This time, we decided to discuss what is probably the most feared element of the new data protection regulation: handling data breaches. Besides giving some legal background, our aim was to show that even what might look like a banal incident can qualify as a data breach and entail serious consequences.
The Facebook-Cambridge Analytica data scandal, Uber’s data breach, or the Equifax hacking scandal are probably the cases that come to mind when we think of a data breach. However, it is not only the major incidents that make the headlines that constitute a data breach.
It has certainly happened at your company that one of your colleagues sent an email with a confidential attachment to the wrong recipient. This can qualify as a data breach, even if only one person is affected. Having a work laptop or iPad without proper passcode protection stolen can also lead to a data breach. But a data breach can happen in the physical world as well: if you leave confidential documents unattended on your desk and, upon returning to your office, you see some strangers in the corridor, you may also need to act. As a data controller you are required to assess any case where there is a likelihood of a breach.
In a previous blog post, we have already discussed in detail how end-to-end encryption can help mitigate the risk of data breaches and get you ready for the GDPR. This time, we will focus on the most recurring questions that came up during our webinar and try to provide some clarity on them.
Does the GDPR differentiate between different types of encryption technologies?
The GDPR does not, but the Article 29 Working Party, soon to be transformed into the European Data Protection Board, describes end-to-end encryption as the strongest guarantee of confidentiality.
Am I protected against data breaches if I use secure, end-to-end encryption?
Secure, end-to-end encryption can help protect against confidentiality breaches (unauthorised or accidental disclosure of, or access to, personal data) and against integrity breaches (unauthorised or accidental alteration of personal data). However, it does not help in case of an availability breach, where there is an accidental or unauthorised loss of access to, or destruction of, personal data.
What’s the difference between server-side and end-to-end encryption in terms of consequences of a data breach?
In the case of server-side encryption, data is decrypted on the servers and hence could be obtained by hackers in intelligible form. However, if data is end-to-end encrypted, even if the servers are breached, personal data can only be obtained in unintelligible form. In this case, a confidentiality breach may not need to be notified to the supervisory authority or to the data subjects, as it is unlikely to result in a risk to people’s rights and freedoms.
How do you define strong encryption? How can I know hackers can’t decrypt data obtained from our cloud service provider?
First, you need to check what type of encryption your cloud provider is using. In the case of server-side encryption, the provider has the key and can decrypt the information on its server. In this case, if the cloud provider loses control of the key, then you have a problem. However, in the case of end-to-end encryption, information reaches the cloud in encrypted form and only you, who hold the key, and those you choose to share it with can access it. In this case, if the cloud is breached only the encrypted information can leak, hence you don’t need to notify the authorities or your customers.
As to whether the encryption is strong, there are standardization bodies which keep track of what currently counts as strong encryption. Currently, AES-256 is considered strong encryption. But it is important to know that this is just one algorithm inside a larger cryptographic suite. You also need to make sure the key is strong enough, managed securely, and generated with cryptographically secure algorithms. You should ask your cloud provider what encryption they are using and why they think it’s secure.
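To make the three breach types (confidentiality, integrity, availability) and the server-side versus end-to-end distinction concrete, here is an added example in Go. It is not part of the original post and is not Tresorit’s code; it models a cloud store in both configurations and assumes AES-256-GCM with a 256-bit key derived by SHA-256 from a passphrase (a simplification; a real client would use a salted password KDF or random keys). The names CloudStore, Seal, Open, Upload, BreachView and TamperDetected are invented for the illustration, as are the sample record and secrets. BreachView shows what a full compromise of the provider yields in each configuration, TamperDetected shows how authenticated encryption turns an integrity breach into a decryption failure the client can act on, and calling Open with any key other than the one used to seal shows the availability caveat: a lost key makes the data as unreadable to its owner as to an attacker.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CloudStore models a provider's storage; ServerKey is set only for server-side encryption.
type CloudStore struct {
	Objects   map[string][]byte
	ServerKey []byte
}

// DeriveKey makes a 256-bit AES key from a secret (illustration only; use a salted KDF in practice).
func DeriveKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; the random nonce is prepended to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; the GCM tag check fails on a wrong (or lost) key and on any altered byte.
func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Upload: server-side encryption means the provider encrypts with its own key (it must be able
// to decrypt to serve the file); end-to-end encryption means the client encrypts before upload.
func Upload(s *CloudStore, name string, clientKey, plaintext []byte) error {
	key := clientKey
	if s.ServerKey != nil {
		key = s.ServerKey
	}
	blob, err := Seal(key, plaintext)
	s.Objects[name] = blob
	return err
}

// BreachView models a full compromise of the provider: the attacker copies the storage and any
// key kept there. Whether the copy is intelligible is what decides whether notification is due.
func BreachView(s *CloudStore, name string) (intelligible bool, data []byte) {
	blob := s.Objects[name]
	if s.ServerKey != nil {
		if pt, err := Open(s.ServerKey, blob); err == nil {
			return true, pt
		}
	}
	return false, blob
}

// TamperDetected flips one stored byte: authenticated encryption turns a silent integrity
// breach into a decryption failure the client can act on.
func TamperDetected(s *CloudStore, name string, clientKey []byte) bool {
	altered := append([]byte(nil), s.Objects[name]...)
	altered[len(altered)-1] ^= 0x01
	_, err := Open(clientKey, altered)
	return err != nil
}

func main() {
	client := DeriveKey("client-passphrase") // constructed secret
	for _, serverKey := range [][]byte{DeriveKey("provider-master-key"), nil} {
		s := &CloudStore{Objects: map[string][]byte{}, ServerKey: serverKey}
		_ = Upload(s, "customers.csv", client, []byte("constructed sample: customer 42, address"))
		ok, data := BreachView(s, "customers.csv")
		fmt.Printf("serverSide=%v intelligible=%v bytes=%d\n", serverKey != nil, ok, len(data))
	}
}
```

Run it with `go run .`: the server-side store reports `intelligible=true` because the attacker who copies the storage also holds the provider’s key, while the end-to-end store reports `intelligible=false` and only opaque bytes. The same Open call that refuses an attacker’s guess also refuses the owner after a key loss, which is why encryption does nothing for availability and why key backup and management matter as much as the algorithm.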
At Tresorit, we use zero knowledge, end-to-end encryption, and are continuously looking at the latest algorithms and implement them in the most secure way. For more info on our encryption, see here.
Does my company need to sign a Data Processing Agreement (DPA) with all the online services we use to send and store personal data (email, cloud, CRM, etc.)? What about the free cloud services we use to store our documents, will those be compliant under the GDPR?
Whenever you entrust a third party to process personal data on your behalf, they act as a processor or sub-processor. Therefore, you need to have a DPA in place. Usually cloud providers that offer accounts for free do not provide DPAs. You have to check whether the free tools available are also GDPR compliant as you might be liable if there is any unlawful processing on their side. If the service does provide a DPA, you have to check what it contains and make sure it’s compliant with the obligations you have undertaken in respect of the data subjects whose personal data you process.
At Tresorit, we sign DPAs with our subscribed business customers in respect of the personal data that they share with us in an intelligible form.
Who is eligible to provide the confirmation that a company is GDPR compliant? There is a certification body for ISO standardization; is there a body, process, or certificate to confirm GDPR compliance?
Before the 25th of May, there is no certification on the market that has been approved by the Article 29 Working Party. This is key to keep in mind, as there are players on the market who are already selling certifications. However, as far as we are aware, there are some organizations that are working on setting up a code of conduct and a certification scheme. Maybe towards the end of the year, there will be certifications available.
Available security management certifications on the market, such as ISO 27001 certification, are important for GDPR, but they are not enough. A company that is ISO 27001 certified is on the right track for GDPR compliance, but more needs to be done to fulfill the legal requirements.
As a small company, how shall we assign the role of the data protection officer (DPO)? Can the CEO be the DPO?
You need to evaluate first whether your company needs a DPO. A DPO is needed, for example, when the core activity of the organization is processing sensitive personal data (health or judicial data) at a large scale. A DPO is also needed if the core activity is monitoring the behavior of data subjects (companies active in online behavioral advertising, for example). If you fall under one of these cases, the requirements are the same for any business, be it small or large.
The officer must have two key competences: IT and legal. The DPO’s responsibilities have to be undertaken by one person, but you can create a team to support the work of the DPO. For example, you can choose an IT compliance person to work together with a privacy lawyer. If you don’t find the right person inside your organization, you can also outsource this activity. However, choosing your CEO to assume this role is not an option, as it is likely to constitute a conflict of interest. The DPO cannot be somebody who takes decisions on behalf of the company with respect to the data processing activities.
The materials available on this website are for informational purposes only and do not constitute legal advice. To obtain advice with respect to a particular issue, you should contact your attorney.