Simplify your GDPR compliance with end-to-end encryption

The GDPR is a game-changer in data protection. Use your compliance process as an opportunity to improve the data security of your staff and customers. Discover how encryption helps you in this.

Why GDPR matters to your business

  • Applicable from May 25, 2018

  • Fines up to 4% of global revenue

  • Applies to every company doing business in the EU

  • Chance to enhance consumer trust

Make the cloud GDPR-friendly

Cloud-based applications make your life more convenient. They could create risks for your data, though. Under the GDPR, you as a data controller are responsible for protecting all personal data you manage throughout its processing lifecycle. With encryption, syncing & sharing your data conveniently in the cloud while being compliant with the new law is easy.

  • Choose the best safeguard for your data

    The GDPR highlights encryption as an appropriate technical measure to keep your data secure. This makes encryption the new standard of data protection.

  • Render personal data non-readable

    With proper end-to-end encryption, you minimize the risk of data exposure to third-party services and hackers: re-identification of persons from the leaked encrypted data is infeasible.

  • Minimize data with encryption & access management

    The GDPR obliges you to minimize the personal data you store and handle. Access control, encryption, and client-side key management help you maintain full ownership of who is seeing what in your organization.

“The GDPR makes personal data protection a top priority for any organisation. Using robust end-to-end encryption to safeguard personal data is both a responsible choice and a key step towards compliance.”

Paolo Balboni

Paolo Balboni, Ph.D., Founding Partner of ICT Legal Consulting and President of the European Privacy Association

Switch to end-to-end encryption for the highest level of data protection

With end-to-end encryption, your encryption keys that unlock your data are stored on the client side, on your device. Unlike in-transit or at-rest encryption, only you and those who you share with have access to the data. This technology ensures the highest protection for personal data from third party access.

Learn more about Tresorit security >>

Encryption helps your business towards compliance

The GDPR is a comprehensive regulation. Encryption is no silver bullet to solve all challenges, but it helps in many aspects.

  • Keep personal data within company walls

    Enjoy the convenience of collaborating in the cloud, while protecting personal data as if it were on-site. With end-to-end encryption only you have access to the keys and personal data belonging to your customers and employees never leaves your devices.

  • Minimize the risks of data breach & exposure

    Using encryption reduces the liability of data controllers.When using encryption, you don’t have to communicate about data breaches to the data subjects, saving costs and efforts.

  • Ensure data consent compatibility

    All data processing should have a legal basis which most of the time means getting the explicit consent of the user. If you use end-to-end encryption to protect personal data, processing it in the cloud is simpler.

  • Make audit processes easier

    If you’re audited for compliance, your encrypted cloud service might fall out of the audit scope. This makes the process less of a hassle.

Whitepaper

Interested in learning more on getting ready for the GDPR with end-to-end encryption?

Download our whitepaper

GDPR & Encryption FAQ

  • What is the GDPR?

    The General Data Protection Regulation (GDPR) is a comprehensive set of data protection rules. The aim of the legislation is to provide the same high level of data protection for EU residents in all EU countries with a unified legal framework across all member states. In contrast to the previous legislation, which was only a directive to be adopted by national legislation to be effective, the GDPR is immediately binding for and applicable in all European member states. The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure.

  • When is it coming to effect?

    The GDPR entered into force on 24 May 2016 and it will directly apply in all EU Member States from 25 May 2018. Organizations have less than a year to prepare for compliance.

  • Who is affected by the GDPR?

    The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that process personal data, but also to any non-EU established organization that process personal data of individuals who are in the EU in order to: a. offer them goods or services, irrespective of whether a payment is required; b. monitor their behavior within the EU.

  • What is personal data?

    Personal data is any information relating to an identified or identifiable natural person (‘data subject’); such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

  • How does the GDPR affect organizations who store and share personal data with cloud-based services?

    The GDPR’s aim is to protect personal data at all stages of data processing. The GDPR identifies two different entities that both have obligations: data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data. For example, educational and research private and public institutions, healthcare services, or any business that manages the personal data of their employees and customers. A data processor is an entity which processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service like CRM software).

  • Are data controllers responsible for their data managed by data processors?

    Yes, data controllers are responsible to protect personal data whenever they use third-party services (data processors) to manage data in the cloud, and therefore should use services that provide the highest protection. With the GDPR, all data processing must have a lawful basis, such as explicit consent from the persons (“data subject”). Data controllers must further process data with third-party processors by protecting data in a compatible way with the original legal basis and applying safeguards like encryption.

  • What security measures does the GDPR recommend to protect data?

    The GDPR prescribes that controller and processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including for instance the pseudonymization and encryption of personal data, Moreover, the GDPR highlights the principles of Data Protection by Design, which means organizations must develop data protection processes and products with privacy in mind from the ground up, and Data Protection by Default which ensures that only personal data that are necessary for each specific purpose of the processing are processed.

  • How does pseudonymisation protect data?

    Pseudonymization is a novel concept in data protection, encouraged by the GDPR. It is a technique of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. Pseudonymous data, together with other security measures such as encryption, reduces the likelihood of identifying individuals, for example in case of a data breach or leak. Pseudonymised information is still considered personal data, but the use of pseudonymisation is encouraged, since it is, among of, a technique which may satisfy requirements to implement “data protection by design and by default”; and it may contribute to meeting the GDPR’s data security obligations.

  • Is properly end-to-end encrypted data still personal data?

    Data controller’s end-to-end encrypted documents, such as a spreadsheet with employee details stored with Tresorit, may contain personal data. As the data controller has the encryption key to decrypt the files, they can re-identify the person the data belongs to. However, from the perspective of the end-to-end encrypted and in particular for data processors like Tresorit, this spreadsheet does not contain any personal data because Tresorit, as service provider, does not have the decryption keys to the files, thus is unable to re-identify the persons. Because of this, using end-to-end encrypted service providers may contribute to the security of processing operation done by controllers, as well as to providers acting as data processors on behalf of them. For example, if encryption algorithm is particularly strong, data controllers will likely be exempted from notifying a personal data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR.

  • What is the difference between encrypted data and anonymous data?

    While encryption is one of the “appropriate technical and organizational measures” to protect data according to Article 32 GDPR, anonymous data is any data that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. In other words, encryption relates to security of personal data whilst anonymization refers to permanent de-identification. The GDPR applies to encrypted data but it does not apply to anonymized data.

  • How does encryption help with protecting data and compliance?

    Encryption is underlined as an example of “appropriate technical and organisational measures” and an appropriate safeguard to protect data. The GDPR states that if the controller has implemented encryption to its personal data, in case of personal data breach, affected personal data are likely be unintelligible to any person who is not authorised to access it. Hence, such data breach is unlikely to result in a risk to the rights and freedoms of affected natural persons. The result is that the controller may not be required to communicate the data breach to affected data subjects, pursuant to Article 34 GDPR. All in all, encryption reduces the risks of processing data in the cloud, as it reasonably makes re-identification of leaked personal data impossible with reasonable measures. The more the encryption algorithm is strong, the more it may reduce the liability of data controllers.

  • Does the GDPR differentiate between different methods of encryption?

    The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) and its application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talks about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with reasonable efforts is infeasible. This way, end-to-end encryption with client-side key management represents a stronger protection for the personal data.

  • What are the advantages of using end-to-end encrypted cloud services?

    If a data controller uses an end-to-end encrypted service as processor, the related personal data ‘stays within their company walls’. Therefore, end-to-end encryption has substantial advantages that helps controllers better protect data, making compliance process easier and cost reducing. The data controller will result in compliance with Article 32 GDPR. Secondly, if a strong encryption mechanism is implemented and the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the data controller will likely be exempted from notifying the data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR. Moreover, except the duties of assistance to the controller pursuant to Article 28 GDPR, the processor will likely fall out of the audit scope in case the controller is audited, making compliance and audit process simpler for the controller.

  • What is data minimization?

    Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Data minimization means that an organization should only process the personal data that it needs to process in order to achieve its processing purposes. In practice, this requires organizations to reduce the collection of personal data to the strictly necessary and to implement permission and access control protocols and tools limiting access to information only to those people who need it within the organization.

  • What are the sanctions and liabilities if a company doesn’t comply?

    Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of global annual turnover of the controller, whichever is bigger. Moreover, both controller and processors are subject to joint liability for damages.

  • Does a controller have to sign a Data Processing Agreement with the processor in all cases?

    Data controllers shall stipulate an agreement with Tresorit, who is acting as data processor, when they intend to use it for the processing of personal data. Such data processing agreement shall cover all the requirements set forth in Article 28 GDPR, such as the type of personal data processed by the data processor, the duration of the processing activities, the nature and the purposes of the processing, the categories of data subjects and the obligations and rights of the controller. The Terms of Use of a service provider can cover this as well.

Join the companies already using Tresorit for compliance

"We're facing the requirements of GDPR. Tresorit is vital to help us comply with these regulations, protect data from unauthorized access, and still allow us to have access to important information whenever needed.

– Dr. Helmut Mayer, Verein Magnus - Hilfe bei Autismus

"With reports on data breaches in the news on a constant basis and given the confidentiality requirements of our work, encryption removes a very serious concern that arises when considering cloud storage."

– Mark Morgan, Stella's Voice,

"With Tresorit, we know our (client) data is in safe hands. Access from anywhere is easy and reliable."

– Beatrice Wespi, smartwebsites gmbh

Protect your data with Tresorit

“Easy-to-use, secure cloud service” – Peter Aleshkin, Kaspersky Lab