The GDPR Deadline is Almost Here
How Ready Are You?
Test your knowledge and prepare with the help of our free whitepaper about GDPR & encryption!
Test your knowledge and prepare with the help of our free whitepaper about GDPR & encryption!
This report provides you an overview about the answers and a feedback related to them.We hope that this summary will help you to get ready for the GDPR with end-to-end encryption. It also highlights some suggestions in terms of the regulation and technology of encryption and compliance.
Straggler Budding Padawan Hotshot 0
This report will provide you an overview about the regulation and technology of encryption and compliance
Please complete the form below and we will send you the full summary about your answers and some suggestions to get ready for the GDPR with end-to-end encryption.
Regardless of its size, any company will have to comply with the GDPR. The new data protection regulation will also apply to small businesses, with less than 250 employees if they manage personal data.
Start getting ready for the GDPR, regardless of your company size. Even if your organization is small, implementing data protection measures take time. If you work at a larger company, get better informed about current data protection policies and see how these correlate with the stricter requirements introduced by the GDPR.
Don't suppose that data breaches only happen at larger organizations. SMBs are especially valuable targets for hackers, as they manage lots of confidential information but might have less resources for cybersecurity and data protection. Also, internal breaches caused by employees either by accident or intentionally, are common at all kinds of companies.
This means you should handle the data of your customers, users or staff with utmost care.
Are you sure? The GDPR expands the definition of personal data and under certain circumstances even e.g. online identifiers may qualify as personal data. It can seem you do not work with personal data regularly at the moment. However, you can still manage business data that can be categorized as confidential. Do not forget to choose the most secure way to manage this in order to protect your business.
If you have no idea what kind of data your company works with, it is high time to start data classification and get information about that. Check our webinar on this topic.
Here are some examples of personal data:
You should handle the personal data of your customers and staff with particular consideration. First, classify all data your business teams manage and then identify the riskiest areas and business processes where personal data is managed.
Don't miss the careful re-assessment of your data classification processes. There's much more data items that can fall into the category of personal data than you would think at first sight.
GDPR compliance is complex when you use public cloud-based solutions. Their advantage is that they include many built-in, difficult to implement security and compliance tools and are scalable for business needs. However, depending on their encryption methods, they may store your encryption keys in an accessible way, risking the security of your data and taking away your control. Besides, the data you manage and store with them should enjoy the same level of protection at all stages of processing and it should be handled in accordance with the conditions the data subject has been informed of. The public cloud can be a challenge also because of data residency issues: it isn't always exactly clear where the data is.
On-premises and hybrid solutions: These solutions provide you more control over your encryption keys and data, however, these infrastructures are far more complicated to set up and maintain in a secure way.
Identify how and where you store your data managed by each business processes. Make sure that the encryption keys are under your control in every circumstances.
Do not ignore encryption and data protection even if you don't exactly know, where your collected data is stored. Choose the most secure cloud computing technology and on-premises data storage.
Well done, you are a big step closer to GDPR compliance.
That's good but make sure to get your business prepared until May 25, 2018. The GDPR will apply in all EU countries from that date.
That doesn't sound that great. In order to get GDPR compliant, it is highly recommended to use strong security measures. One of the best ways to be sure that your store, share and process data securely is to use encrpyted solutions.
Why encryption helps GDPR compliance:
Choose security measures recommended by the GDPR such as encryption, anonymisation or pseudonymisation in order to comply with the regulation, protect the personal data you manage and avoid fines in case of a data breach.
Do not miss to set up internal data protection policies. It is not enough to apply secure methods, you also have to keep track of your processing activities so that, in case of an audit, you can prove that you are using them lawfully.
The final responsibility lays at the data controller. However, for the first time, organizations that process the personal data of other companies in the course of providing a service (such as cloud providers or website hosts) will also have direct liability for breaches of the GDPR, including the risk of being fined. You as a processor also need to conclude a Data Processing Agreement with the data controller in which you agree on the conditions of data processing.
As a data controller, you are responsible for the security of the stored data. Make sure to do a due diligence on data processors and third-party services. Check whether they comply with the GDPR or when they are coming from a non-EU country whether they are certified under Privacy Shield or provide data protection model clauses. Conclude Data Processing Agreements. Consider to switch to encrypted services where possible.
Here are some examples of third-party data processor services that have quite big influence on a controller's GDPR compliance. If you use any of them you should be sure that all the data stored by them in a secured way. Remember, that a company can be considered both as a controller and processor at the same time, depending on the data they manage.
Here are some examples for services that are data processors:
Be sure that the cloud solution used by your company meets the requirements of the GDPR (or can prove an equivalent protection either by certifying for Privacy Shield or offering model clauses) and uses secure technologies such as encryption, especially end-to-end encryption. Always conclude a Data Processing Agreement before you engage a service provider.
Do not use providers that are not transparent about how they manage data.
Great, having clear and concise privacy notice provided to clients and employees is a requirement to be GDPR compliant. The GDPR encourages Privacy by Design, this means all processes need to be organized with taking privacy into consideration.
From 25 May 2018, the GDPR will be applied in all EU countries data subjects will need to be provided with privacy notices. You should provide straightforward information on how you manage and secure this data.
You should provide straightforward information on how you manage and secure personal data of your customers, staff and users.
Why it is important to handle personal data with encrpytion:
Under the GDPR, your organization as a data controller is responsible for protecting all personal data you manage throughout its lifecycle, from collecting to forwarding, while managing that with cloud-based services.
The GDPR highlights encryption as one of the appropriate technical organizational and technical measures to ensure data protection.
Inform your clients and employees about the processing of their data when you collect their personal data and manage their data in an encrypted way.
Do not miss to inform your clients and employees about processing of their data and do not process these data insecurely.
Perfect. The data of your clients are stored securely and it means that you are a step ahead to reach GDPR compliance.
The GDPR highlights encryption but doesn't specify the method used, i.e. channel & at-rest encryption vs end-to-end encryption. However, it is crucial to manage encryption keys separately to minimize the risk of the reidentification of personal data in case of a data leak. End-to-end encryption is the best method for ensuring this.
Types of encryption to process personal data:
With channel & at-rest encryption, the cloud provider has access to the encryption keys and the server stores the data in an unencrypted format as well. Thus, in case of a breach, re-identification of the persons from the leaked dataset is technically possible.
With end-to-end encryption, the cloud provider doesn’t have access to encryption keys. The server stores the encryption keys and user contents only in an encrypted format. This way, end-to-end encrypted cloud service providers like Tresorit can never access the contents of user files. The re-identification of persons from the end-to-end encrypted data is infeasible, even in case of a server-side data breach.
Make sure your clients are able to share their data with the most secure process by using end-to-end encrypted cloud services.
Do not ignore the importance of encrypted file and data sharing as using it helps you protect your data from exposure in case of a breach and this save you breach notification and related costs.
The GDPR will apply to all companies who do business within European Union member states by offering goods or services to EU residents or monitor their behavior within the EU, regardless of where they are established. Companies all over the world, irrespective of where they are based, will have to comply with the legislation’s laws on how user data about EU residents is processed, gathered, and stored. For example, this means that a US company has to comply as well, in case they operate in the EU too and manage the personal of data subjects in the EU.
Store your data securely, regardless whether your business is located outside the EU or within the EU. Identify whose data you manage: even if your core business takes place outside of the EU, you might have EU-based suppliers, customers or partners. If yes, you already fall under GDPR as you manage their personal data (email address, name, etc). If you store or collect data that is coming from EU residents, you should be GDPR compliant.
If your company is located outside the EU, this doesn't mean you can ignore EU data protection requirements or regulations. Never manage personal data in an unsecure manner just because your core business takes place outside of EU. Even if your core business takes place outside of the EU, you might have EU-based suppliers, customers or partners. If yes, you already fall under GDPR as you probably manage their personal data (email address, name, etc).
Great! You are well informed and do what is required based on the role of DPO-s.
You should be aware and consider the following:
DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large scale systematic monitoring, or (c) organizations that engage in large scale processing of sensitive personal data. If the organization doesn’t fall into one of these categories, then it does not need to appoint a DPO.
If you are a member one of above mentioned organizations, you need to appoint a DPO as soon as possible.
Do not forget to check what kind of personal data do you work with and do not miss to designate a DPO if you are working with sensitive data.
Under the GDPR, individuals have a right to have personal data erased and to prevent processing in specific circumstances ("right to be forgotten"). For example, personal data must be deleted when it is no longer necessary in relation to the purpose for which it was originally collected/processed. Regardless of whether the information is stored in a large enterprise management system or an office filing cabinet, businesses must be able to prove that their customers or users have the option to ask this and if they do, that every record of an individual's data has been completely wiped.
There are some other types of enterprise softwares categorized by business function:
Always be aware the security practices of the enterprise system used by your company. Make sure that the stored and shared data by them is encrypted. Learn about their data retention policies to see if they can comply with the right to be forgotten requirements if an individual asks for a deletion of their data.
Do not work with insecure service providers as you should also take responsibility for the way they manage data.
You should keep in mind the following: Encryption keeps personal data secure from third party access. In case of a data breach or leak, encryption, and especially end-to-end encryption, makes the re-identification of persons from the leaked datasets impossible with reasonable efforts. Consider revising. E.g. "As a result, incidents may not be considered data breaches thus you will likely not be required to notify your customers and can avoid paying the associated costs and fines.
Pay attention to switch to end-to end encrypted providers where you can in order to avoid fines and keep personal data secure.
Do not use services that are unclear about their encryption technologies.
Popular cloud-based services such as Dropbox, Box or OneDrive usually employ server-side encryption. This means that any data you store on their servers is encrypted using a master key to which the server administrators have access.
End-to-end encrypted cloud: end-to-end encryption technology secures your files on your device with some of the highest-grade encryption methods available. The provider never sees your encryption key, as it never leaves your device in an unencrypted format. This means that your files can't be decrypted in the cloud. This is stronger protection for personal data against possible exposure by data breaches, making GDPR compliance easier for your business.
Popular cloud-based services such as Dropbox, Box or OneDrive usually employ server-side encryption. This means that any data you store on their servers is encrypted using a master key to which the server administrators have access. So we suggest to use end-to-end encryption technology. It secures your files on your device with some of the highest-grade encryption methods available. The provider never sees your encryption key, as it never leaves your device in an unencrypted format. This means that your files can't be decrypted in the cloud. This is stronger protection for personal data against possible exposure by data breaches, making GDPR compliance easier for your business.
Choose end-to-end encrypted cloud-based services where your encryptions keys and so your data stay under your control.
It is not recommended to use cloud services with only server-side encryption because that way your data can be decrypted in the cloud.
Super! It is highly recommended to do audits and internal reviews before the GDPR comes into force.
The GDPR requires organizations to implement reasonable data protection measures to protect the personal data of consumers and employees against data loss or exposure. It is highly recommended to set up audits or internal reviews to be sure that you have these in place and your staff is ware of them.
Organize a security audit or internal review before the GDPR comes into force.
Don't miss creating internal data protection procedures as soon as possible.