Does the GDPR differentiate between different methods of encryption?
The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) and its application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talks about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with reasonable efforts is infeasible. This way, end-to-end encryption with client-side key management represents a stronger protection for the personal data.
What are the advantages of using end-to-end encrypted cloud services?
If a data controller uses an end-to-end encrypted service as processor, the related personal data ‘stays within their company walls’. Therefore, end-to-end encryption has substantial advantages that helps controllers better protect data, making compliance process easier and cost reducing. The data controller will result in compliance with Article 32 GDPR. Secondly, if a strong encryption mechanism is implemented and the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the data controller will likely be exempted from notifying the data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR. Moreover, except the duties of assistance to the controller pursuant to Article 28 GDPR, the processor will likely fall out of the audit scope in case the controller is audited, making compliance and audit process simpler for the controller.
- Protect the personal data of employees, customers, partners, and users. Increase trust for your service and organization by complying with the regulation and using the strongest data protection technology recommended in the text of the law.
- Keep your personal data within company walls. When using encryption, especially end-to-end encryption for managing data in the cloud, your organization’s personal data stays within company walls. Your encrypted cloud-based processor does not technically process personal data, they only manage the encrypted, unintelligible datasets. Even in case of a data breach, encrypted data is not in danger. This can simplify your compliance processes and save you time for working on other GDPR-related requirements. For example, if you’re audited for compliance, your encrypted cloud service might fall out of your audit’s specific scope.
- Reduce your liability in case of a data breach. If you apply encryption, especially end-to-end encryption, you are using an appropriate safeguard highlighted by the GDPR. This can reduce your liability when an event it of data exposure.
- Save costs of data breach notifications and potentially fines. When using encryption, your organization is not obliged to notify your customers or users on data breaches.
Other measures to protect data
What is data minimization?
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Data minimization means that an organization should only process the personal data that it needs to process in order to achieve its processing purposes. In practice, this requires organizations to reduce the collection of personal data to the strictly necessary and to implement permission and access control protocols and tools limiting access to information only to those people who need it within the organization.
How does pseudonymisation protect data?
Pseudonymization is a novel concept in data protection, encouraged by the GDPR. It is a technique of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. Pseudonymous data, together with other security measures such as encryption, reduces the likelihood of identifying individuals, for example in case of a data breach or leak. Pseudonymised information is still considered personal data, but the use of pseudonymisation is encouraged, since it is, among of, a technique which may satisfy requirements to implement “data protection by design and by default”; and it may contribute to meeting the GDPR’s data security obligations.
Is properly end-to-end encrypted data still personal data?
Data controller’s end-to-end encrypted documents, such as a spreadsheet with employee details stored with Tresorit, may contain personal data. As the data controller has the encryption key to decrypt the files, they can re-identify the person the data belongs to. However, from the perspective of the end-to-end encrypted and in particular for data processors like Tresorit, this spreadsheet does not contain any personal data because Tresorit, as service provider, does not have the decryption keys to the files, thus is unable to re-identify the persons. Because of this, using end-to-end encrypted service providers may contribute to the security of processing operation done by controllers, as well as to providers acting as data processors on behalf of them. For example, if encryption algorithm is particularly strong, data controllers will likely be exempted from notifying a personal data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR.
What is the difference between encrypted data and anonymous data?
While encryption is one of the “appropriate technical and organizational measures” to protect data according to Article 32 GDPR, anonymous data is any data that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. In other words, encryption relates to security of personal data whilst anonymization refers to permanent de-identification. The GDPR applies to encrypted data but it does not apply to anonymized data.