GDPR (General Data Protection Regulation) Compliance Requirements

What is the General Data Protection Regulation (GDPR) & How to Comply? Overview

The General Data Protection Regulation (GDPR) is a comprehensive regulation that unifies data protection laws across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data. Consequently, it describes strict requirements for companies and organizations on collecting, storing, processing and managing personal data. Businesses have little time and a lot of challenges to comply with the requirements, as they have to adopt their existing processes and services they use to collect and handle the personally identifiable data of their employees and customers.

“The GDPR will change not only the European data protection laws but nothing less than the world as we know it.”

– Jan Philipp Albrecht, MEP, EU rapporteur on GDPR

Requirements of the GDPR regarding the protection of personal data

The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure. Article 5. of the GDPR summarizes the most important principles and requirements regarding the management of personal data:

  • Lawfulness, fairness, and transparency: personal data should be processed in a lawful, fair and transparent manner
  • Limited purpose: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a way not compatible with those purposes
  • Data minimization: the collection of personal data should be limited and data collected must be relevant to accomplish a specific purpose
  • Accuracy: personal data stored and managed should be accurate and, where necessary, kept up to date
  • Storage limitation: personal data shouldn’t be kept for longer than is necessary for the purposes for which such personal data is processed
  • Confidentiality and integrity: personal data should be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures
GDPR Compliance free eBook

GDPR Cloud Security Guide: 5 Key Things to Consider when Choosing Cloud Storage for your Business

Interested in learning more about getting your cloud-based file storage & sync ready for the GDPR? This free eBook from the cloud encryption company, Tresorit, helps you explore what the General Data Protection Regulation (GDPR) is, what are its requirements for processing personal data in the cloud and what key aspects businesses should to look into when choosing cloud storage services.

In this free GDPR Compliance Guide, you'll learn:

  • What is the GDPR (General Data Protection Regulation) and how to comply with its requirements on managing personal data?
  • What are the main challenges of using cloud-based services?
  • What are the 5 key technology and legal requirements cloud storage services should meet to help you ensure GPDR compliance?
  • How do major cloud storage services Box, Dropbox, OneDrive, and Tresorit compare in terms of GDPR compliance?
Get the free GDPR eBook

Introduction: why the GDPR matters for your business

Cloud security for businesses
Webinar

5 key steps for SMBs to GDPR compliance

Learn how to locate, identify, and protect personal data in your company before the GDPR deadline. Watch now

Who is affected by the GDPR?

The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that handles personal data but also to any non-EU established organization that processes personal data of individuals who are in the EU in order to: a. Offer them goods or services, irrespective of whether a payment is required; b. Monitor their behavior within the EU. The GDPR aims to protect personal data at all stages of data processing and it identifies two different entities that both have obligations: data controllers and data processors.

What are data controllers and data processors?

A data controller is an entity that determines the purposes, conditions, and means of the processing of personal data. For example, educational and research private and public institutions, healthcare services, or any business that manages the personal data of their employees and customers. On the other hand, a data processor processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service like CRM software). It is important, that a company can act both as a controller and processor, depending on the exact type and usage of data.

When is the GDPR coming to effect?

The GDPR entered into force on 24 May 2016 and it will directly apply in all EU Member States starting on 25 May 2018. Organizations have less than a year to prepare for compliance.

What are the sanctions and liabilities if a company doesn’t comply?

Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of the global annual turnover of the controller, whichever is more significant. Moreover, both controller and processors are subject to joint liability for damages.

What is considered as personal data under the GDPR?

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (‘data subject’); such as a name, identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

What is sensitive data?

Sensitive data is a special sub-category of personal data which holds extra consideration and protection in GDPR as they may give rise to strong stigmatization or discrimination in society. Sensitive data are personal data is that reveal any racial or ethnic origin, financial status, political opinion, philosophical belief, religion, trade-union membership, sexual orientation, concerns health or sex life, genetic data, or biometric data.

Are data controllers responsible for the personal data managed by data processors?

Yes, data controllers are responsible for protecting personal data whenever they use third-party services (data processors) to manage data in the cloud, and therefore should use services that provide the highest protection. With the GDPR, all data processing must have a lawful basis, such as explicit consent from the persons (“data subject”). Data controllers must further process data with third-party processors by protecting data in a compatible way with the original legal basis and applying safeguards like encryption.

“The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data”

– GDPR Article 32. Security of Processing

Getting ready for the GDPR with end-to-end encryption

How does encryption help with protecting data and compliance?

Encryption is underlined as an example of “appropriate technical and organizational measures” and an appropriate safeguard to protect data. The GDPR states that if the controller has implemented encryption to its personal data, in case of a data breach, affected personal data are likely unintelligible to those not authorized to access it. Hence, such data breach is unlikely to result in a risk to the rights and freedoms of affected natural persons. The result is that the controller may not be required to communicate the data breach to affected data subjects, under Article 34 GDPR. All in all, encryption reduces the risks of processing data in the cloud, as it reasonably makes re-identification of leaked personal data impossible with the right measures. The stronger the encryption algorithm is, the more it may reduce the liability of data controllers.

“The GDPR makes personal data protection a top priority for any organisation. Using robust end-to-end encryption to safeguard personal data is both a responsible choice and a key step towards compliance.”

– Paolo Balboni, Ph.D., Founding Partner of ICT Legal Consulting and President of the European Privacy Association

Does the GDPR differentiate between different methods of encryption?

The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) or application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talk about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user side only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with the correct efforts is infeasible. End-to-end encryption with client-side key management represents stronger protection for the personal data.

What are the advantages of using end-to-end encrypted cloud services?

Securing the cloud
Webinar

Securing the cloud

Learn the main data protection principles and impacts of the GDPR from legal and technology experts. Register now

If a data controller uses an end-to-end encrypted service as the processor, the related personal data ‘stays within their company walls’. Therefore, end-to-end encryption has substantial advantages that help controllers better protect data, making the compliance process easier and less costly. Also, meeting these requirements, the data controller will result in compliance with Article 32 GDPR. Secondly, if a strong encryption mechanism is implemented, data breach is unlikely to result in a risk to the rights and freedoms of natural persons which in turn will exempt the data controller from notifying the data breach to the supervisory authority and communicating it to the affected data subjects under to Articles 33 and 34 GDPR. Moreover, except for the duties of assistance to the controller under Article 28 GDPR, the processor will likely fall out of the audit scope in case the controller is audited, making the compliance and audit process simpler for the controller.

  • Protect the personal data of employees, customers, partners, and users. Increase trust for your service and organization by complying with the regulation and using the strongest data protection technology recommended in the text of the law.
  • Keep your personal data within company walls. When using encryption, especially end-to-end encryption for managing data in the cloud, your organization’s personal data stays within company walls. Your encrypted cloud-based processor does not technically process personal data, they only manage the encrypted, unintelligible datasets. Even in case of a data breach, encrypted data is not in danger. This can simplify your compliance processes and save you time for working on other GDPR-related requirements. For example, if you’re audited for compliance, your encrypted cloud service might fall out of your audit’s specific scope.
  • Reduce your liability in case of a data breach. If you apply encryption, especially end-to-end encryption, you are using an appropriate safeguard highlighted by the GDPR. This can reduce your liability in the event of data exposure.
  • Save the costs of data breach notifications and potential fines. When using encryption, your organization is not obliged to notify your customers or users on data breaches.

Other measures to protect data

What is data minimization?

Personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. Data minimization means that an organization should only process the personal data that it needs to process in order to achieve its processing purposes. In practice, this requires organizations to reduce the collection of personal data to the strictly necessary and to implement permission and access control protocols and tools limiting access to information only to the people who need it within the organization.

How does pseudonymisation protect data?

Pseudonymization is a novel concept in data protection, encouraged by the GDPR. It is a technique of processing personal data in a way that it can no longer be attributed to a specific individual without the use of additional information which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. Pseudonymous data, together with other security measures such as encryption, reduces the likelihood of identifying individuals, for example in case of a data breach or leak. Pseudonymised information is still considered personal data, but the use of pseudonymisation is encouraged since it is a technique which may satisfy requirements to implement “data protection by design and by default”; and it may contribute to meeting the GDPR’s data security obligations.

Is properly end-to-end encrypted data still personal data?

Data controller’s end-to-end encrypted documents, such as a spreadsheet with employee details stored with Tresorit, may contain personal data. As the data controller has the encryption key to decrypt the files, they can re-identify the person the data belongs to. However, from the perspective of the end-to-end encrypted and in particular for data processors like Tresorit, this spreadsheet does not contain any personal data because Tresorit, as the service provider, does not have the decryption keys to the files, thus is unable to re-identify the persons. Because of this, using end-to-end encrypted service providers may contribute to the security of processing operations done by controllers, as well as to providers acting as data processors on behalf of them. For example, if the encryption algorithm is particularly strong, data controllers will likely be exempted from notifying a personal data breach to the supervisory authority and communicating it to the affected data subjects under Articles 33 and 34 GDPR.

What is the difference between encrypted data and anonymous data?

While encryption is one of the “appropriate technical and organizational measures” to protect data according to Article 32 GDPR, anonymous data is any data that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. In other words, encryption relates to the security of personal data while anonymization refers to permanent de-identification. The GDPR applies to encrypted data but, it does not apply to anonymized data.

Learn more about GDPR and cloud security