Businesses Individuals

GDPR (General Data Protection Regulation) Compliance Summary

What is the General Data Protection Regulation (GDPR)? Summary

The General Data Protection Regulation (GDPR) is a comprehensive data protection regulation that unifies data protection law across all European Union member states. It defines an extended set of rights for European Union citizens and residents regarding their personal data. Consequently, it describes strict requirements for companies and organizations on collecting, storing, processing and managing personal data. Businesses have little time and a lot of challenges to comply with the requirements, as they have to adopt their existing processes and services they use to collect and handle the personally identifiable data of their employees and customers.

“The GDPR will change not only the European data protection laws but nothing less than the world as we know it.”

– Jan Philipp Albrecht, MEP, EU rapporteur on GDPR

Summary: why the GDPR matters for your business

Who is affected by the GDPR?

The GDPR has a broad territorial scope. It applies not only to all organizations established in the EU that process personal data, but also to any non-EU established organization that process personal data of individuals who are in the EU in order to: a. offer them goods or services, irrespective of whether a payment is required; b. monitor their behavior within the EU. The GDPR’s aim is to protect personal data at all stages of data processing. The GDPR identifies two different entities that both have obligations: data controllers and data processors.

What are data controllers and data processors?

A data controller is the entity that determines the purposes, conditions and means of the processing of personal data. For example, educational and research private and public institutions, healthcare services, or any business that manages the personal data of their employees and customers. A data processor is an entity which processes personal data on behalf of the controller, such as a cloud provider (for example a Software-as-a-Service like CRM software). It is important, that a company can act both as a controller and processor, depending on the exact type and usage of data.

When is the GDPR coming to effect?

The GDPR entered into force on 24 May 2016 and it will directly apply in all EU Member States from 25 May 2018. Organizations have less than a year to prepare for compliance.

What are the sanctions and liabilities if a company doesn’t comply?

Data controllers and data processors face severe consequences if they do not comply with the European rules. Depending on the infringed provision of the GDPR, fines may amount to a maximum of EUR 20 million, or, 4% of global annual turnover of the controller, whichever is bigger. Moreover, both controller and processors are subject to joint liability for damages.

GDPR Compliance free eBook

GDPR Cloud Security Guide: 5 Key Things to Consider when Choosing Cloud Storage for your Business

Interested in learning more about getting your cloud-based file storage & sync ready for the GDPR? This free eBook from the cloud encryption company, Tresorit, helps you explore what the General Data Protection Regulation (GDPR) is, what are its requirements for processing personal data in the cloud and what key aspects businesses should to look into when choosing cloud storage services.

In this free GDPR Compliance Guide, you'll learn:

  • What is the GDPR (General Data Protection Regulation) and what are its requirements for managing personal data in the cloud?
  • What are the main challenges of using cloud-based services?
  • What are the 5 key technology and legal requirements cloud storage services should meet to help you ensure GPDR compliance?
  • How do major cloud storage services Box, Dropbox, OneDrive, and Tresorit compare in terms of GDPR compliance?
Get the free GDPR eBook

Requirements of the GDPR regarding the protection of personal data

The GDPR requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against data loss or exposure. Article 5. of the GDPR summarises the most important principles and requirements regarding the management of personal data:

  • Lawfulness, fairness and transparency: personal data should be processed lawfully, fairly and in a transparent manner
  • Limited purpose: personal data should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Data minimisation: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are collected
  • Accuracy: personal data stored and managed should be accurate and, where necessary, kept up to date
  • Storage limitation: personal data should be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • Confidentiality and integrity: personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

What is considered as personal data under the GDPR?

Cloud security for businesses
Webinar

5 key steps for SMBs to GDPR compliance

Learn how to locate, identify, and protect personal data in your company before the GDPR deadline. Watch now

What is personal data?

In the GDPR, personal data is defined as any information related to an identified or identifiable natural person. For example, if a medical dataset contains the patients’ name, hometown, and medical diagnosis, then a record (or “row”) within this dataset is personal data if the patient who this record is about can be re-identified, meaning that anybody who has access to this dataset is able to associate the record with the patient. In GDPR, personal data can be a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Organizations should take measures to minimize the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.

What is sensitive data?

Sensitive data can be defined as personal data that reveal any racial or ethnic origin, financial status, political opinion, philosophical belief, religion, trade-union membership, sexual orientation, or concerns health and sex life, genetic data, or biometric data. It is a special sub-category of personal data which enjoys extra consideration and protection in GDPR as they may give rise to strong stigmatization or discrimination in society. Many people (falsely) think that GDPR addresses only sensitive data. For GDPR, personal data is any information that is attributable to a specific individual independently of the nature of the information.

Are data controllers responsible for the personal data managed by data processors?

Yes, data controllers are responsible to protect personal data whenever they use third-party services (data processors) to manage data in the cloud, and therefore should use services that provide the highest protection. With the GDPR, all data processing must have a lawful basis, such as explicit consent from the persons (“data subject”). Data controllers must further process data with third-party processors by protecting data in a compatible way with the original legal basis and applying safeguards like encryption.

“The controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data”

– GDPR Article 32. Security of Processing

Getting ready for the GDPR with end-to-end encryption

How does encryption help with protecting data and compliance?

Encryption is underlined as an example of “appropriate technical and organisational measures” and an appropriate safeguard to protect data. The GDPR states that if the controller has implemented encryption to its personal data, in case of personal data breach, affected personal data are likely be unintelligible to any person who is not authorised to access it. Hence, such data breach is unlikely to result in a risk to the rights and freedoms of affected natural persons. The result is that the controller may not be required to communicate the data breach to affected data subjects, pursuant to Article 34 GDPR. All in all, encryption reduces the risks of processing data in the cloud, as it reasonably makes re-identification of leaked personal data impossible with reasonable measures. The more the encryption algorithm is strong, the more it may reduce the liability of data controllers.

“The GDPR makes personal data protection a top priority for any organisation. Using robust end-to-end encryption to safeguard personal data is both a responsible choice and a key step towards compliance.”

– Paolo Balboni, Ph.D., Founding Partner of ICT Legal Consulting and President of the European Privacy Association

Does the GDPR differentiate between different methods of encryption?

The GDPR refers to encryption in several provisions; however, it does not specifically indicate which algorithm (e.g., AES 256bit) and its application (e.g., at-rest, in-transit, or end-to-end). While it does not explicitly talks about encryption methods, the way encryption keys are stored is an important to decide whether re-identification of encrypted data is possible with reasonable efforts. With in-transit & at-rest encryption, the cloud provider has access to the encryption keys, while with end-to-end encryption, the keys are stored at the user only. Because of this, in case of a data breach, re-identification of end-to-end encrypted data with reasonable efforts is infeasible. This way, end-to-end encryption with client-side key management represents a stronger protection for the personal data.

What are the advantages of using end-to-end encrypted cloud services?

Securing the cloud
Webinar

Securing the cloud

Learn the main data protection principles and impacts of the GDPR from legal and technology experts. Register now

If a data controller uses an end-to-end encrypted service as processor, the related personal data ‘stays within their company walls’. Therefore, end-to-end encryption has substantial advantages that helps controllers better protect data, making compliance process easier and cost reducing. The data controller will result in compliance with Article 32 GDPR. Secondly, if a strong encryption mechanism is implemented and the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, the data controller will likely be exempted from notifying the data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR. Moreover, except the duties of assistance to the controller pursuant to Article 28 GDPR, the processor will likely fall out of the audit scope in case the controller is audited, making compliance and audit process simpler for the controller.

  • Protect the personal data of employees, customers, partners, and users. Increase trust for your service and organization by complying with the regulation and using the strongest data protection technology recommended in the text of the law.
  • Keep your personal data within company walls. When using encryption, especially end-to-end encryption for managing data in the cloud, your organization’s personal data stays within company walls. Your encrypted cloud-based processor does not technically process personal data, they only manage the encrypted, unintelligible datasets. Even in case of a data breach, encrypted data is not in danger. This can simplify your compliance processes and save you time for working on other GDPR-related requirements. For example, if you’re audited for compliance, your encrypted cloud service might fall out of your audit’s specific scope.
  • Reduce your liability in case of a data breach. If you apply encryption, especially end-to-end encryption, you are using an appropriate safeguard highlighted by the GDPR. This can reduce your liability when an event it of data exposure.
  • Save costs of data breach notifications and potentially fines. When using encryption, your organization is not obliged to notify your customers or users on data breaches.

Other measures to protect data

What is data minimization?

Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Data minimization means that an organization should only process the personal data that it needs to process in order to achieve its processing purposes. In practice, this requires organizations to reduce the collection of personal data to the strictly necessary and to implement permission and access control protocols and tools limiting access to information only to those people who need it within the organization.

How does pseudonymisation protect data?

Pseudonymization is a novel concept in data protection, encouraged by the GDPR. It is a technique of processing personal data so that it can no longer be attributed to a specific individual without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution. Pseudonymous data, together with other security measures such as encryption, reduces the likelihood of identifying individuals, for example in case of a data breach or leak. Pseudonymised information is still considered personal data, but the use of pseudonymisation is encouraged, since it is, among of, a technique which may satisfy requirements to implement “data protection by design and by default”; and it may contribute to meeting the GDPR’s data security obligations.

Is properly end-to-end encrypted data still personal data?

Data controller’s end-to-end encrypted documents, such as a spreadsheet with employee details stored with Tresorit, may contain personal data. As the data controller has the encryption key to decrypt the files, they can re-identify the person the data belongs to. However, from the perspective of the end-to-end encrypted and in particular for data processors like Tresorit, this spreadsheet does not contain any personal data because Tresorit, as service provider, does not have the decryption keys to the files, thus is unable to re-identify the persons. Because of this, using end-to-end encrypted service providers may contribute to the security of processing operation done by controllers, as well as to providers acting as data processors on behalf of them. For example, if encryption algorithm is particularly strong, data controllers will likely be exempted from notifying a personal data breach to the supervisory authority and communicating it to the affected data subjects pursuant to Articles 33 and 34 GDPR.

What is the difference between encrypted data and anonymous data?

While encryption is one of the “appropriate technical and organizational measures” to protect data according to Article 32 GDPR, anonymous data is any data that does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. In other words, encryption relates to security of personal data whilst anonymization refers to permanent de-identification. The GDPR applies to encrypted data but it does not apply to anonymized data.