In the recently adopted General Data Protection Regulation (GDPR), encryption is named explicitly as a means of protecting personal data. Article 32 (Security of processing), for example, states that the "controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including…the pseudonymisation and encryption of personal data."
Article 34 goes on to say that if a breached organisation "has implemented appropriate technical and organisational protection measures…such as encryption", and those measures were actually applied to the affected data so that it is unintelligible to anyone not authorised to access it, the organisation need not notify the affected data subjects of the breach, and so can avoid the associated administrative cost and reputational damage. Note the condition: the exemption presupposes that the encryption was in place on the data that leaked and that the keys themselves were not exposed. This is good news for controllers and processors that pursue an encryption strategy, but it raises the question: how can we be sure our encryption policies and procedures comply with the regulation?
As currently written, the GDPR does not go into much detail on encryption. Questions about algorithm strength and key protection methods come to mind immediately, and there are certainly others. Perhaps this is by design, as it leaves room for interpretation on the enforcer's part, but more guidance may be needed to ensure that organisations adequately protect sensitive data. After all, a mandate without specifics can be harmful in its own way: organisations may take comfort that they have "ticked the box" while unseen weaknesses (a hard-coded key, a deprecated algorithm, keys stored beside the data they protect) remain.
I attended a recent webinar hosted by the Cloud Security Alliance, where I asked the panelists whether we can expect more specifics on encryption to be forthcoming. The panelists indicated that they anticipate more detail but, in the meantime, pointed to two helpful reference documents:
- The ICO's document, Encryption, released in March, which was summarized nicely by Fredericka Argent of Covington & Burling LLP in her article, ICO Publishes New Guidance On Encryption. As Ms. Argent points out, the ICO document digs into different scenarios (e.g. data in transit, data at rest) as well as encryption techniques. The ICO document also addresses key management to an extent: "The importance of good key management should also not be underestimated. Organisations should ensure that they keep the keys secret in order for encryption to be effective."
- Privacy and Data Protection by Design, released in December 2014 by the European Union Agency for Network and Information Security (ENISA), also explores different encryption techniques and discusses key rotation as a means of strengthening security.
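Both documents make the same practical point: encryption is only as good as the handling of its keys. To make "keep the keys secret" and "rotate the keys" concrete, here is envelope encryption with versioned key-encryption keys, the pattern most HSM- and KMS-backed systems use. This is example code added for this page; it is not from the original post, Thales, the ICO or ENISA. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used as a stand-in for AES-GCM so the example runs with the Python standard library alone; the record layout, the in-memory `KeyRing` and all function names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Example code added to this page (not from the post, Thales, the ICO or ENISA).
# Each record is encrypted under its own data-encryption key (DEK); the DEK is
# stored wrapped by the current key-encryption key (KEK). Rotating the KEK only
# re-wraps the small DEKs; the bulk ciphertext is never rewritten. The cipher is
# an HMAC-SHA256 stand-in for AES-GCM so this runs offline; not production advice.

NONCE_LEN = 16
TAG_LEN = 32

def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag under a fresh random nonce."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _keystream_xor(enc_key, nonce, ciphertext)

class KeyRing:
    """Versioned KEKs (in memory here; an HSM or KMS in practice). Only the current
    version wraps new DEKs; old versions unwrap until re-wrapping is done."""

    def __init__(self):
        self.keks = {}
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int) -> None:
        if version == self.current:
            raise ValueError("cannot retire the active KEK")
        del self.keks[version]

    def wrap(self, dek: bytes) -> tuple:
        return self.current, seal(self.keks[self.current], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        if version not in self.keks:
            raise KeyError("KEK version %d has been retired" % version)
        return unseal(self.keks[version], wrapped)

def encrypt_record(ring: KeyRing, plaintext: bytes) -> dict:
    dek = secrets.token_bytes(32)  # fresh DEK per record
    version, wrapped = ring.wrap(dek)
    return {"kek_version": version, "wrapped_dek": wrapped, "ciphertext": seal(dek, plaintext)}

def decrypt_record(ring: KeyRing, record: dict) -> bytes:
    dek = ring.unwrap(record["kek_version"], record["wrapped_dek"])
    return unseal(dek, record["ciphertext"])

def rotate_kek(ring: KeyRing, records: list) -> int:
    """Mint a new KEK, re-wrap every DEK under it, then retire the old versions."""
    old_versions = set(ring.keks)
    new_version = ring.rotate()
    for record in records:
        dek = ring.unwrap(record["kek_version"], record["wrapped_dek"])
        record["kek_version"], record["wrapped_dek"] = ring.wrap(dek)
    for version in old_versions:
        ring.retire(version)
    return new_version

def demo() -> dict:
    """Run the flow on constructed sample records; return facts a test can check."""
    ring = KeyRing()
    records = [encrypt_record(ring, b"alice@example.org"), encrypt_record(ring, b"bob@example.org")]
    before = [r["ciphertext"] for r in records]
    new_version = rotate_kek(ring, records)
    return {"new_version": new_version,
            "ciphertext_unchanged": [r["ciphertext"] for r in records] == before,
            "all_on_new_version": all(r["kek_version"] == new_version for r in records),
            "retired": sorted(v for v in range(1, new_version) if v not in ring.keks),
            "plaintexts": [decrypt_record(ring, r) for r in records]}
```

The thing to notice is that `rotate_kek` rewrites only the wrapped DEKs; the stored ciphertext is untouched, which is what makes routine KEK rotation affordable at scale. Retiring the old KEK version after re-wrapping is the step that turns rotation into an actual security gain: a KEK that leaks after retirement unwraps nothing. In a real deployment the KEKs would live in an HSM or cloud KMS and never be exported to application memory.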
The information in these documents would make an excellent supplement to the GDPR, so I hope to see an addendum or some other official pronouncement that either references those materials or reproduces their encryption guidance. Data processors and controllers have much work to do between now and May 2018, when the regulation becomes enforceable, so the more unambiguous the direction they have, the easier compliance will be.
Visit www.thales-esecurity.com/gdpr to learn how our security solutions can help you build and implement a data protection strategy that meets the GDPR’s requirements.