GDPR – 7 Things encryption won’t solve
There are lots of reasons to use encryption and other cryptographic techniques when it comes to mitigating the risks associated with protecting the rights and freedoms of Data Subjects under GDPR. There are however a lot of things that encryption won’t solve too. In this brief article, we will look at 7 of those things encryption is just never going to solve.
0 – Encryption won’t make GDPR go away:
There seems to be a feeling, certainly amongst Processors, that if Personal Data is encrypted and the Processor doesn’t have access (or better still they don’t know what is contained within the encrypted data at all) that the GDPR compliance issue goes away – it doesn’t. Controllers are required to only choose Processors who provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” not only this but the Controller and Processor must engage in a contract whereby the Processor must make “available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article  and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.” Given a Controller can’t use a Processor without the above measures in place, encryption as a means of absolving oneself of responsibility is not really an option.
GDPR Reason Number 1 – Accountability & Transparency:
Controllers and Processors alike must be able to demonstrate accountability and transparency. This will require accurate record-keeping; including minutes of meetings at the senior level demonstrating how the Board are ensuring their business is complying with the Regulation. Clearly, encryption is not going to support any of the above activities.
Reason Number 2 – Employee Awareness:
Employees need to be made aware of how GDPR affects their business activities. Not only basic ‘This is what GDPR is’-type training but specific training tailored to employees’ specific roles. A Process Owner, for example, needs to know their roles and responsibilities, as do the Board Members. Members of support functions (e.g. Technology Departments) also need to know how to support the business in delivering compliant applications and infrastructure to support Processing activities. To flip the encryption issue on its head, people need to be educated as to how and when to use encryption effectively!
GDPR Reason Number 3 – Third Party Contracts:
as mentioned above, Controllers must have a contract (or other legal act under Union or Member State law). This contract stipulates how the Processor can process the Personal Data provided by the Controller and, lists other key items which govern the Controller-Processor relationship. Encryption does not replace a Processor contract and given the enforcement powers now available (which yes do include significant financial penalties) it will be even more important to establish who is on the hook for what!
Reason Number 4 – Data Protection Policy & Data Protection Notices:
Encryption won’t help an organisation write a data protection policy. Policies set the expectations for employees as to the rules which dictate how personal data must be handled within the Controller or Processor environments. Encryption also doesn’t help write a Data Protection Notice on your public-facing websites either.
GDPR Reason Number 5 – Data Subject Access Requests (DSAR):
This is a Right where poorly implemented encryption could actually work against an organisation. Data Subjects have a right to access their information and if encryption is compromised or encryption keys are lost, an organisation may find they are not able to uphold this Right.
Reason Number 6 – Data Protection Impact Assessments (DPIA):
Encryption won’t help you write a Data Protection Impact Assessment to determine whether a particular processing activity is lawful, proportionate or controlled in a manner which upholds the rights and freedoms of data subjects.
GDPR Reason Number 7 – Data Protection by Design and Default:
OK this is one where encryption will help solve the challenges associated with designing systems with data protection controls baked in but simply implementing encryption-at-rest (i.e. whole disk encryption on laptops) won’t cut it. DP by Design & Default is not only putting in place security requirements but covering all the principles and rights of GDPR as appropriate – think retention controls, how subject access will be supported, how the restriction of processing will be implemented…and so on…
So whilst encryption is a vital tool in the armoury of any organisation, its use will only support a subset of an organisation’s GDPR compliance programme.
About the Author:
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
accountability article 25 article 28 article 35 awareness bcms BeCyberSafe breach british airways ciso contracts controller cybersecurity data breach data privacy Data Protection dataprotection data protection officer data protection service DPIA DPO encryption GDPR iag informationsecurity information security leadership management penetration testing Pentest Privacy processor resilience risk risk appetite risk management riskmanagement security security as a service small business strategic transparency vciso virtual ciso vulnerability scanning