There are lots of reasons to use encryption and other cryptographic techniques when it comes to mitigating the risks associated with protecting the rights and freedoms of Data Subjects under GDPR. There are however a lot of things that encryption won’t solve too. In this brief article, we will look at 7 of those things encryption is just never going to solve.
0 – Encryption won’t make GDPR go away:
There seems to be a feeling, certainly amongst Processors, that if Personal Data is encrypted and the Processor doesn’t have access (or better still they don’t know what is contained within the encrypted data at all) that the GDPR compliance issue goes away – it doesn’t. Controllers are required to only choose Processors who provide “sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” not only this but the Controller and Processor must engage in a contract whereby the Processor must make “available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article [28] and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.” Given a Controller can’t use a Processor without the above measures in place, encryption as a means of absolving oneself of responsibility is not really an option.
GDPR Reason Number 1 – Accountability & Transparency:
Controllers and Processors alike must be able to demonstrate accountability and transparency. This will require accurate record-keeping; including minutes of meetings at the senior level demonstrating how the Board are ensuring their business is complying with the Regulation. Clearly, encryption is not going to support any of the above activities.
Reason Number 2 – Employee Awareness:
Employees need to be made aware of how GDPR affects their business activities. Not only basic ‘This is what GDPR is’-type training but specific training tailored to employees’ specific roles. A Process Owner, for example, needs to know their roles and responsibilities, as do the Board Members. Members of support functions (e.g. Technology Departments) also need to know how to support the business in delivering compliant applications and infrastructure to support Processing activities. To flip the encryption issue on its head, people need to be educated as to how and when to use encryption effectively!
GDPR Reason Number 3 – Third Party Contracts:
as mentioned above, Controllers must have a contract (or other legal act under Union or Member State law). This contract stipulates how the Processor can process the Personal Data provided by the Controller and, lists other key items which govern the Controller-Processor relationship. Encryption does not replace a Processor contract and given the enforcement powers now available (which yes do include significant financial penalties) it will be even more important to establish who is on the hook for what!
Reason Number 4 – Data Protection Policy & Data Protection Notices:
Encryption won’t help an organisation write a data protection policy. Policies set the expectations for employees as to the rules which dictate how personal data must be handled within the Controller or Processor environments. Encryption also doesn’t help write a Data Protection Notice on your public-facing websites either.
GDPR Reason Number 5 – Data Subject Access Requests (DSAR):
This is a Right where poorly implemented encryption could actually work against an organisation. Data Subjects have a right to access their information and if encryption is compromised or encryption keys are lost, an organisation may find they are not able to uphold this Right.
Reason Number 6 – Data Protection Impact Assessments (DPIA):
Encryption won’t help you write a Data Protection Impact Assessment to determine whether a particular processing activity is lawful, proportionate or controlled in a manner which upholds the rights and freedoms of data subjects.
GDPR Reason Number 7 – Data Protection by Design and Default:
OK this is one where encryption will help solve the challenges associated with designing systems with data protection controls baked in but simply implementing encryption-at-rest (i.e. whole disk encryption on laptops) won’t cut it. DP by Design & Default is not only putting in place security requirements but covering all the principles and rights of GDPR as appropriate – think retention controls, how subject access will be supported, how the restriction of processing will be implemented…and so on…
So whilst encryption is a vital tool in the armoury of any organisation, its use will only support a subset of an organisation’s GDPR compliance programme.
About the Author:
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso