The role of encryption under GDPR: adapting your security strategy

by Ivana Butorac - Data Protection Expert
| minute read

As I explained in my previous post, dealing with encrypted data inevitably puts your organisation within the scope of the EU’s General Data Protection Regulation (GDPR). But how exactly does that impact your security strategy? And how can Sopra Steria help you to deploy encryption in compliance with GDPR?

In a world where cyberattacks are on the rise, one of the key business priorities is to ensure the protection of personal data in order to build trust and confidence in the digital use of products and services. Encryption is one of many security measures that can help you achieve that goal. To be really effective, however, these measures need to be built into your systems and processes from the beginning, not tacked on later. And encryption is no exception to that rule: it, too, needs to adhere to that important principle of ‘security by design’.

Security by design

Security by design requires that data protection is integrated into every aspect of your data processing activities. It helps companies to ensure that data privacy and protection are considered at the design phase of any system, service, product, or process, as well as during its entire lifecycle.

It goes without saying that security by design is not a new concept in the data protection world. But the GDPR law has brought it into focus in its Article 25, turning it into an essential legal concept and obligation imposed on both data controllers and data processors. One example of how to achieve data protection by design is by using encryption methods.

Integrity and confidentiality

As described in its Article 5(f), the GDPR law also sets the obligation to respect the principle of ‘integrity and confidentiality’ while processing personal data. Taking into account the level of risk, all personal data must be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

It is true that the GDPR law does not refer explicitly to encryption in this particular article. However, knowing that encryption aims to ensure confidentiality as one of the CIA principles in order to prevent unlawful access to data, it is safe to assume that the deployment of encryption measures will contribute to meeting this GDPR requirement.

Secure processing of personal data

Article 32, on the other hand, explicitly recommends encryption as an appropriate measure to secure the processing of personal data. Taking a risk-based approach, both data controllers and data processors are obliged to implement appropriate technical measures to ensure the right level of security of personal data is achieved.

Although not stipulated as a mandatory measure, encryption is endorsed here as a safeguard to provide secure data processing, as it guarantees the confidentiality of information by keeping the content of the data intact and unusable to whoever is not the intended recipient of that data. Finally, it is important to stress that the level of encryption protection deployed in devices and applications must take into account real-time business needs and potential risks as well as current technological developments.

Preventing personal data breaches

The implementation of encryption measures certainly helps data controllers in dealing with data breaches - when an unlawful access to data occurs or has occurred, for instance. It is important to understand that any data processing that infringes on GDPR, including situations of unlawful access to personal information and failure to comply with the Regulation, triggers the liability of data controllers if the damage is caused to data subjects.

The implementation of strong encryption contributes to the prevention of data disclosures or unlawful access to data. It helps data controllers meet their security obligations. For example, encryption protects from surveillance and from unlawful interference of data that can lead to data leaks. It also contributes to the prevention of confidentiality breaches. All these data breaches can have a significant impact on the rights and freedoms of data subjects.

Data breaches are a big pain for businesses because their failure to comply with legal obligations can result in a heavy administrative fine. This can affect their financial stability but also their reputation. Therefore it is in every business's interest to ensure that personal data processing is protected against abuse and unlawful exploitation.

Sopra Steria: strong in security

At Sopra Steria, we foster a holistic approach to security in general and data security in particular. For the design of our security solutions and consulting services, we combine the proven technical skillset and legal expertise of a global team of 700 information security, legal, and risk management specialists.

Ensuring a security by design approach and mindset has been at the heart of every digital project we have successfully managed and completed for our clients. Our state-of-the-art services and certified experts meet the most stringent requirements to support the most sensitive public and private actors in the implementation of the GDPR law. To shape our cybersecurity solutions, we use the following approach: first, we prevent any undesired scenarios by helping you define and integrate a strong cybersecurity strategy; second, we protect your sensitive data and build trust in the digital use of your services and/or products; and third, we detect and react quickly to cyberattacks in order to maximise the cyber resilience of your overall digital environment.

Read more about Sopra Steria’s cybersecurity approach. Or contact us directly for more information.