Understanding the Role of Encryption in GDPR Compliance – tripwire.com

Encryption has been a hot topic of discussion during the implementation phase of most data privacy laws. In an age where organizations handle large volumes of data every day, protecting that sensitive data is critical. Data, which organizations treat as a business-critical asset, must be protected against malicious actors looking for opportunities to steal it. For these reasons, most data privacy regulations call on organizations to encrypt their data to help prevent cyber-attacks.

Today's article is about one such data privacy law that repeatedly mentions the adoption of encryption: the GDPR, the EU's data privacy law. Although the GDPR does not make encryption mandatory, it is widely seen as a best practice for protecting personal data. So, let us first understand what data encryption is and then look at the role of encryption in GDPR compliance.

Data encryption is the process of translating readable data (plaintext) into unreadable ciphertext that can only be decrypted back to its original form with a special key. It is one of the most effective measures an organization can adopt to strengthen its data security.

The purpose of encrypting data is to maintain the confidentiality of sensitive data. Unencrypted data, whether stored on computers and servers or transmitted over the insecure internet or insecure networks, is a frequent cause of data breaches. Storing or transmitting data without encryption jeopardizes its confidentiality and opens the door to data sprawl and hacking.

Encryption plays a crucial role in the security of data. Encryption algorithms ensure the confidentiality, privacy and integrity of the data. It also supports authentication, access controls and non-repudiation of sent data. There are more benefits to incorporating the technique of data encryption. Provided below are some reasons why data should be encrypted.
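To make the properties described above concrete, here is an added example (it is not code from the original article or from VISTA InfoSec). It uses Go's standard library to protect a constructed personal-data record with AES-256-GCM, an authenticated mode chosen for this illustration, and then checks the three things the text claims: only the right key recovers the plaintext, a different key is rejected, and any modification of the ciphertext is detected (confidentiality and integrity). The sample record, the record identifier used as associated data and the function names are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// keyLen is the key size for AES-256.
const keyLen = 32

// NewKey returns a fresh random 256-bit key. In a real deployment the key
// lives in a key-management system or HSM, never next to the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (additional authenticated data) is authenticated but not encrypted; using
// a record identifier here binds the ciphertext to the record it belongs to.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// GCM requires a nonce that is never reused under the same key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt opens a blob produced by Encrypt. It returns an error when the key
// is wrong, the aad differs, or any byte of ciphertext or tag was altered.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Demo encrypts a constructed personal-data record and reports whether each of
// the three expected properties held: round trip with the right key, rejection
// of a wrong key, and rejection of a tampered ciphertext.
func Demo() (roundTrip, wrongKeyRejected, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	// Constructed sample record; not real personal data.
	record := []byte(`{"name":"Jane Doe","email":"jane@example.com"}`)
	aad := []byte("customer-record:0001") // hypothetical record identifier

	blob, err := Encrypt(key, record, aad)
	if err != nil {
		return false, false, false, err
	}
	got, err := Decrypt(key, blob, aad)
	if err != nil {
		return false, false, false, err
	}
	roundTrip = bytes.Equal(got, record)

	otherKey, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	_, openErr := Decrypt(otherKey, blob, aad)
	wrongKeyRejected = openErr != nil // a lost medium without the key is unreadable

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, openErr = Decrypt(key, tampered, aad)
	tamperRejected = openErr != nil // integrity violation is detected

	return roundTrip, wrongKeyRejected, tamperRejected, nil
}

func main() {
	rt, wk, tp, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %v, wrong key rejected: %v, tamper rejected: %v\n", rt, wk, tp)
}
```

The point of using an authenticated mode such as GCM is that it covers both properties the text names: the ciphertext is unreadable without the key, and a single altered byte (or a ciphertext moved to a different record via the aad) is rejected on decryption rather than silently returning corrupted data.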

So, what does encryption have to do with GDPR? For a better understanding, let us take a closer look at the GDPR and its requirements.

The General Data Protection Regulation (GDPR) is a data privacy law that requires organizations to implement measures to protect the privacy, integrity and confidentiality of data. Although the regulation does not mandate or explicitly call for encryption, it requires organizations to put appropriate security measures and safeguards in place. The Regulation recognizes the risk exposure involved in processing personal data, and so Article 32(1) places the responsibility on the controller and the processor to implement appropriate technical measures to secure personal data.

While the regulation does not specify which technical and organizational measures are to be considered, it does emphasize encryption techniques. Despite not being a mandate, the GDPR repeatedly mentions encryption and pseudonymization as appropriate technical and organizational measures for data security. The regulation clearly leaves it to the controller or processor to decide where encryption should be implemented.

Encryption of personal data in general offers additional benefits for controllers and/or processors. So, in the event that encrypted data is misplaced or there is a loss of a storage medium that holds encrypted personal data, this incident might not be considered to be a data breach in terms of penalties provided the incident is reported to the data protection authorities. Again, if there is an incident, the authorities may take into consideration the use of encryption in their decision on imposing fines as per Article 83(2)(c) of the GDPR.

Encryption can be a highly effective technique for achieving GDPR compliance. Although the GDPR's encryption provisions are not mandatory, encryption is still a powerful data security technique, as it converts information into a non-readable format that only an authorized party can access and read. In this way, a GDPR data encryption strategy can be beneficial for your organization, especially when it comes to preventing data breaches.

Regardless of whether the GDPR or another regulation applies to your organization, encryption forms an integral part of any organization's data security strategy. Implementing data encryption will prevent your organization from being vulnerable to a data breach and costly fines, which may be much higher than the cost of implementing encryption.

About the Author: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the founder and director of VISTA InfoSec, a global information security consulting firm based in the United States, Singapore and India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in information risk consulting, assessment, and compliance services. VISTA InfoSec specializes in information security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS compliance & audit, PCI PIN, SOC2, PDPA and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the regulatory and information security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
