The General Data Protection Regulation (GDPR) is now less than two months away from coming into force and with the deadline looming organizations are continuing to source, implement and perfect strategies to aid them in their compliance efforts.
Speaking to Infosecurity, Jon Fielding, managing director, Apricorn EMEA, explained how a focus on encryption can help companies achieve a better level of GDPR compliance.
How can encryption help companies be more GDPR-compliant?
Properly implemented encryption is critical to being able to attain, claim and then maintain compliance with GDPR. The regulations are focused on protecting the personal data of EU citizens and when that data is held in digital form, the only effective method of protecting it is to ensure it is encrypted both at rest and in transit. GDPR is deliberately non-prescriptive in terms of technologies and concentrates more on best practice guidelines throughout its 99 articles.
However, Article 32 does go a step further, requiring “the pseudonymisation and encryption of personal data.” Furthermore, Article 34 notes that in the event of a breach, if the data at risk is encrypted, the requirement to contact each affected data subject is no longer mandated, which means organizations can avoid the resulting administrative costs. Encryption is not only fundamental to attaining compliance, but it also reduces an organization’s liabilities if they are unfortunate enough to suffer a breach. The largest potential fine (€20m or 4% of the organization’s global turnover, whichever is greater) is reserved for the event of a data breach but, with the commitment that administrative levies will be applied proportionately, it would be safe to surmise that a breach of encrypted data is unlikely to attract the maximum fine.
What are the best strategies for implementing strong encryption in the enterprise?
The first step in any GDPR compliance project should be to perform a complete audit of the data collected and held in the organization, its relevance to the business, where it is stored through its lifecycle and who has access to it. Once the data journey is fully understood, all data that is not relevant to the business should be deleted. Only then can a company determine if it has explicit consent from the EU citizens to handle this data, whether it is in a position to meet the new rights that the GDPR gives to citizens (such as the right to be forgotten and the right to receive their data in a portable format) and consequently, which of the data sets require encryption. At the same time, the project should also look at the requirement and security policy for removable media. Unfortunately, lost or stolen USB devices and CDs are often in the news as the source of a breach because they were unencrypted.
To prevent data loss on mobile devices, organizations must research, select and mandate a corporate-standard, hardware-encrypted USB stick or portable hard drive. Hardware encryption generally provides better protection than software encryption as the keys are held safely in a crypto module that stops brute force attacks and unauthorized access. It also makes the devices more portable and easier to manage as there are no drivers or software to install, and typically delivers better performance since all cryptographic operations take place on the device’s dedicated hardware.
Once a device is selected, companies should enforce its use through USB port whitelisting so that they can be fully confident that anything that crosses the USB port is hardware-encrypted with all other devices blocked. Strong security policies are good, but enforcing them is better. It is also important to keep the solution simple, as employees are often unwilling to comply with complex security policies.
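The port-whitelisting enforcement described in this answer can be checked against host logs. The script below is an added illustration, not Apricorn's tooling or anything from the interview: it parses the kernel's "New USB device found" lines and flags any device whose vendor:product ID is not on the approved hardware-encrypted list. The IDs and log lines are constructed placeholders, not real product identifiers.

```python
import re

# Constructed allowlist of approved hardware-encrypted drive models, keyed by
# USB vendor:product ID. These IDs are placeholders (assumption), not real
# Apricorn identifiers; take the real ones from the vendor's documentation.
APPROVED_DEVICES = {
    "1234:0001": "Corporate-standard hardware-encrypted USB stick",
    "1234:0002": "Corporate-standard hardware-encrypted portable HDD",
}

# Matches the kernel's plug-in notice as it appears in dmesg / journal output.
USB_EVENT = re.compile(
    r"usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)


def parse_usb_event(line):
    """Return (port, 'vid:pid') for a plug-in event line, or None for any other line."""
    m = USB_EVENT.search(line)
    if not m:
        return None
    return m.group("port"), f"{m.group('vid')}:{m.group('pid')}"


def audit_usb_log(lines, approved=APPROVED_DEVICES):
    """Classify each plug-in event: allow if the model is approved, block otherwise."""
    decisions = []
    for line in lines:
        parsed = parse_usb_event(line)
        if parsed is None:
            continue  # not a device-arrival line (e.g. usb-storage chatter)
        port, ident = parsed
        if ident in approved:
            decisions.append((port, ident, "allow", approved[ident]))
        else:
            decisions.append((port, ident, "block", "not on the approved hardware-encrypted list"))
    return decisions


# Constructed sample dmesg excerpt: one approved stick, one unapproved consumer drive.
SAMPLE_LOG = [
    "[  101.2] usb 1-2: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00",
    "[  101.3] usb-storage 1-2:1.0: USB Mass Storage device detected",
    "[  250.7] usb 1-3: New USB device found, idVendor=abcd, idProduct=0099, bcdDevice= 1.00",
]

if __name__ == "__main__":
    for port, ident, verdict, reason in audit_usb_log(SAMPLE_LOG):
        print(f"port {port}: {ident} -> {verdict} ({reason})")
```

Feeding the same allowlist into the host's device-control policy (udev, Group Policy or an endpoint agent) turns this audit into the enforcement the answer calls for.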
Do you think companies are putting enough of a focus on encryption within their organizations?
IT security is often seen as a barrier and an expense that companies are reluctant to embrace. We are in uncertain economic times, which can impact budgets, and IT security spend tends to be one of the first items to fall off the list. You only need to look at the news headlines to notice this trend – the most glaring example being the recent discovery of Her Majesty the Queen’s security details on an unencrypted USB stick outside Heathrow airport. I do believe, however, that GDPR will sharpen the focus on IT security as a whole and encryption within that. It will probably take a bit of time after the regulation comes into force and maybe it will take a couple of fines to be administered, but we will likely see encryption more readily deployed in the coming months.
Should organizations therefore view GDPR as the perfect opportunity to get their encryption house in order?
I honestly believe GDPR to be a good thing. Its aim is to ensure that businesses that hold our personal and sensitive data treat it with as much care as we do. It is true that compliance will require more work for some companies compared to others that already have good data protection principles in place. That said, GDPR presents an opportunity for every organization to first get their data in order and then to ensure their plans to protect that data, most likely via encryption, are fit for purpose. The regulation calls for data protection by design and default in all systems, and this cannot be achieved unless encryption is deployed in the appropriate areas both within and outside a business’s premises.