As May 25th, the effective date of the GDPR, is just around the corner, we decided to take a closer look at how encryption can be leveraged to achieve GDPR compliance.
A Few Words About GDPR
The General Data Protection Regulation (GDPR) harmonizes data protection laws in the EU that are fit for purpose in the digital age. By introducing a single law, the EU aims to bring better transparency to help support the rights of individuals and grow the digital economy. The primary objective of the GDPR is to give citizens back control of their personal data. From an economic standpoint, the GDPR aims to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations that offer goods and services to people in the EU, or that collect and analyze data tied to EU residents. Even organizations outside Europe need to be compliant, or otherwise face significant penalties that are unprecedentedly large.
The GDPR replaces the 1995 Data Protection Directive, becoming enforceable from 25 May 2018, after a two-year transition period.
Business Impacts of GDPR Compliance
Compared to its predecessor, the Data Protection Directive, the GDPR gives data protection authorities more investigative and enforcement powers and the power to levy more substantial fines, applying in all member states of the EU.
In the case of non-compliance with key provisions of the GDPR, regulators have the authority to levy a fine in an amount that is up to the greater of €20M or 4% of global annual turnover in the prior year. Examples that fall under this category are non-adherence to the core principles of processing personal data, infringement of the rights of data subjects and the transfer of personal data to third countries or international organizations that do not ensure an adequate level of data protection.
Personal Data and Why it’s Important to Protect It
GDPR defines personal data as any information relating to an identifiable natural person (data subject) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier (like an IP address or cookie), or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
All data protection laws, globally, set out to protect personal data. The GDPR is focused on protecting the human rights of the data subject, in this case their right to privacy. This means that all personal information must be securely processed and managed by the organization that obtains, processes and stores the PII (Personally Identifiable Information).
Leveraging Encryption for GDPR Compliance
Encryption vs. Pseudonymization
Encryption and pseudonymization are both considered within the GDPR as security protection measures, and successful implementations will ensure that companies can avoid heavy financial penalties in case of a data breach. Data that has been pseudonymized is not exempt from the GDPR; however, provisions are greatly relaxed for organizations using this kind of personal data. Pseudonymization can be described as a process which neither renders data anonymous nor allows identification. The following figure demonstrates how several first names would render with pseudonymization and with encryption (tokenization provides a consistent token for each unique name, while encryption with a different key yields a random-like result).
The GDPR encourages pseudonymization, but the separation of personal data from data sets is a process many corporations will find difficult to implement, as it requires a complete assessment of existing data resources and the creation of a data map. For such cases, the GDPR recommends encryption of personal data as a security measure. Data encryption converts data into another form, or code, so that only people with access to a secret cryptographic key can read it.
Control of the Encryption Keys
The security benefits offered by a data encryption solution rely on the controls placed around the secret cryptographic key. Therefore, protection of the cryptographic key is a critical aspect of encryption. To borrow a metaphor from Frank Herbert's novel Dune, “He who controls the spice, controls the universe!”: whoever owns the key owns the PII data that was encrypted with that key. The value of encryption with proper key management and protection is that even if a hacker gains access to encrypted data, it is meaningless and therefore useless to the malicious adversary. If all other defenses fail, the encrypted data itself is useless. The thief is deprived of the prize.
Achieving control of the encryption keys is extremely important, especially when the data controller and data processor are not a single entity or when some of the processing happens in a public cloud.
Encryption Keys Granularity
Until now, the common practice for safeguarding sensitive data has been to encrypt the entire data set, e.g. with database encryption. This does the job, but such a modus operandi creates the operational hassle of decrypting and re-encrypting the database quite often, decrypting the entire database just to access or change the information of a single individual. In addition, it also creates an attack vector for memory-resident malware to steal the data while it is unencrypted. A superior approach, aligned with the GDPR's intent to achieve data protection by design, is to encrypt the PII data of each individual with a separate encryption key, as depicted in the figure below. Deleting that key then gives effect to the data subject's right to be forgotten.
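The three points above, the consistent token of pseudonymization versus the randomized output of encryption (Encryption vs. Pseudonymization), keys held apart from the data they protect (Control of the Encryption Keys), and one key per data subject whose deletion makes that subject's records unrecoverable (Encryption Keys Granularity), in one added Go example. This is not code from the original article; the names Pseudonymize, Vault, Store, Load and Forget are my own, keyed HMAC-SHA256 is used as the tokenization scheme and AES-256-GCM as the encryption scheme as assumptions, and the token key and the "Alice" record are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Pseudonymize: keyed HMAC-SHA256 token. The same name always gives the same
// token (records stay linkable); without the key it cannot be reversed.
func Pseudonymize(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// newGCM builds an AES-256-GCM authenticated cipher for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal prefixes a fresh random nonce, so the same value encrypted twice
// yields two different ciphertexts (the "random-like result" in the text).
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails if the ciphertext was tampered with.
func open(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

var ErrForgotten = errors.New("subject key deleted; record is unrecoverable")

// Vault keeps one data-encryption key per data subject, held apart from the
// encrypted records (in a real deployment the key store is a separate system,
// such as an HSM or KMS under the data controller's control).
type Vault struct {
	keys    map[string][]byte // subject ID -> that subject's key
	records map[string][]byte // subject ID -> encrypted PII record
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, records: map[string][]byte{}}
}

// Store encrypts pii under the subject's own key, generating it on first use.
func (v *Vault) Store(subject string, pii []byte) error {
	key, ok := v.keys[subject]
	if !ok {
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return err
		}
		v.keys[subject] = key
	}
	ct, err := seal(key, pii)
	if err != nil {
		return err
	}
	v.records[subject] = ct
	return nil
}

// Load decrypts the subject's record; it fails once the key has been deleted.
func (v *Vault) Load(subject string) ([]byte, error) {
	ct, ok := v.records[subject]
	if !ok {
		return nil, errors.New("no record for subject")
	}
	key, ok := v.keys[subject]
	if !ok {
		return nil, ErrForgotten
	}
	return open(key, ct)
}

// Forget deletes only the subject's key (crypto-shredding): the ciphertext and
// any backups of it remain, but nobody can decrypt them any more.
func (v *Vault) Forget(subject string) { delete(v.keys, subject) }
```

Calling Store("subject-1", record) then Forget("subject-1") leaves the ciphertext in place while Load("subject-1") returns ErrForgotten; that is the operational meaning of "deleting the key manifests the right to be forgotten" without having to locate every backup. The deterministic token from Pseudonymize is what keeps a pseudonymized data set usable for analytics (equal names map to equal tokens), but for the same reason it reveals equality between records, which is why the text treats it as a relaxation rather than an exemption and why the HMAC key deserves the same protection as the encryption keys.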
The GDPR is arguably the most stringent data privacy mandate ever imposed on organizations and may well represent the future of privacy regulations across the globe. With its focus on protecting the personal data of any EU citizen, regardless of where the controller or processor does business, the impact of the GDPR reaches far beyond the EU’s boundaries. It is essential for organizations to master the benefits of encryption while creating a GDPR compliance strategy. With fines that could reach tens of millions of euros and beyond, it is incumbent upon organizations to take the regulation seriously, and utilize this tool set when addressing the GDPR regulation.