Data encryption and data masking technologies are important tools to provide GDPR mandated data protection and data privacy. With careful key management, encryption provides a powerful tool for your arsenal of GDPR best practices. End-to-end encryption provides strong data protection for your on-premise data centers as well as for your cloud-based applications and data. Data masking is also a very important adjunct technology. Together, encryption and data masking give you the broad flexibility to meet a broad mix of GDPR data security needs in support of your European Community customers.
In December 2016, the European Community ratified the EU General Data Protection Regulation (GDPR), which goes into effect this month on May 25, 2018. The GDPR replaces the European Community’s Data Protection Directive 95/46/ec (ECDPD 95/46/ec) on that same date.
The GDPR gives EU citizens much more control over the data that regulated entities can acquire, store, and use. These regulated entities include data processors, which are responsible for processing personal data on behalf of a controller, and controllers. Controllers make decisions about the processing of data and provide specific direction data processors. Both controllers and data processors have direct compliance obligations under the GDPR. The GDPR empowers citizens by requiring that companies simply and clearly obtain explicit permission to process their personal data and that just as easily, EU citizens can withdraw their consent at any time. This data includes just about anything that can be used to identify an individual uniquely.
The GDPR regulation is broad in scale. It is applicable to any entity that offers products and services to the European Union. The GDPR also applies to any service that gathers data about the behavior, online or otherwise, of these individuals within the European Union. In terms of scope, the GDPR applies to just about any business that conducts transactions, from any place on the globe, with a user in the EU.
Compared to the EC DPD 95/46/ec, the GDPR is much tougher regarding data security. The GDPR requires that controllers and processors implement procedural and technical measures to provide necessary data protection. These technologies and procedures may be needed to successfully recover from a disaster or a breach, ensure that systems and services that process data are resilient, and help protect the integrity and confidentiality of data.
In support of stringent data security the GDPR contains considerable language that identifies encryption as a key technology to reduce data security risks. Encryption can protect data at rest (in the database), in motion (moving through the network), and in use (on the computing platform or workstation). Should encrypted data be breached or acquired by a cyberattacker, however, that would not constitute a breach under the GDPR and would not require notification of the data subjects.
Encryption is a mathematical process that converts data into unreadable text using complex mathematical calculations. In order to read the encrypted text, the user must possess a key. Without the key, the data is virtually inaccessible and not useful to any misappropriating party. This key should never be stored on the same server or physical location as the encrypted data.
Best practices for key management optionally provide that the keys can be stored locally, but on separate servers, ideally on-premise, for protecting cloud-based applications and data. There are special key management servers that provide additional protection for keys stored separately within your enterprise.
If you do not control the encryption key strictly within your enterprise, you cannot reasonably assume that any breached data has not been unencrypted. If you let your cloud provider have access to your key or, worse yet, provide their own key, then they become a “data processor” under GDPR and then must be included within your compliance audit. For all of these reasons, strict key management control is critical. In order for encryption to protect the data, it depends on the absolute security of the keys that allow the data to be decrypted.
These excerpts of the GDPR recommend encryption as an underlying technology for GDPR data protection and provide context to the use of encryption as a GDPR best practice technology set:
1. In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. 2. Those measures should ensure an appropriate level of security, including confidentiality, taking into account…
Art. 34 GDPR – Communication of a personal data breach to the data subject
…such as encryption; the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; it would involve disproportionate effort. In such a case, there shall instead be a public communication…
Art. 32 GDPR – Security of processing
…measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data…
Art. 6 GDPR – Lawfulness of processing
…whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; the possible consequences of the intended further processing for data subjects; the existence of appropriate safeguards, which may include encryption or pseudonymisation….
Pseudonymization is another data protection measure specified by the GDPR. The GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. Pseudonymization takes personally identifiable information fields within a data record and replaces them with one or more artificial identifiers or pseudonyms.
One important type of pseudonymization technology is referred to as data masking. Data masking technology obfuscates key data elements on a field by field basis and replaces them with similarly formatted, but fake, data. This enables the data processing systems to still function using the data, but does not provide unique and identifying data to any unauthorized partners, employees, or cyberattackers that gain access. More specifically, the pseudonymized data must not include enough identifiers to allow the hackers to identify the data subject. For example, if fields such as name were masked, but other fields such as zip code, gender, birth date, and race were not, then this might enable someone to uniquely identify the data subjects.
Data masking does not provide for the reversibility of the data. The conversion to a data masked format is a one-way conversion. This is in sharp contrast to encryption, where reversibility is essential and provided by using the encryption algorithm and the secret key.
Data masking is preferred when working with sets of data where the exposure of certain fields should not be allowed. This allows certain data to be used for analytical or statistical analysis while not compromising the identity of any specific individual. Many companies use customer data for research and analysis and may wish to share it with other companies.
In medical research, for example, health care data is highly protected by GDPR and other regulations on a global basis. By masking the critical fields of data, such as names, addresses, race, gender, etc., this private and sensitive information can be protected. Yet other less sensitive and non-identifying fields can be included in the data sets that allow for important statistical compilations so that trends in the use of new medical procedures, pharmaceuticals, or other data concerning the medical research can be successfully completed.
The incentive for using encryption and data masking technologies is compelling and driven by the massive compliance penalties of GDPR. If a controller or processor does not comply with data security requirements as stipulated in the GDPR, the fine can be up to 10 million EUR or 2% of the entity’s total worldwide annual turnover, whichever is higher. Further, the fines can double, going up to 20 million EUR or 4% of the entity’s total worldwide annual turnover for failure to comply with other principles of the GDPR.
Both encryption and data masking technologies are important tools to provide GDPR mandated data protection and data privacy. With careful key management, encryption provides a powerful tool for your arsenal of GDPR best practices. End-to-end encryption provides strong data protection for your on-premise data centers as well as for your cloud-based applications and data. Data masking is also a very important adjunct technology. Together, encryption and data masking give you the broad flexibility to meet a broad mix of GDPR data security needs in support of your European Community customers.