No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Data Privacy

GDPR Data Protection Using Encryption and Pseudonymization

by Anthony James
May 24, 2018
in Data Privacy, Featured
GDPR Data Protection Using Encryption and Pseudonymization

Data encryption and data masking technologies are important tools to provide GDPR mandated data protection and data privacy. With careful key management, encryption provides a powerful tool for your arsenal of GDPR best practices. End-to-end encryption provides strong data protection for your on-premise data centers as well as for your cloud-based applications and data. Data masking is also a very important adjunct technology. Together, encryption and data masking give you the broad flexibility to meet a broad mix of GDPR data security needs in support of your European Community customers.

In December 2016, the European Community ratified the EU General Data Protection Regulation (GDPR), which goes into effect this month on May 25, 2018. The GDPR replaces the European Community’s Data Protection Directive 95/46/ec (ECDPD 95/46/ec) on that same date.

The GDPR gives EU citizens much more control over the data that regulated entities can acquire, store, and use. These regulated entities include data processors, which are responsible for processing personal data on behalf of a controller, and controllers. Controllers make decisions about the processing of data and provide specific direction data processors. Both controllers and data processors have direct compliance obligations under the GDPR. The GDPR empowers citizens by requiring that companies simply and clearly obtain explicit permission to process their personal data and that just as easily, EU citizens can withdraw their consent at any time. This data includes just about anything that can be used to identify an individual uniquely.

The GDPR regulation is broad in scale. It is applicable to any entity that offers products and services to the European Union. The GDPR also applies to any service that gathers data about the behavior, online or otherwise, of these individuals within the European Union. In terms of scope, the GDPR applies to just about any business that conducts transactions, from any place on the globe, with a user in the EU.

Compared to the EC DPD 95/46/ec, the GDPR is much tougher regarding data security. The GDPR requires that controllers and processors implement procedural and technical measures to provide necessary data protection. These technologies and procedures may be needed to successfully recover from a disaster or a breach, ensure that systems and services that process data are resilient, and help protect the integrity and confidentiality of data.

In support of stringent data security the GDPR contains considerable language that identifies encryption as a key technology to reduce data security risks. Encryption can protect data at rest (in the database), in motion (moving through the network), and in use (on the computing platform or workstation). Should encrypted data be breached or acquired by a cyberattacker, however, that would not constitute a breach under the GDPR and would not require notification of the data subjects.

Encryption is a mathematical process that converts data into unreadable text using complex mathematical calculations. In order to read the encrypted text, the user must possess a key. Without the key, the data is virtually inaccessible and not useful to any misappropriating party. This key should never be stored on the same server or physical location as the encrypted data.

Best practices for key management optionally provide that the keys can be stored locally, but on separate servers, ideally on-premise, for protecting cloud-based applications and data. There are special key management servers that provide additional protection for keys stored separately within your enterprise.

If you do not control the encryption key strictly within your enterprise, you cannot reasonably assume that any breached data has not been unencrypted. If you let your cloud provider have access to your key or, worse yet, provide their own key, then they become a “data processor” under GDPR and then must be included within your compliance audit. For all of these reasons, strict key management control is critical. In order for encryption to protect the data, it depends on the absolute security of the keys that allow the data to be decrypted.

These excerpts of the GDPR recommend encryption as an underlying technology for GDPR data protection and provide context to the use of encryption as a GDPR best practice technology set:

Recital 83

1. In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. 2. Those measures should ensure an appropriate level of security, including confidentiality, taking into account…

Art. 34 GDPR – Communication of a personal data breach to the data subject

…such as encryption; the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in paragraph 1 is no longer likely to materialise; it would involve disproportionate effort. In such a case, there shall instead be a public communication…

Art. 32 GDPR – Security of processing

…measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymisation and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data…

Art. 6 GDPR – Lawfulness of processing

…whether special categories of personal data are processed, pursuant to Article 9, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10; the possible consequences of the intended further processing for data subjects; the existence of appropriate safeguards, which may include encryption or pseudonymisation….

Pseudonymization is another data protection measure specified by the GDPR. The GDPR defines pseudonymization as the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information. Pseudonymization takes personally identifiable information fields within a data record and replaces them with one or more artificial identifiers or pseudonyms.

One important type of pseudonymization technology is referred to as data masking. Data masking technology obfuscates key data elements on a field by field basis and replaces them with similarly formatted, but fake, data. This enables the data processing systems to still function using the data, but does not provide unique and identifying data to any unauthorized partners, employees, or cyberattackers that gain access. More specifically, the pseudonymized data must not include enough identifiers to allow the hackers to identify the data subject. For example, if fields such as name were masked, but other fields such as zip code, gender, birth date, and race were not, then this might enable someone to uniquely identify the data subjects.

Data masking does not provide for the reversibility of the data. The conversion to a data masked format is a one-way conversion. This is in sharp contrast to encryption, where reversibility is essential and provided by using the encryption algorithm and the secret key.

Data masking is preferred when working with sets of data where the exposure of certain fields should not be allowed. This allows certain data to be used for analytical or statistical analysis while not compromising the identity of any specific individual. Many companies use customer data for research and analysis and may wish to share it with other companies.

In medical research, for example, health care data is highly protected by GDPR and other regulations on a global basis. By masking the critical fields of data, such as names, addresses, race, gender, etc., this private and sensitive information can be protected. Yet other less sensitive and non-identifying fields can be included in the data sets that allow for important statistical compilations so that trends in the use of new medical procedures, pharmaceuticals, or other data concerning the medical research can be successfully completed.

The incentive for using encryption and data masking technologies is compelling and driven by the massive compliance penalties of GDPR. If a controller or processor does not comply with data security requirements as stipulated in the GDPR, the fine can be up to 10 million EUR or 2% of the entity’s total worldwide annual turnover, whichever is higher. Further, the fines can double, going up to 20 million EUR or 4% of the entity’s total worldwide annual turnover for failure to comply with other principles of the GDPR.

Both encryption and data masking technologies are important tools to provide GDPR mandated data protection and data privacy. With careful key management, encryption provides a powerful tool for your arsenal of GDPR best practices. End-to-end encryption provides strong data protection for your on-premise data centers as well as for your cloud-based applications and data. Data masking is also a very important adjunct technology. Together, encryption and data masking give you the broad flexibility to meet a broad mix of GDPR data security needs in support of your European Community customers.


Previous Post

The Impact of GDPR on Channel Partners

Next Post

Contracts Are a Hidden Risk in GDPR Compliance

Anthony James

Anthony James

Anthony James has more than 20 years of experience in the network and security industry, helping build many successful companies. Prior to CipherCloud, he was an executive at TrapX Security and Cyphort, where he received consecutive coveted SC Magazine awards, including Rookie Security Company of the Year in 2015 and Enterprise Security Platform of the Year in 2016. His tenure also includes responsibility as the Executive Vice President of Products at FireEye and Vice President and General Manager for Blue Coat’s Cloud Security business unit. In addition, Anthony drove product strategy and marketing strategy at Fortinet as the Vice President of Marketing and Products, from startup to highly successful IPO, post-IPO and beyond and has been instrumental to company growth. Anthony holds a Computer Science degree from the Sydney Institute of Technology.

Related Posts

Fox_DOJ Speeches_f

Analysis of Recent DOJ Statements

by Corporate Compliance Insights
March 23, 2023

DOJ leaders provide insight into agency's plans. Analysis of Recent Statements DOJ Shaping the Future of Corporate Criminal Enforcement What’s...

Fox_2023 ECCP Update_f

2023 Evaluation of Corporate Compliance Programs

by Corporate Compliance Insights
March 23, 2023

Keeping up with 2023 changes to DOJ guidelines. Additions, Deletions & Changes From 2020 2023 Evaluation of Corporate Compliance Programs...

encompass update

Encompass Launches pKYC Maturity Model

by Corporate Compliance Insights
March 22, 2023

KYC automation platform Encompass has unveiled a new perpetual Know Your Customer (pKYC) maturity model designed to help banks improve...

consilio onna partnership

Consilio, Onna Seek to Streamline eDiscovery for Cloud Apps

by Corporate Compliance Insights
March 22, 2023

Legal technology provider Consilio has launched a new platform, Sightline Collect, powered by data management supplier Onna. The platform is...

Next Post
Contracts Are a Hidden Risk in GDPR Compliance

Contracts Are a Hidden Risk in GDPR Compliance

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT