It’s no secret that the proposed EU General Data Protection Regulation is technology-agnostic. It demands that companies implement proportionate, cost-effective controls to protect the personal data of EU residents, and that they enable data subjects to exercise their rights over their own personal data. The only technology areas specifically mentioned in the regulation, currently, are pseudonymisation and data encryption.
What is data encryption?
Encryption is a technique for ensuring confidentiality by encoding data so that it cannot be read by anyone who does not hold the key. Even if an information system is breached and data stolen, the data is worthless to a criminal who lacks the key to unlock the encryption, or the processing power to force the lock by trying every possible key, which for a modern cipher such as AES is not feasible. The caveat that matters in practice is that this holds only if the keys are managed separately from the data: an encrypted database whose key sits on the same compromised host, in the same configuration file, or in the same backup set offers the thief very little resistance.
I was asked during a recent GDPR webinar whether I thought that encryption was required by the EU GDPR. I work for a company that does not offer encryption products for hosts or applications (outside of VPNs) and so I don’t have much of a vested interest in the answer.
My gut instinct, and my answer on the call, was “Yes.” However, I think the question and my initial answer deserve more examination.
Encryption is a broad technical area that covers data at rest and data in motion, and it can be applied at many layers of an information system: volume (full-disk) encryption, database encryption, application-level (field) encryption, and network encryption. Some of these are not technically difficult to enable, but they carry a performance cost (so-called ‘overhead’) because encrypting and decrypting data consumes processing power and adds latency (delays). On current processors with hardware AES instructions the cipher itself is cheap; the larger costs are usually key management and the operational changes around it. Most solutions will also have a significant financial cost.
In business environments where speed of response is important, encryption may still prove hard to impose. Network encryption can be offloaded to dedicated hardware to limit its impact on normal operations. At host level, on systems without hardware acceleration, database or volume encryption can still eat into capacity. The bigger obstacle, though, is functional rather than raw speed: a field that is encrypted at the application layer can no longer be indexed, sorted, or searched for a range of values by the database, because each plaintext maps to an unpredictable ciphertext. Database look-ups during time-critical interactions with customers or other applications can therefore be completely foiled unless the design provides for them, for example with a keyed blind index for equality matches, or by relying on transparent volume or database encryption, which leaves queries untouched but protects mainly against loss of the media or backups, not against an attacker who has compromised the running system.
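The look-up problem above, together with the earlier point that encryption is only as good as the separation of the keys from the data, as an added example that is not part of the original article: a Go sketch, standard library only, of a customer table whose email column is encrypted with AES-256-GCM. Because each encryption uses a fresh random nonce, the naive query that re-encrypts the search term and compares ciphertexts finds nothing, which is the foiled look-up described above. A keyed blind index (HMAC-SHA256 under a second key) restores equality matches without exposing the plaintext, while range and prefix searches remain impossible. The table, the sample row and all names (Record, blindIndex, lookupByIndex and so on) are constructed for illustration and are not taken from any product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Record is one row of a hypothetical customer table: email held only as ciphertext plus a blind index.
type Record struct {
	ID         int
	EmailCT    []byte // nonce || ciphertext || GCM tag
	EmailIndex string // hex(HMAC-SHA256(indexKey, email))
}

// randomBytes returns n random bytes; used here for keys and nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newAEAD builds AES-256-GCM from a 32-byte key. In production the key lives in a KMS
// or HSM, not on the database host beside the data it protects (the caveat in the text).
func newAEAD(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// encrypt seals plaintext under a fresh random nonce, so the same email encrypted twice
// gives two different ciphertexts: good for confidentiality, fatal for WHERE email = ?.
func encrypt(aead cipher.AEAD, plaintext []byte) []byte {
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// decrypt reverses encrypt; the GCM tag makes a wrong key or tampering fail with an error.
func decrypt(aead cipher.AEAD, sealed []byte) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], nil)
}

// blindIndex is deterministic per value and index key; without indexKey a thief cannot recompute it.
func blindIndex(indexKey []byte, value string) string {
	mac := hmac.New(sha256.New, indexKey)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

func insertRecord(table []Record, id int, aead cipher.AEAD, indexKey []byte, email string) []Record {
	return append(table, Record{id, encrypt(aead, []byte(email)), blindIndex(indexKey, email)})
}

// lookupByCiphertext is the naive query: re-encrypt the probe and compare. Random nonces mean it never matches.
func lookupByCiphertext(table []Record, aead cipher.AEAD, email string) (int, bool) {
	probe := encrypt(aead, []byte(email))
	for _, r := range table {
		if bytes.Equal(r.EmailCT, probe) {
			return r.ID, true
		}
	}
	return 0, false
}

// lookupByIndex matches on the blind index first, then decrypts only the hit to confirm it.
func lookupByIndex(table []Record, aead cipher.AEAD, indexKey []byte, email string) (int, bool) {
	want := blindIndex(indexKey, email)
	for _, r := range table {
		if !hmac.Equal([]byte(r.EmailIndex), []byte(want)) {
			continue
		}
		if pt, err := decrypt(aead, r.EmailCT); err == nil && string(pt) == email {
			return r.ID, true
		}
	}
	return 0, false
}

func main() {
	aead, indexKey := newAEAD(randomBytes(32)), randomBytes(32)
	table := insertRecord(nil, 1, aead, indexKey, "alice@example.com") // constructed sample row
	_, naive := lookupByCiphertext(table, aead, "alice@example.com")
	id, indexed := lookupByIndex(table, aead, indexKey, "alice@example.com")
	_, err := decrypt(newAEAD(randomBytes(32)), table[0].EmailCT)
	fmt.Println("ciphertext match:", naive, "blind-index match:", indexed, "id:", id, "wrong key:", err)
}
```

Both keys are generated in memory for the demonstration, which is precisely the arrangement the caveat warns against; in a real deployment they would be fetched from a KMS or HSM so that a dump of the database host does not include them. A deterministic blind index also leaks equality (two rows with the same token share an email), which is the price of being able to search an encrypted column at all.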
Although encryption is mentioned in the EU GDPR, it is mentioned only a few times, and each time it is qualified with words such as “such as”, “may include”, and “as appropriate.” A strictly legal analysis, combined with the real-world difficulties of implementing encryption described above, would conclude that encryption is not mandatory.
Data breaches are inevitable
On the other hand, breaches of data security are inevitable. Every security professional is taught from day one that, given the complexity of modern networks, the scope of the threat landscape, and the breadth of user behaviour and understanding, no guarantee of security can be given.
Your data will be misappropriated at some point.
With this in mind, the measures that still hold after a breach, once the data is in the hands of a threat actor, are the only things standing between the attacker and harm to the data subjects. Encryption is the most common such control, although effective pseudonymisation, anonymisation and data minimisation help too. The regulation itself reflects this: where breached data has been rendered unintelligible to anyone not authorised to access it, for instance by encryption, notifying the affected data subjects may not be required.
The first question asked of a company after a breach is usually whether the data lost was encrypted.
What if you don’t implement encryption?
In a hypothetical future where your company has lost the personal data of EU data subjects, you will be expected to answer the question “Was the data encrypted?”. Initially it may be law enforcement, the press or your customers who ask, but eventually the regulator will ask as well, with a mind to pursuing regulatory action. I am anticipating that EU data subjects and, consequently, the regulators will take a dim view of companies that have not implemented encryption, and an even dimmer view of those that have not even considered using encryption (or cannot prove that they have considered it carefully).
So I am qualifying my answer somewhat. Does the EU GDPR require encryption? My answer is still yes. As a security design professional I assume that, in the general case, your network will be breached at some point, and given the relative maturity of the encryption market there is no reason why it should not be part of every modern information system.
However, that does not mean that encryption is, on its own, sufficient to meet the demands of the regulator, nor is it mandated. What is mandated is that companies examine every opportunity to implement encryption and can demonstrate that, where it has not been implemented, that is for a good reason of cost-efficiency or proportionality.
If you do not take data encryption seriously and build the evidence that you have thoroughly considered encrypting personal data, the fines and other fallout from the inevitable breach will be that much bigger.
For further guidance, please refer to the Information Commissioner’s Office (ICO) advice on encryption.