
Meet the data security obligations required by GDPR by easily enforcing encryption policies

15/03/2018
Renauld Duchesne
Account Manager, EASI

GDPR has the potential to introduce positive changes for many businesses. It is designed to increase the harmonization of national data protection laws across the EU while, at the same time, addressing new technological developments.

On the other hand, GDPR is likely to require organization-wide changes for many companies across the EU, as businesses will have to ensure that personal data are processed in compliance with the newly set requirements. It may also lead to the adoption of new organizational and technical measures such as encryption. Encryption means encoding information in a way that prevents unauthorized parties from reading it.

What is the link between GDPR and encryption?

  • GDPR requires businesses to notify the Data Protection Authority (DPA) of all data breaches without undue delay, within a maximum of 72 hours, unless the data breach is unlikely to result in a risk to individual data subjects.
  • In cases where the breach is likely to result in high risk to the individuals, GDPR requires businesses to inform data subjects “without undue delay”, unless an exception applies.
  • Data processors must notify the data controller. Based on these new rules, businesses will need to create a data breach response plan, enabling them to react promptly in the event of a data breach.

This will also require the designation of specific roles and responsibilities within the company, as well as employee training and the preparation of notification templates. Compliance with the new GDPR rules for breach reporting will entail a significant administrative burden, one which may increase costs for businesses.

So, is there a solution?

Communication of the data breach to data subjects will not be required if the controller has implemented appropriate protection measures. This applies in particular to measures that render personal data unintelligible to any person who is not authorized to access it. Encryption fulfills this goal, and it is explicitly named by the GDPR as one of the appropriate technical and organizational measures that businesses shall implement to ensure a level of security adequate to the risk.

One example, DESlock Encryption by ESET, offers more than just the basics. It offers business clients a solution that is simple to deploy, easy to use even for non-technical users, and one that allows for the remote management of keys, settings and security policy. It also allows users to safely encrypt hard drives, removable media, files and email.

Apart from all that, DESlock Encryption by ESET solves one of the biggest usability challenges: how can users share encrypted information? Common passwords are a potential security risk, and public-key encryption causes problems, mainly in larger teams with higher staff turnover. Centrally-managed, shared encryption keys avoid these hindrances and mirror a more natural way of working, resembling the use of physical keys to lock houses or cars.