The requirements for encryption under the GDPR

It’s been just over six months since the GDPR came into force, yet some organisations are still not compliant and others still do not understand key aspects of the regulation or its relevance to their business.

There’s no denying that the new legislation is complex and that there is a lot to get to grips with, but there are some quick wins to be had. If you haven’t yet taken steps to ensure valuable data is fully protected from unauthorised access when working remotely or on the move, read on.

Data encryption and pseudonymisation are the only two technology measures specifically mentioned in the technology-agnostic regulation. Article 32 of the GDPR highlights “the pseudonymisation and encryption of personal data” as one of the “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

What does this mean, what is mandatory and what can you do?

Pseudonymisation is a data management and de-identification procedure in which the personally identifiable fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. The data can still be linked back to the person, but only by whoever holds the additional information (the key or lookup table) that the GDPR requires to be kept separately.

GDPR encourages “pseudonymisation” of personal data and it is mentioned 15 times in the regulation. The concept of personally identifying information lies at the core of the GDPR. Any “personal data”, which is defined as “information relating to an identified or identifiable natural person ‘data subject’”, falls within the scope of the Regulation.
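The following is an added example, not code from the original article or from Cardwave, showing one common way to implement the pseudonymisation described above: each direct identifier is replaced by a keyed HMAC-SHA256 pseudonym, so the same person always maps to the same pseudonym (records stay linkable for analysis) while nobody without the controller’s key can recover or brute-force the original value. The sample records, the key, the `psn_` prefix and the field list are constructed assumptions; the separately held lookup table is what allows authorised re-identification.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# Constructed sample records (fictional people).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "email": "alice@example.org", "dept": "Sales", "salary_band": "B"},
    {"name": "Bob Example", "email": "bob@example.org", "dept": "Sales", "salary_band": "C"},
    {"name": "Alice Example", "email": "alice@example.org", "dept": "Sales", "salary_band": "B"},
]

# Fields that directly identify a natural person and must be replaced.
DIRECT_IDENTIFIERS = ("name", "email")


class Pseudonymiser:
    """Keyed pseudonymisation (assumed design, not the article's).

    The key and the pseudonym->value lookup table are the 'additional
    information' that must be stored separately from the pseudonymised data.
    """

    def __init__(self, key: bytes, fields: Iterable[str] = DIRECT_IDENTIFIERS) -> None:
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._fields = tuple(fields)
        self._lookup: Dict[str, str] = {}  # pseudonym -> original value, kept apart

    def _pseudonym(self, field: str, value: str) -> str:
        # HMAC-SHA256 under the controller's secret key. Mixing in the field
        # name gives domain separation: the same string in two different
        # fields yields two unrelated pseudonyms. Without the key an attacker
        # cannot hash a list of candidate names and compare.
        msg = f"{field}\x00{value}".encode("utf-8")
        return "psn_" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def pseudonymise(self, record: Dict[str, str]) -> Dict[str, str]:
        """Return a copy of the record with direct identifiers replaced."""
        out = dict(record)
        for field in self._fields:
            if field in out and out[field]:
                p = self._pseudonym(field, out[field])
                self._lookup[p] = out[field]
                out[field] = p
        return out

    def reidentify(self, pseudonym: str) -> str:
        """Only the holder of the separately stored lookup table can go back."""
        return self._lookup[pseudonym]


def pseudonymise_all(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Pseudonymiser]:
    """Pseudonymise a batch and return the service that can re-identify it."""
    service = Pseudonymiser(key)
    return [service.pseudonymise(r) for r in records], service


if __name__ == "__main__":
    # Constructed demo key; in practice generate one with secrets.token_bytes(32)
    # and store it in a key vault, not alongside the data.
    demo_key = b"0123456789abcdef0123456789abcdef"
    rows, svc = pseudonymise_all(SAMPLE_RECORDS, demo_key)
    for row in rows:
        print(row)
    print("re-identified:", svc.reidentify(rows[0]["email"]))
```

Note that pseudonymised data is still personal data under the GDPR: the controller can re-identify it, so the key and lookup table need the same access controls as the original identifiers.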

Encryption is the process of converting information or data into a code that can only be read with the correct key, and is therefore a way of safeguarding data against unauthorised access.

There are various encryption options available for your various requirements; however, always ensure that you are using hardware encryption rather than software encryption, especially for portable devices.

A simple, yet effective way to safeguard data on the move, and be GDPR compliant, is to use a hardware encrypted USB. Cardwave offers an award-winning (Computing Security ‘New Product of the Year’ 2018), AES 256-bit XTS hardware encrypted USB3.1, named SafeToGo® Solo.

With a hardware encrypted USB drive such as SafeToGo® Solo, all the information relating to the encryption and decryption of data, along with the access control counters, is implemented in a crypto module (sealed in resin) located inside the USB itself (not in a PC).

This clever crypto module will shut down the USB and keep any data stored on the drive safe in the event of unauthorised access attempts. Unlike a software-based solution, hackers cannot run analysis utilities on the USB to locate and reset the control counters.

By shutting down the USB, a parallel attack, where the data is copied to multiple devices so that each copy can be attacked separately to increase the chances of unlocking it, is also prevented.

Although pseudonymisation and encryption can be effective methods of safeguarding your data for different reasons, these measures alone won’t fully protect your organisation. Effective and robust cyber security requires an ISMS (Information Security Management System) built on three pillars: people, processes and technology. This three-pronged approach will help your organisation defend itself from both highly organised attacks and common internal threats, such as accidental breaches and human error.
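To make the access-control counter behaviour from the previous paragraphs concrete, here is an added toy model (not Cardwave’s firmware and not code from the article) of how a retry counter held inside a crypto module is normally designed: the host only sees `unlock()` and `status()`, the counter is decremented before the PIN is verified so that interrupting the check still costs an attempt, and the key-check material is wiped once the limit is reached. The attempt limit, the PIN derivation with PBKDF2 and the method names are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed limit; a real device sets this in firmware.
ATTEMPT_LIMIT = 10


class CryptoModule:
    """Toy model of a retry counter that lives inside the crypto module.

    The host cannot read or reset _remaining; it can only present a PIN.
    """

    def __init__(self, pin: str) -> None:
        self._salt = os.urandom(16)
        # Stands in for the PIN-wrapped data key held inside the module.
        self._check: Optional[bytes] = self._derive(pin)
        self._remaining = ATTEMPT_LIMIT
        self._shut_down = False

    def _derive(self, pin: str) -> bytes:
        # Slow derivation so each guess costs real work even inside the module.
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, 50_000)

    def status(self) -> Dict[str, object]:
        """What the host is allowed to learn: shut-down flag and attempts left."""
        return {"shut_down": self._shut_down, "remaining": self._remaining}

    def unlock(self, pin: str) -> bool:
        """Present a PIN. Returns True only if the module is still live and the PIN matches."""
        if self._shut_down or self._check is None:
            return False
        # Count the attempt BEFORE verifying, so a power cut mid-check
        # cannot be used to get a free guess.
        self._remaining -= 1
        if hmac.compare_digest(self._check, self._derive(pin)):
            self._remaining = ATTEMPT_LIMIT  # good PIN resets the counter
            return True
        if self._remaining == 0:
            # Shut down: discard the check value so there is nothing left to guess against.
            self._shut_down = True
            self._check = None
        return False


if __name__ == "__main__":
    module = CryptoModule("1234")
    print("wrong PIN:", module.unlock("0000"), module.status())
    print("right PIN:", module.unlock("1234"), module.status())
```

The design choice worth noting is that the counter and the wiping logic share the same sealed boundary as the key material, which is why a software-only solution that keeps its counter in host-accessible storage cannot give the same guarantee.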


Sources: IT Governance, Wikipedia, Cardwave