How can encryption help you?

The EU GDPR puts a strong emphasis on data protection, encouraging security ‘by design and by default’. This said, how exactly to implement security and data protection is for each organization to decide. Expectations are that companies will follow current best practices. For instance, encryption and pseudonymisation are specifically listed as good methods to ensure adequate levels of protection.

ENCRYPTION

Encryption is a common solution when it comes to data security. It protects information from unwanted access, providing a safeguard against unauthorized or unlawful processing of data. Organizations processing large amounts of personal data should consider encryption alongside other measures, both technical and organizational, taking into consideration both the benefits and the risks it can offer. There are several situations when encryption is recommended, which should be carefully analyzed by data controllers. For example, e-mails are not necessarily something that should be encrypted every time. However, if certain e-mail contain sensitive personal data, encryption is definitely recommended.

Encryption will reduce risks associated with data processing since data will not be accessible without the correct key. Furthermore, encryption will help in the case of a data breach. The GDPR states authorities should be notified of any data breach within 72 hours. The individuals affected by the data breach should also be notified, unless the data is encrypted and the organization can prove there is no way for said individuals to be identified from the stolen data.

PSEUDONYMIZATION AND TOKENIZATION

The GDPR defines pseudonyms as “processing personal data in a way that it can no longer be assigned to a specific person”.  The identifiable information should be kept separately and the organization has to make sure it cannot be identified to a natural person. What is interesting with pseudonymisation is that data is neither completely anonymous nor is it directly identifiable. The risks associated with data processing are reduced, but at the same time the utility of the data is kept. One type of pseudonymisation are hash functions, a popular tool used to map data of any size to codes of a fixed size.

Another safe approach is tokenization. In this case sensitive data is replaced with a randomly generated token before it is processed. The original data and the token maps are stored locally and controlled only by the company responsible for the data. Tokenization is at times considered more efficient than encryption as there is no mathematical relation that can make the connection back to the original data. It is considered that for files and unstructured data, encryption is preferable, while in the case of structured data within databases, tokenization is better.