Encryption has almost become a standard under the GDPR, as it is a widely known security method and its use helps organizations comply with the regulation. However, the encryption vs. tokenization dilemma remains. There are voices that say encryption is not the best solution: it does have some advantages, but it also comes at a cost. Firstly, it is not a very practical way to secure data, because once the files have been encrypted, it will be nearly impossible for employees to work with them.
Another GDPR-approved method is tokenization. The idea behind it is simply to replace any personal identifiers with random codes. The method requires a master table that maps the codes to the identifiers. With this approach, employees can work with the data more easily. It is not clear how things should be handled in case of a data breach if the organization uses tokenization to secure its data. Technically, it depends on how safe the table holding the connection between codes and raw data is. It also depends on what data is encoded. If by accident some data that can lead to the identification of an individual is left untokenized in the data file, the breach must be reported.
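The scheme described above, as an added example that is not part of the original article: an in-memory token vault in Python, plus a check for identifiers that were left untokenized by accident. The class and function names, the `tok_` prefix and the sample records are assumptions made for illustration; a real master table would live in separately protected storage.

```python
import secrets

class TokenVault:
    """Master table mapping random tokens to the identifiers they replace."""

    def __init__(self):
        self._token_to_value = {}   # the sensitive table: protect and store separately
        self._value_to_token = {}   # reuse tokens so tokenized records stay joinable

    def tokenize(self, value):
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)    # random, not derived from value
            while token in self._token_to_value:     # regenerate on an unlikely collision
                token = "tok_" + secrets.token_hex(8)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenize(self, token):
        return self._token_to_value[token]

    def known_identifiers(self):
        return list(self._value_to_token)

def tokenize_records(records, id_fields, vault):
    """Return copies of the records with the listed fields replaced by tokens."""
    return [{k: vault.tokenize(v) if k in id_fields else v for k, v in r.items()}
            for r in records]

def residual_identifiers(tokenized, vault):
    """List (row index, field, identifier) where a raw identifier survived."""
    hits = []
    for i, row in enumerate(tokenized):
        for field, value in row.items():
            for ident in vault.known_identifiers():
                if ident.lower() in str(value).lower():
                    hits.append((i, field, ident))
    return hits

# Constructed sample data: the free-text "note" field repeats an e-mail address.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "plan": "pro",
     "note": "asked to be contacted at alice@example.com"},
    {"name": "Bob Sample", "email": "bob@example.com", "plan": "free", "note": "none"},
]

if __name__ == "__main__":
    vault = TokenVault()
    out = tokenize_records(RECORDS, {"name", "email"}, vault)
    print(out)
    print(residual_identifiers(out, vault))   # flags the address left in "note"
```

The residual check only finds values the vault has already seen, so it catches an identifier repeated in an untokenized field but not one that was never tokenized anywhere.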
So, encryption vs. tokenization? Is one better than the other? The question is similar to those aiming to compare one or more security algorithms to find which one is better. While some might stand out more often, the best solution has to take the context into consideration and not just the performance of the standalone method. What data are you securing, how often will your employees need to access it in its raw form, how likely do you think a data breach is and, of course, what technical resources do you have? If we want to compare the two methods, we should say that tokenization is often considered more efficient, as there are no mathematical operations to make the connection between the tokens and the original data. However, for unstructured files, encryption will be preferable, whereas tokenization is better for structured data, such as databases.