The current cyber threat landscape makes the secure handling of personal data unavoidable, and data privacy laws such as the General Data Protection Regulation (GDPR) help enforce the essential security measures.
While GDPR does not make encryption a mandatory technical measure, it is the most practical and effective way of protecting data at rest and in transit. Checking how encryption is actually applied is part of our methodology when carrying out penetration testing for GDPR compliance; it is one of the reasons why technical risk assessments add depth to a security programme and go beyond a tick-in-the-box approach.
To be precise, data encryption lets you store information in an unreadable format that only authorised people can access, using the corresponding decryption key. Organisations that process large volumes of data are at the top of cybercriminals' priority lists, and the risks present in their processing activities make them more attractive targets. Data protection and risk mitigation are therefore essential for any organisation.
Although it may look difficult, establishing data encryption is relatively straightforward once the key decisions (algorithm, key sizes and key management) have been made. This article explains the main concepts of data encryption and its practical implementation based on industry best practice. Let's start with the basics of data encryption before moving on to the GDPR encryption requirements.
What is data encryption?
Encryption is a mathematical function that encodes data in such a way that only authorised users can access it. The process converts plaintext into ciphertext, i.e. unreadable output, using an encryption algorithm and a key. It is a technique to protect personal data against unauthorised access and, when an authenticated encryption mode is used, against undetected modification.
Encrypting data is one of the ways to demonstrate compliance with the GDPR security principle (integrity and confidentiality, Article 5(1)(f)).
Encryption protects data held on mobile and stationary devices as well as data in transit. You should have a policy in place that governs the use of encryption, with suitably trained personnel responsible for it.
Here are some of our key articles around the subject of encryption
Basics of Public Key Infrastructure
Hashing, salting and their differences
What are the types of encryption?
There are two types of encryption, distinguished by how the encryption and decryption keys are used:
1. Symmetric Encryption
Also known as secret-key encryption. The same key is used for encrypting and decrypting data, so a secure method must be used to share the key between sender and recipient: whoever holds the key can read the data.
2. Asymmetric Encryption
Also known as public-key encryption. Asymmetric encryption uses a pair of keys, a public key and a private key. Each party keeps its own private key secret and shares its public key with authorised correspondents or publishes it openly. The sender encrypts data with the recipient's public key, and only the recipient's corresponding private key can decrypt it. The two keys are mathematically linked so that data encrypted with a public key can only be decrypted with its paired private key, while the private key cannot be derived from the public key. In practice, asymmetric encryption is used to exchange or wrap a symmetric key and the bulk of the data is then encrypted symmetrically, which is how TLS works.
Our detailed article on symmetric vs asymmetric encryption is available here.
What are the applications of encryption?
Broadly, encryption is applied in two situations:
1. Encryption at rest (Data at rest encryption (DARE))
Encryption at rest means applying encryption to stored data. It protects personal data against disclosure if the storage medium, device or a copy of the database is lost, stolen or accessed without authorisation, provided the key is not stored alongside the data.
Examples are full-disk encryption built into the operating system, encrypting individual files and folders, or creating encrypted containers. Modern databases and applications following a secure SDLC can also be set up to store data in encrypted form, typically with a data key per record or table that is itself encrypted under a master key held in a key management system.
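The following Go program is an added example, not code from the original article, showing the application-level pattern just described: every record gets its own data-encryption key (DEK), the DEK is wrapped under a key-encryption key (KEK) that lives elsewhere, and both layers use AES-256-GCM so tampering is detected. The record layout, the "customer/1042" identifier, the sample row and the function names are all assumptions made for the example; in a real deployment the KEK would come from a KMS or HSM rather than being generated in-process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Stored record layout (constructed for this example):
//   wrapped DEK: nonce(12) || AES-256-GCM(KEK, DEK) || tag(16)   = 60 bytes
//   body:        nonce(12) || AES-256-GCM(DEK, plaintext) || tag(16)
// The KEK lives in a KMS/HSM, never next to the data it protects.
const (
	keyLen        = 32
	nonceLen      = 12
	tagLen        = 16
	wrappedDEKLen = nonceLen + keyLen + tagLen
)

// aeadFor builds AES-256-GCM. A wrong key length is a programming error here
// (all keys come from NewKey), so it panics rather than returning an error.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err) // the OS CSPRNG is unavailable; nothing sensible can be done
	}
	return b
}

// NewKey returns a random 256-bit key, used here for both KEKs and DEKs.
func NewKey() []byte { return randomBytes(keyLen) }

// seal encrypts under a fresh nonce and returns nonce || ciphertext || tag;
// aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	nonce := randomBytes(nonceLen)
	return aeadFor(key).Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad makes it fail.
func open(key, blob, aad []byte) ([]byte, error) {
	if len(blob) < nonceLen+tagLen {
		return nil, errors.New("ciphertext too short")
	}
	return aeadFor(key).Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

// unwrapDEK recovers the per-record key. The record ID is bound as aad, so a
// wrapped key cannot be silently copied onto a different record.
func unwrapDEK(kek []byte, recordID string, stored []byte) ([]byte, error) {
	if len(stored) < wrappedDEKLen {
		return nil, errors.New("stored record too short")
	}
	return open(kek, stored[:wrappedDEKLen], []byte("dek:"+recordID))
}

// EncryptRecord: fresh DEK per record, stored wrapped under the KEK in front of the body.
func EncryptRecord(kek []byte, recordID string, plaintext []byte) []byte {
	dek := NewKey()
	wrapped := seal(kek, dek, []byte("dek:"+recordID))
	return append(wrapped, seal(dek, plaintext, []byte("rec:"+recordID))...)
}

// DecryptRecord needs the KEK: a stolen copy of the data store alone yields nothing.
func DecryptRecord(kek []byte, recordID string, stored []byte) ([]byte, error) {
	dek, err := unwrapDEK(kek, recordID, stored)
	if err != nil {
		return nil, err
	}
	return open(dek, stored[wrappedDEKLen:], []byte("rec:"+recordID))
}

// RotateKEK re-wraps the DEK under a new KEK without re-encrypting the body,
// which is what keeps periodic key rotation cheap on large data sets.
func RotateKEK(oldKEK, newKEK []byte, recordID string, stored []byte) ([]byte, error) {
	dek, err := unwrapDEK(oldKEK, recordID, stored)
	if err != nil {
		return nil, err
	}
	return append(seal(newKEK, dek, []byte("dek:"+recordID)), stored[wrappedDEKLen:]...), nil
}

func main() {
	kek := NewKey()
	// Constructed sample: one customer row serialised as text.
	stored := EncryptRecord(kek, "customer/1042", []byte("Jane Doe,jane@example.org,1985-03-14"))
	pt, _ := DecryptRecord(kek, "customer/1042", stored)
	fmt.Printf("stored %d bytes, decrypted: %s\n", len(stored), pt)
	stored[len(stored)-1] ^= 0x01 // flip one bit of the stored ciphertext
	_, err := DecryptRecord(kek, "customer/1042", stored)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Run with `go run` to see a record encrypted, decrypted and then rejected after one bit is flipped. The design choice worth noting is the separation of keys: losing the database gives an attacker 60 bytes of wrapped key material per record and nothing else, and rotating the KEK touches only those 60 bytes.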
2. Encryption in transit
Encryption in transit means encrypting data before sending it across an untrusted channel, so that it cannot be read if intercepted. A secure channel (such as HTTPS on port 443) provides this automatically: the content cannot be decoded by anyone intercepting it, and the endpoint is authenticated, which is what defeats a man-in-the-middle. Encrypting personal data during transmission provides appropriate protection against third-party interception.
Examples are cryptographic protocols such as Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL), used when accessing websites. For email, users can encrypt files with a suitable file-encryption tool before attaching them to the message, so the content stays protected regardless of how the mail is transported.
What is GDPR encryption?
GDPR emphasises comprehensive security measures because it was written in recognition of the risks involved in processing, storing and transferring personal information.
As noted above, data encryption is not a mandated technical measure under the legislation; it is, however, one of the measures the regulation explicitly names as appropriate.
Rather than a fixed catalogue of controls, the regulation sets out the controller's obligations and the outcomes that must be achieved: it is the organisation's responsibility to establish appropriate data protection measures. Whatever the situation, organisations must protect the confidentiality, integrity and availability of personal data (the core principles of information security). Strong encryption is the most practical way of meeting the confidentiality requirement and, with authenticated encryption and digital signatures, much of the integrity requirement as well.
GDPR Encryption Requirements
Article 32(1) holds both the controller and the processor accountable for implementing appropriate technical and organisational measures, and names the pseudonymisation and encryption of personal data as possible measures in Article 32(1)(a). Likewise, the European Data Protection Board (EDPB), the body that guides the consistent application of the GDPR across the EU, emphasises encryption and pseudonymisation as appropriate technical and organisational measures.
In summary, GDPR compliance requires organisations to assess the risks to each set of personal data and to implement measures appropriate to those risks, taking into account the state of the art and the cost of implementation.
Organisations must assess which data needs to be encrypted. Blindly applying encryption to every data asset is not an optimal solution: before adopting it, identify the personal data identifiers held, assess their risks and then decide whether encryption is the feasible control for each of them.
What data must be encrypted?
If an organisation processes personal data in the following categories, it should employ encryption to reduce its exposure to risk:
- Personally identifiable information (PII), i.e. any data that identifies a natural person
- Special categories of personal data (Article 9), such as health, biometric, racial or ethnic origin, religious belief or political opinion data
- Protected health information (see also healthcare cybersecurity compliance)
- Payment card information, which PCI DSS also requires to be rendered unreadable wherever it is stored
- Confidential business information and intellectual property
Does GDPR require end-to-end encryption?
GDPR does not mandate encryption, but in practice encrypting personal data is the measure that most clearly satisfies the security requirement. A further benefit concerns breach notification: under Article 34(3)(a), communication to the affected individuals is not required where the breached data had been rendered unintelligible to unauthorised persons, for example by encryption, and end-to-end encryption is the strongest way of achieving that.
Article 34(1) requires the controller to communicate a personal data breach to the data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms. Such communications can have serious implications for a company's public image and operations. Note that the separate duty to notify the supervisory authority under Article 33 still applies.
End-to-end encryption can eliminate the need to notify impacted data subjects because, with the key out of the attacker's reach, there is no impact on their rights when only encrypted data is involved. This holds only if the keys were not compromised as well, which is why keeping the encryption keys secure is the most important part of the practice.
Does GDPR impose fines on unencrypted data?
Data encryption is not a mandatory method for achieving data security under the GDPR, so not using it is not in itself a violation. Failing to apply it where the risk assessment clearly called for it can, however, be treated as a failure to implement appropriate measures under Article 32.
Today, a data breach is one of the most serious privacy concerns. As an industry best practice, an organisation that suffers a data breach may well be able to avoid or reduce GDPR fines if the affected data was encrypted.
Let's take a well-known data breach as an example. British Airways was fined £20 million (about $27.8 million) by the ICO for a breach of personal information in violation of the GDPR. According to the ICO investigation, a variety of personal data identifiers were compromised, including login credentials, payment card details, travel booking details, and individuals' names and addresses.
Had the compromised data been unintelligible to the attacker, the harm to the individuals concerned, and therefore the basis for the penalty, would have been very different; the adequacy of the security measures in place is exactly what the ICO examines when setting a fine.
What are the GDPR compliant encryption algorithms?
The ICO suggests following recognised standards such as FIPS 140-2 and FIPS 197. Note that the approved list covers more than encryption: it also includes hash functions and signature algorithms, which provide integrity and authenticity rather than confidentiality. The approved algorithms include:
- Advanced Encryption Standard (AES), the recommended choice for new systems, preferably in an authenticated mode such as GCM,
- Triple-DES Encryption Algorithm (TDEA), a legacy algorithm that NIST has deprecated and that should not be used for new systems,
- Secure Hash Standard (SHS), which includes the SHA-2 family of Secure Hash Algorithms,
- SHA-3 Standard, which includes the SHA-3 hash algorithms, SHA-3 extendable output functions (XOF) and SHA-3 derived functions,
- Hash-Based Message Authentication Code (HMAC),
- Digital Signature Standard (DSS), which includes the Digital Signature Algorithm (DSA), Rivest-Shamir-Adleman (RSA) and the Elliptic Curve Digital Signature Algorithm (ECDSA).
How to implement encryption for GDPR compliance?
When implementing encryption, the following factors must be considered:
- Encryption algorithm selection, using an authenticated mode such as AES-GCM where integrity also matters,
- Key size selection: the key must be sufficiently large, e.g. AES-128 or AES-256, RSA of at least 2048 bits, or a 256-bit elliptic curve,
- The encryption software that performs encryption and decryption of data at rest or in transit, and
- Key security: generation, storage, rotation and revocation of keys, kept separate from the data they protect.
There are a number of data processing scenarios in which encryption should be considered. To decide how to use encryption and to cater for the residual risks, consider the following scenarios in which personal data is processed.
Encryption scenarios for personal data protection – GDPR Encryption Examples
1. Encrypted email (GDPR Email encryption)
A common form of personal data leak is an email accidentally sent to the wrong recipient. Email can also be read in transit by an attacker in a man-in-the-middle position, for instance where opportunistic TLS between mail servers is absent or downgraded, so sending sensitive data in plain text carries a high risk of disclosure.
Encrypted email lets you encrypt both the body and the attachments of a message. The OpenPGP and S/MIME standards are widely implemented in free and commercial software, and modern products such as Office 365 offer built-in message encryption that makes this easy to use.
Sending and receiving encrypted email requires suitable client software, which must be configured in advance by exchanging keys or certificates. A wide choice of free and proprietary software is available for desktop, laptop and mobile operating systems; Outlook and Gmail also support S/MIME, which can be configured manually.
2. Encrypted attachments
Configuring encrypted email in an organisational setting may interfere with server-side malware scanning, because the content and attachments are encrypted and the anti-virus gateway cannot inspect them and may even reject them. Compatibility problems with automated email processing systems, or the management of several private keys across multiple employees (e.g. a shared departmental mailbox), are further practical risks.
Encrypted attachments are an alternative: only the files are encrypted on the sender's device before being attached to a regular email message. The recipient needs suitable software (in some cases the same cryptographic tool) and access to the key to decrypt the attachments. The key is usually derived from a shorter, easier-to-remember password that is passed to the recipient over a separate channel, never in the same email. The password must be long and complex enough that it cannot be guessed, because the key derivation only slows an attacker down; it does not turn a weak password into a strong key.
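As an added example, not code from the original article, the Go program below implements the password-based attachment encryption described above: the key is derived from the password with PBKDF2-HMAC-SHA256 and a random salt, the file body is encrypted with AES-256-GCM under a random nonce, and the whole header is authenticated so that a wrong password, a truncated file and a tampered file are all rejected. The file layout, the "ENCATT01" magic, the work factor, the sample spreadsheet and the function names are assumptions made for this example and not an interoperable format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Attachment layout (constructed for this example, not a standard format):
//   magic(8) || salt(16) || nonce(12) || AES-256-GCM ciphertext || tag(16)
// The whole header is authenticated, so a swapped salt or nonce is detected.
var magic = []byte("ENCATT01")

const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32
	iterations = 600000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
	headerLen  = 8 + saltLen + nonceLen
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so the
// example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)              // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T_i = U1 xor U2 xor ... xor Uc
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// aeadFor derives the key from password and salt and builds AES-256-GCM.
func aeadFor(password string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(password), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAttachment encrypts a file body under a password-derived key with a
// fresh random salt and nonce, so the same file encrypted twice never repeats.
func EncryptAttachment(password string, plaintext []byte) ([]byte, error) {
	header := make([]byte, headerLen)
	copy(header, magic)
	if _, err := io.ReadFull(rand.Reader, header[len(magic):]); err != nil {
		return nil, err
	}
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	aead, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte(nil), header...), nonce, plaintext, header), nil
}

// DecryptAttachment returns one generic error for a wrong password, truncation
// and tampering: the GCM tag check cannot, and should not, tell them apart.
func DecryptAttachment(password string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen+16 || !bytes.HasPrefix(blob, magic) {
		return nil, errors.New("not an encrypted attachment")
	}
	header := blob[:headerLen]
	salt, nonce := header[len(magic):len(magic)+saltLen], header[len(magic)+saltLen:]
	aead, err := aeadFor(password, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, blob[headerLen:], header)
	if err != nil {
		return nil, errors.New("wrong password or corrupted attachment")
	}
	return pt, nil
}

func main() {
	// Constructed sample; the password goes to the recipient by phone, never in the same email.
	doc := []byte("Employee,Salary\nJ. Doe,52000\nA. Smith,61000\n")
	blob, _ := EncryptAttachment("correct horse battery staple", doc)
	fmt.Printf("%d plaintext bytes -> %d encrypted bytes\n", len(doc), len(blob))
	_, err := DecryptAttachment("password123", blob)
	fmt.Println("wrong password:", err)
	pt, _ := DecryptAttachment("correct horse battery staple", blob)
	fmt.Print(string(pt))
}
```

Each password guess costs the attacker 600,000 HMAC computations, which is what makes the work factor matter, but a four-digit PIN still has only 10,000 candidates and falls in minutes regardless. The password quality requirement in the text is therefore not optional.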
3. Digital Signature
A digital signature is based on public-key cryptography. It provides assurance that an email was not forged or altered in transit and that the contents are identical to what the sender signed.
A digital signature does not encrypt the communication by itself. It consists of a message digest signed with the sender's private key (with RSA this is often described as encrypting the digest). The digest is produced by hashing, which yields a fixed-length value substantially shorter than the message, and the original message cannot be reconstructed from it. The sender's public key is distributed in a digital certificate, which binds that key to the sender's identity and is itself signed by a certificate authority; the signed message and the certificate are two different things.
The recipient of a signed message verifies the signature with the sender's public key, which checks it against the message digest. Since only the sender holds the private key, success implies that the message was signed by the sender. The recipient then hashes the received message and compares the result with the digest covered by the signature; any difference means the message was modified after signing.
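The sign-then-verify flow just described, as an added Go example that is not part of the original article: the sender hashes the message with SHA-256 and signs the digest with an ECDSA P-256 private key; the recipient recomputes the digest and checks the signature with the public key. The sample message, the key pair generated on the fly and the function names are assumptions made for the example; in real email the public key would arrive in the sender's S/MIME certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSigner generates a P-256 key pair. The private half stays with the sender;
// the public half is what a certificate would carry to the recipient.
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign hashes the message with SHA-256 and signs the digest with the sender's
// private key. The message itself travels in clear; only the digest is signed.
func Sign(priv *ecdsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify recomputes the digest from the received message and checks it against
// the signature with the sender's public key. Any change to the message, or a
// signature made with a different key, makes this return false.
func Verify(pub *ecdsa.PublicKey, message, sig []byte) bool {
	digest := sha256.Sum256(message)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	sender, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; for email this would be the canonicalised body.
	msg := []byte("Invoice 2041 is approved for payment to account GB00 DEMO 0000 0000 00.")
	sig, err := Sign(sender, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", Verify(&sender.PublicKey, msg, sig))

	tampered := append([]byte(nil), msg...)
	tampered[len(tampered)-2] = '9' // change one digit of the account number
	fmt.Println("tampered message verifies:", Verify(&sender.PublicKey, tampered, sig))

	impostor, _ := NewSigner()
	fmt.Println("checked against another key:", Verify(&impostor.PublicKey, msg, sig))
}
```

The last check is the one a certificate solves: the signature proves that whoever holds the matching private key signed the message, and the certificate is what tells the recipient which person that key belongs to.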
4. Data backups
Data backups are vital in a disaster recovery strategy. It is also crucial to store a backup at a different location, i.e. not in the same physical location as the live copy.
An organisation's backups are often written to tape, disk or other physical media and then moved to a secure location. If the backups are kept encrypted, the data is safeguarded against unauthorised access should the media be lost or stolen. Encryption key management is then necessary to ensure that the data can still be accessed when needed, possibly years later: a backup whose key has been lost is as good as destroyed.
Another option for offsite backup or storage is a cloud-based service. The data would normally be sent over the internet and stored on a third-party cloud provider's remote servers. A secure transfer protocol (e.g. TLS) protects the data in transit, but it is crucial to realise that without supplementary encryption the data is only encrypted while in transit and is stored on the provider's system in the same format as on yours.
The risk can be reduced by encrypting the data before sending it and keeping the key under your own control, so that neither the cloud provider nor any other third party can read it.
5. Online data sharing
A variety of applications support online file sharing, such as online word-processing software where documents are shared with several users to facilitate collaboration.
With these applications you usually send data to be stored on a server and accessed from remote locations over the internet, either by hosting your own system or by using a third-party cloud provider.
A secure transfer protocol (such as TLS) prevents data from being compromised in transit. It is vital to understand, however, that the data is then only encrypted in transit, not at rest on the server or the client.
If the online service's entire purpose is to provide a storage place from which the recipient collects the data, you can encrypt the personal information before uploading it. This ensures that nobody else, including the provider, can read it, and the privacy risk is minimal.
Encryption at rest is a harder requirement if the online service performs any processing on the personal data. It then either means the service provider applies its own encryption (for which it will most likely hold the key) or it requires a customer-managed key scheme, which not every cloud file-sharing service supports.
To address the limitations of encryption at rest in cloud services, online data sharing applications increasingly offer to "share a secret URL" or to grant specific users access to individual files or folders. This can provide a secure and auditable way to share information, but a secret URL is a bearer credential: anyone who obtains the link, from a forwarded email, a browser history or a proxy log, gets the same access. Such links should therefore be time-limited and, where possible, combined with user authentication.
Five data encryption best practices under GDPR
Observe these five data encryption best practices to limit the risk of a data breach.
- Encrypt personal and sensitive data.
- Keep the encryption and decryption keys secure, and separate from the data they protect.
- Ensure the privacy and security of data both at rest and in transit.
- Ensure that files, or the keys used to encrypt them, can be recovered in the event of a security incident or key loss.
- Ensure that encryption does not impair business functionality, accessibility or performance.
Is encrypted data still personal data in GDPR?
The GDPR does not answer this question in a single sentence, so let's approach it through its definitions. First, personal data under the GDPR is any data relating to an identified or identifiable natural person. Encryption protects privacy by turning that data into an unreadable form from which nobody can identify a person without the key. The role of the encryption key is therefore decisive: if the key is compromised, the encrypted data can be decrypted and the person becomes identifiable again.
We must therefore conclude, in line with Recital 26, that personal data which has been de-identified, encrypted or pseudonymised but can still be used to re-identify a person remains personal data and falls within the scope of the GDPR. Only data that is truly anonymised, so that the individual is no longer identifiable by any means reasonably likely to be used, falls outside it.
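The re-identification point above is easy to get wrong in practice, so here is an added Go example (not from the original article) contrasting two ways of pseudonymising an email address. A plain SHA-256 hash looks opaque but is reversed by anyone with a list of candidate addresses, because they can recompute the same hash; an HMAC with a secret key held apart from the data cannot be reversed by guessing, while the controller that holds the key can still re-identify the person, which is exactly why the result is still personal data. The candidate list, the demo key and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PlainHashPseudonym is the weak approach: SHA-256 of the identifier. Anyone can
// recompute it over a list of guesses, so it is not really pseudonymisation.
func PlainHashPseudonym(email string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(sum[:])
}

// KeyedPseudonym uses HMAC-SHA256 with a secret key held apart from the data
// (e.g. in an HSM). Without the key, guessing identifiers gets an attacker nowhere.
func KeyedPseudonym(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Reidentify is the linkage attack and, for the controller, the legitimate
// re-identification: recompute the pseudonym of every candidate identifier and
// look for a match. pseudonymise is whatever function the caller is able to run.
func Reidentify(target string, candidates []string, pseudonymise func(string) string) (string, bool) {
	for _, c := range candidates {
		if hmac.Equal([]byte(pseudonymise(c)), []byte(target)) {
			return c, true
		}
	}
	return "", false
}

func main() {
	// Constructed sample data: a leaked pseudonymised value and an attacker's guess list.
	guesses := []string{"alice@example.org", "bob@example.org", "carol@example.org"}
	key := []byte("demo key; in real life 32 random bytes from a KMS") // constructed

	leaked := PlainHashPseudonym("bob@example.org")
	who, ok := Reidentify(leaked, guesses, PlainHashPseudonym)
	fmt.Println("plain hash re-identified:", ok, who)

	leaked = KeyedPseudonym(key, "bob@example.org")
	_, ok = Reidentify(leaked, guesses, PlainHashPseudonym)
	fmt.Println("HMAC, attacker without key:", ok)
	_, ok = Reidentify(leaked, guesses, func(s string) string { return KeyedPseudonym([]byte("guessed key"), s) })
	fmt.Println("HMAC, attacker with wrong key:", ok)
	who, ok = Reidentify(leaked, guesses, func(s string) string { return KeyedPseudonym(key, s) })
	fmt.Println("HMAC, controller holding the key:", ok, who)
}
```

The last line of output is the legal point in code: the controller can still link the pseudonym back to Bob, so the pseudonymised record is personal data and the key is the asset whose protection decides whether a leak of that record is a reportable breach.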
Encryption is considered an appropriate security measure for the privacy by design and by default concept under the GDPR. Even though encryption is not mandatory, it is an effective data protection control, since it turns information into a non-readable format that only an authorised party can access and read. In this sense, GDPR data encryption can benefit your business, particularly when it comes to limiting the impact of data breaches.
Whether or not data privacy regulations like GDPR apply to your company, encryption is an essential component of any data security strategy. Implementing data encryption protects your company from data breaches and from fines that could far exceed the cost of implementation.
Get in touch to have a free discussion around the subject, to discuss your security concerns or scheduling an assessment.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.