Encryption, helping address GDPR compliance
As of May 25, 2018, every organization handling the personal data of people in the European Union (EU) must employ an appropriate level of security to safeguard that information. Under the General Data Protection Regulation (GDPR), companies that fail to take adequate measures to protect the data of those residing in the 28 EU member states (prior to Brexit) face fines of up to 20 million euros ($21.9 million) or 4 percent of global annual turnover, whichever is higher. Regulatory authorities also have greater powers to act against businesses that do not comply.
GDPR sets the baseline
David Broad, Information Security and Audit Lead for Echoworx, says the GDPR sets the baseline for how companies must protect their own information and that of their clients. Those baseline security practices must also be met by any third-party service the company uses (such as Amazon), even if the company is based outside the EU. Regulations across the EU “used to be a fairly wide patchwork,” says Broad, and the GDPR harmonizes those rules. The EU has always had stringent regulations, but a company doing business in multiple member states faced significant problems because the rules could differ in each.
“It was seen by many as a disadvantage, and an impediment to business,” says Broad. “Now, there will be one standard everyone understands and knows.”
A logical solution
Encryption is a logical solution for these companies. It is not mandatory, nor the only option, but the GDPR names it explicitly as an example of an appropriate technical measure (Article 32) and treats data that was encrypted as a mitigating factor when a breach occurs (Article 34). Increasingly, encryption is viewed as the go-to method for protecting communications in transit and safeguarding stored information, according to Jacob Ginsberg, Senior Director with Echoworx.
Ginsberg says companies recognize the importance of encryption and security in thwarting cyberattacks and data breaches, and are putting it to use. The GDPR promotes security and privacy by design from the earliest stages of development, he says. Those two aspects – privacy and security – have not always worked in conjunction with each other, and the GDPR will help align them; encryption can play a role in that alignment.
The importance of encryption
Protecting information in transit – whether by email or large-file exchange – can be a challenge for some organizations, because they may not control the network or the mail server, and the server may not even be located in the EU, says Broad.
“You can’t just send customer data over a network you don’t have control of,” he says. An organization may encrypt the data itself before it leaves its control, or opt not to send sensitive data by email at all. Instead, it could send a benign notification containing no personal data, telling the client to log in to the company portal to retrieve the pertinent information.
Not every company wants to build a portal, because of the investment in technology it requires or because they may not need one all the time. Some companies, for example, may only need a portal for a short period each year, such as to receive annual tax documents.
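As an added illustration of the first option Broad describes above (encrypting the record itself so that a mail relay or file-transfer host you do not control sees nothing usable), here is a Go example. It is not Echoworx code and is not from the original article. It assumes a 256-bit key has already been shared with the client out of band (key exchange is out of scope here); the Seal/Open helpers, the Envelope type and the sample customer record are hypothetical and constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only thing that crosses the untrusted network: a fresh
// random nonce and the AES-GCM ciphertext, which already carries the
// 16-byte authentication tag. Nothing in it is readable without the key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds an AES-GCM instance; key must be 16, 24 or 32 bytes.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts record under key and binds the result to recipient via the
// associated data, so an envelope captured in transit cannot be altered or
// re-addressed to another client without Open rejecting it.
// (Hypothetical helper written for this article, not Echoworx code.)
func Seal(key []byte, recipient string, record []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	// A nonce must never repeat under the same key; 96 random bits per
	// message is adequate for moderate message counts per key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	ct := aead.Seal(nil, nonce, record, []byte(recipient))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open verifies the tag (covering ciphertext and recipient) and decrypts.
// Any single flipped bit, or a different recipient string, fails closed.
func Open(key []byte, recipient string, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// GCM panics on a wrong-length nonce, so reject it explicitly.
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("envelope rejected: bad nonce length")
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(recipient))
	if err != nil {
		return nil, errors.New("envelope rejected: ciphertext or recipient binding altered")
	}
	return pt, nil
}

func main() {
	// Key assumed to have been shared out of band with the client.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; not a real person or account.
	record := []byte("name=Anna Example;iban=DE00 0000 0000 0000 0000 00")

	env, err := Seal(key, "client-42", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %x...\n", env.Ciphertext[:8])

	if pt, err := Open(key, "client-42", env); err == nil {
		fmt.Printf("client-42 recovers: %s\n", pt)
	}
	// A relay that flips one bit, or re-addresses the envelope, gets nothing.
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, "client-42", env)
	fmt.Println("tampered envelope:", err)
	env.Ciphertext[0] ^= 0x01
	_, err = Open(key, "client-99", env)
	fmt.Println("wrong recipient:", err)
}
```

AES-GCM gives both confidentiality and integrity, which is why the relay cannot silently modify the record, and using the recipient identifier as associated data means a captured envelope cannot simply be forwarded to a different client. Two caveats a practitioner would keep in mind: the nonce must never repeat under the same key, so rotate keys well before message counts get large; and this protects only the payload, while the sender, recipient, timing and subject line remain visible to every hop in between.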
Just as Amazon provides e-commerce services for sellers who don’t want to handle logistics, payments, hardware and data storage themselves, encryption providers such as Echoworx can help companies comply with the GDPR by supplying encryption solutions and services that protect important data.
By Christian Peel, VP Customer Engineering, Echoworx