parallax background

GDPR compliance & encryption

Send e-mail via TLS.
Email via TLS are secure! Misconception or truth?
5. February 2020
Hund,welcher in eine Decke gewickelt ist und müde aussieht.
Power Nap Day
10. March 2020
To ensure your compliance with the GDPR, you should not only have possibilities to encrypt your data, but also be able to prove that you really use these possibilities. Why and how you can find out in this blog.

The European data protection regulation is increasingly creating a more and more sensitive environment with regards to data protection issues. The GDPR has managed to raise consciousness among companies that process personal data about how they handle and treat them. However, the Regulation only defines what is to be achieved and not precisely how. It follows the data protection principles in Article 5:

  • Legality, fairness and transparency
  • Purpose of the processing
  • Data minimization and memory limitation
  • Objective accuracy of the processing
  • Protecting data and ensuring its integrity and confidentiality

In the context of this blog we want to focus on the last point of these data protection principles. Article 32 of the GDPR sets concrete requirements for the security of processing personal data. The article states that, considering the technological state of the art, implementation costs, ..., the seriousness of the risk to individual rights and freedoms, appropriate technical and organisational measures must be taken by the processors to ensure an appropriate level of protection. Among other things, the article explicitly includes the encryption of personal data.

Significance of GDPR Article 32 for companies

If you determine in the course of a risk analysis that there is a substantial risk to the persons affected by your processing, you should pseudonymise or encrypt these data in addition to general information security measures. However, do not forget that the GDPR also requires proof of actual protection (Art 5(2) "Accountability"). To ensure your compliance with the GDPR, you should therefore not only have the appropriate data encryption options, but also be able to prove that you actually use these options.

In the case of internal processes for data processing and the associated IT systems, the ability to provide the relevant evidence is usually not too difficult. Since you have access to the systems and the processes are usually operated on your premises, you can prove how they are configured and whether the corresponding protection mechanisms (e.g. hard disk encryption) are used.

Proof of encryption in external communication

What about your e-mails, the most important tool for business communication today? Here the encryption is not so simple anymore, as this is mostly related to the user-friendliness. We all know it: what is not easy or runs automatically, is only used occasionally or not at all. But also, here you need to encrypt sensitive data and proof it. It must be verifiable that all e-mails containing personal data have been sent encrypted from the sender to the recipient. The ideal solution for this is Frama RMail. You can read in our whitepaper how you can provide this proof of secure email encryption with Frama RMail.

Mark Schilt
Mark Schilt
Head of Management Systems

Comments are closed.