The European data protection regulation is creating an increasingly sensitive environment around data protection issues. The GDPR has raised awareness among companies that process personal data of how they handle and treat such data. However, the Regulation only defines what is to be achieved, not precisely how. It follows the data protection principles in Article 5:
In the context of this blog post we want to focus on the last of these data protection principles. Article 32 of the GDPR sets concrete requirements for the security of processing personal data. The article states that, considering the technological state of the art, implementation costs, ..., the seriousness of the risk to individual rights and freedoms, appropriate technical and organisational measures must be taken by the processors to ensure an appropriate level of protection. Among other things, the article explicitly names the encryption of personal data as such a measure.
If you determine in the course of a risk analysis that your processing poses a substantial risk to the persons affected, you should pseudonymise or encrypt these data in addition to applying general information security measures. However, do not forget that the GDPR also requires proof of actual protection (Art 5(2) "Accountability"). To ensure your compliance with the GDPR, you should therefore not only have appropriate data encryption options available, but also be able to prove that you actually use them.
For internal data processing and the associated IT systems, providing the relevant evidence is usually not too difficult. Since you have access to the systems and the processes usually run on your own premises, you can show how they are configured and whether the corresponding protection mechanisms (e.g. hard disk encryption) are in use.
What about your e-mails, the most important tool for business communication today? Here encryption is no longer so simple, and the reason is mostly user-friendliness. We all know it: whatever is not easy or does not run automatically is used only occasionally or not at all. But here too you need to encrypt sensitive data and prove that you have done so. It must be verifiable that every e-mail containing personal data was sent encrypted from the sender to the recipient. The ideal solution for this is Frama RMail. You can read in our whitepaper how you can provide this proof of secure e-mail encryption with Frama RMail.