GDPR: Encryption is not a “get out of jail free” card
Another day and another e-mail or banner ad touting encryption as the 'solution' to all GDPR woes.
Vendors have been quick to jump on the encryption bandwagon. Despite appearing only four times in the text, encryption is one of only two techniques specifically mentioned which provide mitigation in the event of a data breach. This has led many to assume that encryption is all that’s required, overlooking many of the GDPR’s more subtle nuances.
One claim, often made, is that encryption obviates the need to do anything in the event of a data breach. Of course, the reality is a little different.
Read the flaming regulation!
The first port of call is the regulation itself. Articles 33 and 34 deal with the notification of the supervisory authority and the data subjects respectively. Whilst encryption is mentioned under Article 34(3)(a) as a measure that can remove the duty to tell the data subjects, it never actually makes an appearance under Article 33. The only relief Article 33 offers is the general one in 33(1): no notification where the breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Encryption is evidence you can bring to that risk assessment; it is not an automatic exemption. It does NOT by itself obviate the need to contact the authority in the event of a data loss, nor does it obviate the need to fully investigate and document the breach under 33(5):
33.5 The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
A data breach is broadly defined
If we step back further, looking at the definition of a data breach, then Article 4(12) clearly defines this as:
4.12 ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
Access is one area that most people struggle with. If your cleaner sits down at a desktop to play solitaire and accidentally brings up a list of patients or credit card details – then a personal data breach has occurred.
Destruction is another area that even some IT managers cannot seem to get their heads around. If a disk dies, taking the only copy of personal data with it, then that’s a data breach. Equally, if that data has a backup but takes a week to get fully restored, that’s also a breach, not least because Article 32(1)(c) demands:
32.1.c the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
The Article 29 Working Party has produced guidelines on breach notification which are currently close to finalisation. Here are some useful snippets:
A confidentiality breach involving properly encrypted personal data may not need to be notified to the supervisory authority. This is because such a breach is unlikely to pose a risk to individuals’ rights and freedoms.
But goes on to say:
…this may change over time and the risk would have to be re-evaluated. For example, if the key is subsequently found to be compromised, or a vulnerability in the encryption software is exposed, then notification may still be required.
On the subject of losing the only copy:
…if there is a breach where there are no backups of the encrypted personal data then there will have been an availability breach, which could pose risks to individuals and therefore may require notification.
Finally, the issue of recovery from a backup:
Similarly, where a breach occurs involving the loss of encrypted data, even if a backup of the personal data exists this may still be a reportable breach, depending on the length of time taken to restore the data from that backup and the effect that lack of availability has on individuals.
- Encryption is not a get out of jail free card – only part of a much bigger picture.
- In the event of a data breach – the use of state-of-the-art encryption and keys which are both strong and uncompromised may mean you don’t have to notify the supervisory authority. Yet.
- Should vulnerabilities be found in the encryption, should the keys become compromised, should the device otherwise be found vulnerable – then notification will be required. In practice that means being able to show, for the specific device or data set that was lost, that encryption was actually switched on and that the key was not recoverable from what was lost (not stored alongside the data, not protected by a trivial passphrase). Without that evidence, the “properly encrypted” exemption is hard to claim.
- Should the loss result in a loss of availability of that information (loss of the only copy or an inability to restore in a timely manner) then that may also require notification.
- None of this obviates the need to investigate and document every breach under Article 33(5).
Let’s hope I’ve set the record straight!