Encryption and the GDPR

January 16, 2019 | Blog

The UK equivalent of the Dutch Data Protection Authority (the "Authority"), the Information Commissioner's Office ("ICO"), has issued guidance on data encryption under the General Data Protection Regulation ("GDPR"). The Guidance is a useful tool for companies wishing to implement encryption as a technical measure for protecting personal data.

GDPR
Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f) GDPR). Article 32 of the GDPR mentions encryption as one of the relevant measures that may be implemented.

Encryption
Encryption means that information is converted into an unreadable form in order to prevent unauthorised persons from reading it. A distinction is made between asymmetric and symmetric encryption. Asymmetric encryption uses a key pair: a secret (private) key and a public key. Information encrypted with the public key cannot be decrypted without the secret key. Symmetric encryption uses one and the same key for both encryption and decryption.

In both cases, a secure method must be selected for exchanging the key between the sender and the recipient. Also, in both cases it is important that the key remains up to date if it is to offer sufficient protection, because the key must stay strong for the whole life of the encrypted data. This means that what is an adequate key today might be a poor key a year from now, given the ever-increasing computing capacity available to attackers.

Processing encrypted personal data is also processing
Article 4(2) of the GDPR defines "processing" as any operation or set of operations which is performed on personal data or on sets of personal data, including "adaptation or alteration". The encryption of information into encrypted text ("ciphertext") means that the information is "adapted or altered". Therefore, the encryption itself is processing within the meaning of the GDPR.

When an entity, irrespective of whether it acts in the capacity of a controller or a processor, has encrypted personal data and is responsible for managing the key, this also constitutes processing within the meaning of the GDPR. Processing within the meaning of the GDPR is also involved if the encrypted data are subsequently stored, retrieved, consulted or otherwise used.

When should encryption be applied?
The ICO indicates that encryption should be considered as a security measure instead of or in addition to other technical and organisational measures. Sector- or industry-specific rules may apply that prescribe a certain minimum standard (such as the Advanced Encryption Standard (AES)) or specific policy for personal data encryption. Encryption is used primarily in the storage and transfer of personal data. A well-known example of an encryption protocol is HTTPS. HTTPS is a combination of HTTP and TLS for encrypted communication with, and the secure identification of, websites. A more secure variant of HTTPS is HTTP Strict Transport Security (HSTS). However, a discussion of HSTS is beyond the scope of this blog.

An encrypted data transfer without additional encryption measures (such as encrypted data storage) only protects the data while in transit; the data may not be encrypted after arrival (and decryption) in the recipient's system. Furthermore, there is a risk that the metadata accompanying the data is sent in unencrypted form during the transfer. In this context, the ICO advises that the Transport Layer Security protocol (TLS, version 1.2 or later) be used when sending personal data.
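The TLS floor the ICO advises can be enforced in code rather than left to library defaults. The following is an added example, not code from the original post or from the ICO guidance; it uses only Python's standard ssl module, and the function names are my own. It shows a client context that refuses anything below TLS 1.2 beside a permissive one, a policy check for either, and a check for the version string a connection (or a log of one) reports.

```python
import ssl

# Floor recommended in the ICO guidance discussed above: TLS 1.2 or later.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2


def make_personal_data_client_context() -> ssl.SSLContext:
    """Client context for sending personal data: TLS >= 1.2 only, with
    server certificate and hostname verification switched on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables these; set them explicitly so
    # the policy is visible to a reviewer reading the code.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_default_certs()
    # Without an explicit floor, the accepted versions depend on the
    # OpenSSL build and its config file, which is exactly the unreviewed
    # behaviour a data-protection policy should not rely on.
    ctx.minimum_version = MINIMUM_TLS
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The weak setting for comparison: accept whatever the library allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Pre-deployment or unit-test check of a context against the policy."""
    return (
        ctx.minimum_version >= MINIMUM_TLS
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
    )


# Strings as returned by SSLSocket.version(), which is what typically ends
# up in connection logs.
_VERSION_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiated_version_is_acceptable(name: str) -> bool:
    """True if a logged protocol name meets the floor; unknown names fail."""
    version = _VERSION_NAMES.get(name)
    return version is not None and version >= MINIMUM_TLS
```

The last function is useful when reviewing after the fact whether a particular transfer of personal data actually met the policy, not just whether the configuration intended it to.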

The use of encryption does not by itself guarantee sufficient safeguards against unauthorised or unlawful processing. It is important to ensure that the chosen encryption offers adequate protection against the risks associated with the specific processing operation and the nature of the personal or other data. A Data Protection Impact Assessment ("DPIA") and other measures allow companies to determine the degree of encryption needed, or what other security measures they need. Depending on the nature of the data to be processed, a company may be required to carry out a DPIA under Article 35 of the GDPR.

The advantage of encryption: there is not always a notification obligation
Under Article 33 of the GDPR, a personal data breach must be notified to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the data subjects. Furthermore, it follows from Article 34 of the GDPR that the controller must inform the data subject(s) of a personal data breach if the breach is likely to result in a high risk to the data subjects, unless the controller has implemented appropriate technical and organisational measures and has applied those measures to the personal data affected by the breach, in particular those that render the personal data unintelligible to any person who is not authorised to access them, such as encryption.

The ICO takes the position that the loss of an encrypted data set may still involve a risk to the rights and freedoms of data subjects as referred to in Article 33 of the GDPR, which means that the supervisory authority must be notified of this.

According to the ICO, this means that the loss of properly encrypted data will not generally result in a high risk to data subjects, as a result of which the ICO does not need to be notified. This still leaves the controller with the obligation to demonstrate that the data at issue were in fact properly encrypted. If the controller succeeds in doing so, it must still document why it decided not to inform the data subjects.

In short, knowing how to handle properly encrypted data (on laptops, telephones, USB memory sticks, CDs, DVDs, backup devices or servers, or in the event of a data transfer, whether wireless or not) may prevent a lot of trouble for both the controller and the data subject in the event of a personal data breach.

Risks
The ICO Guidance also points out a few risks that continue to exist despite encryption. These may be found, for example, in the event of:

  • leaving an encrypted device unattended while a user is logged on;
  • devices storing data in encrypted parts of a hard drive/server when these encrypted parts are not closed (locked) after a user has finished their work;
  • the presence of malware (including an SQL injection attack) on a device; or
  • an Application Programming Interface (API), which allows the content of a website to be read and files to be written on the underlying system.

In all these examples, an unauthorised person will be able to gain access to the data despite the data being encrypted. That is why tackling such risks is a major component of a sound encryption policy. An encryption policy should also encompass awareness training for staff.
