GDPR and why encryption is important? Encryption is like backup. Everyone agrees that is the right thing to do, but still some will do it, and some will not. With backup, it is a no brainer – you should backup (often, regularly and keep copies off site based on a strategy that is appropriate to your risk appetite). I think the same applies with encryption – if you have sensitive information you should consider encryption.
What is encryption? (See ICO for more details)
Encryption is a mathematical function using a secret value — the key — which encodes data so that only users with access to that key can read the information. In many cases encryption can provide an appropriate safeguard against the unauthorised or unlawful processing of personal data, especially in cases where it is not possible to implement alternative measures.
Why use encryption?
So why should you consider encrypting your data? Well today the use of mobile devices is everywhere (laptops, phones, hard drives, USB sticks) and the risk of these devices being lost or getting into the wrong hands are likely if not very likely. Just look at the latest security breach relating to London Heathrow airport.
Another reason for encryption is the use of the internet. Of course, most would already be using encryption for various internet transactions for example when communicating with the online bank or when visiting sites that have the https in their url. I would suggest that more should also consider using a VPN encryption when accessing the internet from a public wifi.
Deloitte has also had a breach of their email system as reported for example by the Guardian. In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information. Some emails had attachments with sensitive security and design details. Perhaps damage could have been limited if either email attachments had been encrypted where appropriate or (perhaps) even better sensitive information was communicated via a secure (encrypted) portal rather than email.
GDPR
GDPR is also asking you to consider encryption. Article 5 of the GDPR requires that personal data shall be: (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that “the controller shall be responsible for, and be able to demonstrate, compliance with the principles.” Having encryption in place will help demonstrate compliance.
In addition, GDPR is also asking you to report any breach but “you only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals.” Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify those concerned directly. If the breach involves data that is correctly encrypted, then the risk should be insignificant. See ICO website for further details.
ISO 27001
ISO 27001 is of course very clear on encryption and asks that controls with the objective “to ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information” are considered.
In JSC Consultant our approach is:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So, if you are considering ISO 27001 call us now (+44 (0)20 8798 9282) to discuss, how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.
For further information that might be of interest please also see: