The 25th of May 2018 brought great changes for companies worldwide with regard to the processing and storage of personal data of EU citizens. With the entry into force of the new European General Data Protection Regulation (GDPR), a new and strict set of rules applies to every company that uses or stores personal data of EU citizens in any form. These rules are concerned with the protection of that personal data.
In this guest article, we would like to give you an overview of some of the changes resulting from the GDPR and introduce you to a solution for the secure processing and storage of personal data: end-to-end encryption of the data with Boxcryptor.
Which Changes and Adjustments are Becoming Necessary?
Every company, regardless of its size or the location of its headquarters, has to make adjustments in the following four areas whenever the data it uses concerns a citizen of the European Union:
- Secure storing and processing of personal data
- Conformity of internal processes with data protection regulations
- GDPR-conformity of third-party providers
- Analysis and documentation of the company’s data structure
This article deals particularly with the changes and adjustments required in the first of these areas, the secure storing and processing of personal data.
How Encryption Enables GDPR-compliant Storage of Personal Data
The storage and processing of personal data is subject to strict stipulations now that the GDPR has come into force. Companies are required to implement the necessary “technical and organizational measures” (TOM) for the protection of the data and, furthermore, to document all of those measures thoroughly.
State-of-the-art encryption of data is considered such a TOM in the eyes of the GDPR. Given that some TOM is absolutely necessary, encryption is therefore a measure that data protection officers should consider thoroughly.
But there is another, much bigger reason for companies to use encryption for data protection: if a company with strong, state-of-the-art encryption in place suffers a data loss or breach, it is not(!) obliged to inform the people whose data was lost about the incident. This is because encrypted data remains useless to unauthorized third parties: the secure end-to-end encryption ensures that the data stays unreadable to a possible attacker.
Hence, when a company can ensure that no one without authorization is able to access the stored personal data, even if an unauthorized person comes into physical possession of the data, the appropriate measures for the protection of the data are in place and dramatic penalty payments can be avoided.
Do not forget: in case of a violation of the GDPR, companies face severe penalty payments. Depending on the nature of the violation, these payments lie between 10 and 20 million Euros, or at least 2-4% of the worldwide annual turnover, whichever is the higher amount.
A further crucial advantage of strong encryption being properly used: since a company that has the appropriate TOMs in place is not required to inform the person concerned about the loss of their data, there is no negative effect on that person's trust in the company.
BEWARE: The waiver of the obligation to inform a person that their personal data has been lost when encryption is in place is subject to the national data protection laws that put the EU regulation into a legally binding framework (e.g. the German Federal Data Protection Act). Therefore, this waiver is not universally applicable but depends on the EU member state in which the data incident took place.
Whether or not you are obliged to inform a person that their personal data has been stolen, we strongly recommend informing your customers or partners of such an incident while assuring them that the information is safe thanks to the strong encryption in use. This is probably a better way to avoid losing trust than keeping a data loss secret.
Boxcryptor Encryption Software for Teams – an Overview
A major aspect of a company becoming GDPR-compliant with regard to the storage and processing of personal data is having an appropriate and adequate TOM in place for the protection of this data. State-of-the-art encryption is listed as such a TOM.
Boxcryptor uses hybrid encryption, combining the AES-256 and RSA encryption standards. AES is an encryption algorithm approved for military use and is used by financial institutions, governments and intelligence services around the world. Recovering an AES key with a length of 128 bits (AES-128) by brute force on a supercomputer of today would require more time than the estimated age of the universe, and doubling the key length (AES-256) increases the required time exponentially. The second algorithm, RSA, is one of the most commonly used asymmetric encryption systems to date and is based on the mathematical problem of factoring large numbers into primes.
Boxcryptor combines the two standards in a single encryption process. Every file gets its own randomly generated encryption key, created when the file is created. The file content is encrypted with the fast symmetric cipher (AES), while RSA encrypts only the short file key, so the bulk of the data never has to pass through the slower asymmetric operation. This hybrid of AES and RSA is used for efficiency reasons and is a prerequisite for true end-to-end encryption.
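The following Go program is an added illustration of the hybrid scheme described above and is not Boxcryptor's own code or file format: a fresh random 256-bit AES key is generated for each file, the content is encrypted with AES-256-GCM (so tampering is detected on decryption), and the file key is wrapped with RSA-OAEP for each authorized recipient's public key. The `EncryptedFile` structure, the recipient names and the sample record are constructed for this example only; the AES mode and the RSA padding are assumptions, since the article names only the algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is the hybrid-encryption envelope for one file (a constructed
// format for this example, not Boxcryptor's on-disk format).
type EncryptedFile struct {
	Nonce      []byte            // AES-GCM nonce, unique per file
	Ciphertext []byte            // AES-256-GCM output (content plus 16-byte authentication tag)
	WrappedKey map[string][]byte // file key encrypted with each recipient's RSA public key (RSA-OAEP)
}

// EncryptFile generates a fresh random 256-bit AES key for this file, encrypts
// the content with AES-256-GCM, and wraps the file key with the RSA public key
// of every recipient so that each of them can recover it independently.
func EncryptFile(content []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	fileKey := make([]byte, 32) // one AES-256 key per file
	if _, err := io.ReadFull(rand.Reader, fileKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ef := &EncryptedFile{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, content, nil),
		WrappedKey: make(map[string][]byte, len(recipients)),
	}
	// Only the 32-byte file key goes through RSA; the bulk data never does.
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
		if err != nil {
			return nil, err
		}
		ef.WrappedKey[name] = wrapped
	}
	return ef, nil
}

// DecryptFile unwraps the file key with one recipient's private key and then
// decrypts the content. A recipient without a wrapped copy, a wrong private
// key, or a modified ciphertext all yield an error rather than plaintext.
func DecryptFile(ef *EncryptedFile, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedKey[name]
	if !ok {
		return nil, errors.New("no file key wrapped for " + name)
	}
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, err // OAEP unpadding fails with the wrong private key
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, nil) // fails on authentication tag mismatch
}

func main() {
	// Constructed RSA key pairs and a constructed sample record for the demonstration.
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	outsider, err := rsa.GenerateKey(rand.Reader, 2048) // holds no wrapped copy of the file key
	if err != nil {
		panic(err)
	}
	record := []byte("customer record (constructed): Jane Doe, jane@example.com")

	ef, err := EncryptFile(record, map[string]*rsa.PublicKey{
		"alice": &alice.PublicKey,
		"bob":   &bob.PublicKey,
	})
	if err != nil {
		panic(err)
	}
	plain, err := DecryptFile(ef, "bob", bob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("bob decrypts: %s\n", plain)
	if _, err := DecryptFile(ef, "alice", outsider); err != nil {
		fmt.Println("outsider using alice's wrapped key fails:", err)
	}
}
```

Adding a recipient later only requires wrapping the existing file key for one more public key; the bulk ciphertext is untouched, which is what makes the per-file key approach practical for shared folders. Conversely, a party who obtains the ciphertext and the wrapped keys without any matching private key, as in the breach scenario discussed above, gains nothing usable.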
There are two attractive license models available for organizations: Boxcryptor Company is the license of choice for small and medium-sized enterprises, while Boxcryptor Enterprise suits the needs of organizations with a large number of users.
All “for teams” licenses enable secure storage and sharing of business data, while protecting the data sufficiently in order to fulfill the GDPR requirements.
All Boxcryptor solutions for commercial use can be seamlessly integrated into existing processes and workflows. With support for features such as Single Sign-On and Azure Active Directory, an additional layer of security is easily put on top of existing business and user management processes. By using Boxcryptor within your organization, crucial requirements of the European General Data Protection Regulation are fulfilled. Furthermore, Boxcryptor protects your most valuable data from unauthorized access (potential internal threats) and from external attacks by hackers. For more information about the Boxcryptor encryption solution, visit our website.
This article focuses on securely processing and storing personal data with regard to the GDPR. However, since the aspects “Analysis and documentation of the company’s data structure”, “GDPR-conformity of third-party providers” and “Conformity of internal processes with data protection regulations” are equally important, we recommend that you read our article series on implementing the changes made necessary by the GDPR, written by Boxcryptor CEO Andrea Pfundmeier.
You can find part 1 of the series here.