Encryption is an easy win for aspects of GDPR compliance

A stolen laptop with encryption software would count as a physical loss, not a data one.

Firms may have a difficult time justifying a decision not to encrypt certain data when new data protection rules are brought into force next year, according to an expert.

While the Global Data Protection Review does not require firms to encrypt data, the simplicity of doing so in some cases makes it an easy way to add a layer of protection to your files, Bernard Parsons, CEO and co-founder of Becrypt, told pfm.

Encryption software works by running data through an algorithm, which scrambles and makes them unreadable to anyone that does not have the key, which is usually a password.

“If a laptop that has encryption software on it is stolen or lost, a firm would still have to notify the authorities under GDPR but it is classified as a physical loss, not a data loss. You wouldn’t have to inform every individual whose information is held on the computer as you would if the data was accessible,” Parsons said.

But while it seems like a logical way of protecting data, whether encryption is suitable for a company depends on what it is hoping to protect against by doing so, he said.
“If it is data held on a laptop then the software would need to be installed on each individual machine, but it’s a simple process. The user won’t be affected by it,”
Parsons said. “But in the case of email encryption it can require more burdensome key management.”

While the content of some emails may be sensitive, others are more run-of-the-mill and so encryption is not necessary. There are also, ironically, security issues associated with email encryption that makes it much more burdensome.

“Because you need to recover the data with a key you have to decide who has access to that key, who it can be safely shared with,” he said. “With a laptop, unless it’s a shared machine, only one person needs the password so it’s much simpler.”

Similar to email, encrypting a database may create more complications than it solves, so it is important to balance the perceived benefits with the potential complexity.

“Encryption is certainly one tool to use, and it has its place but the GDPR data
protection principles are very broad, and require a firm to think a lot more carefully about the data, how it is processed, what it is used for and whether it is needed,” Parsons said.