Encryption is Central to EU GDPR’s Demand for Privacy

From 25 May 2018, any business offering goods or services to individuals in the European Union (EU), or monitoring their behaviour, must comply with the General Data Protection Regulation (GDPR), regardless of where the business itself is based.

These rules require companies to take appropriate technical and organizational measures, proportionate to the risk, to protect the confidentiality and integrity of the personal data they process or store.

A key principle of GDPR is “privacy by default” (Article 25, “data protection by design and by default”), which requires that personal data held in everything from emails and mobile apps to cloud storage systems and machine-to-machine (M2M) communications is kept private and secure at all times.

Studies show that U.S. organizations are no less committed to GDPR compliance than those in the EU.

One of the most powerful protection measures a company can take is to encrypt data at every stage – in use, in motion and in storage.

A tried and tested way to transport sensitive personal data securely across public networks is a business-grade Virtual Private Network (VPN). A VPN provides an encrypted tunnel between endpoints such as email clients, mobile devices, internal databases and cloud storage, so that data crossing the public Internet cannot be read or altered in transit. It protects data in motion only; data at rest at either end of the tunnel still needs its own encryption.

At the heart of GDPR is the notion that privacy is a human right.

Unfortunately, large-scale data breaches plainly show organizations often struggle to provide adequate protection for the personal information they hold. It seems many businesses are losing track of customer data as it spreads across multiple systems and is shared with many different parties.

Through privacy “by design” and “by default”, GDPR will force organizations to take better care of data protection or risk fines of up to €20 million or 4% of their annual global turnover, whichever is higher.

Earlier this year, the European Parliament went even further, publishing a draft report that is firmly in favour of strong end-to-end encryption. It advocates that providers protect customers’ communications from unauthorized access or alteration, and that confidentiality be guaranteed by the means of transmission used.

With GDPR only a few months away, many businesses still appear to be far from ready.

In the UK, a report by legal firm Blake Morgan found that 9 out of 10 businesses still have not made crucial updates to their privacy policies.

Meanwhile, a study by Citrix found that almost two fifths (38 percent) of respondents were not ready for GDPR: they either admit their access control policies are insufficient to comply with the regulation, or they have ‘no idea’ whether they meet its standards.

U.S. companies, by contrast, appear to be in better shape. Of 200 companies in a Veritas survey, 35% were already in compliance, and U.S. companies plan to spend 20% more than their European counterparts on compliance.

Elsewhere, a PwC survey of 200 U.S. companies with more than 500 employees found 77% plan to spend at least $1 million on GDPR compliance.

One area that is causing concern for organizations in respect of GDPR is the cloud.

Research by cloud data protection specialist Eperi found that more than half of security professionals admit the incoming data protection requirements might stop them putting sensitive data in the cloud. An even higher proportion (72%) said they would have to think twice about their cloud data security arrangements because of the new rules.

For some, the debate centers on whether it is safe to leave encryption of sensitive data to the cloud service provider, who then also holds the keys and can be compelled or compromised into using them; for others it is about where in the world cloud data should reside so that complete privacy protection can be guaranteed.

Comprehensive protection means applying strong encryption to personal data wherever it lives, in files, emails, mobile devices, cloud storage and M2M communications, with the keys managed separately from the data they protect.

Encryption and pseudonymization are the only protection technologies GDPR names explicitly. Pseudonymization (Article 4(5)) replaces directly identifying fields with tokens so that the data can no longer be attributed to a person without additional information that is kept separately, for example a key or a lookup table; encryption renders the data itself unintelligible without the key. A company whose breached data was protected this way does not have to notify the affected individuals (Article 34(3)(a)), provided the measure actually rendered the data unintelligible to the attacker, i.e. the keys were not compromised along with it. Notification of the supervisory authority within 72 hours (Article 33) is still required.
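As an added illustration (not code from the original post), the following Python script shows the distinction the paragraph above glosses over: keyed pseudonymization keeps records about the same person linkable while holding the re-identification material (a secret key plus a token-to-value table) separately from the data set, whereas an unkeyed hash of an email address is not pseudonymization at all, because an attacker can recompute it from a list of guesses. The field names, sample records and candidate list are constructed for the example and the 32-byte key is an assumed choice; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

# Fields that directly identify a person. Everything else is left as-is.
IDENTIFIERS = ("customer_id", "email", "phone")

# Constructed sample records for the example; not real customer data.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.org",
     "phone": "+39 012 345 678", "plan": "gold"},
    {"customer_id": "C-1002", "email": "ben@example.com",
     "phone": "+44 012 345 678", "plan": "basic"},
    # Same person again: the pseudonym must be stable so her records stay linkable.
    {"customer_id": "C-1001", "email": "anna@example.org",
     "phone": "+39 012 345 678", "plan": "gold"},
]


def make_token(key, field, value):
    """Keyed pseudonym: HMAC-SHA256 over 'field:value'.

    The field name is mixed in so an email and a phone number can never map to
    the same token. Without `key` the token cannot be recomputed from a guess.
    """
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()


def pseudonymize(record, key, lookup):
    """Return a copy of `record` with identifiers replaced by tokens.

    `lookup` (token -> original value) is the 'additional information kept
    separately' in GDPR's definition; store it, and `key`, apart from the data set.
    """
    out = dict(record)
    for field in IDENTIFIERS:
        if field in out:
            token = make_token(key, field, out[field])
            lookup[token] = out[field]
            out[field] = token
    return out


def pseudonymize_dataset(records, key):
    """Pseudonymize a whole data set under one key, returning (records, lookup)."""
    lookup = {}
    return [pseudonymize(r, key, lookup) for r in records], lookup


def reidentify(record, lookup):
    """Reverse pseudonymization using the separately held lookup table."""
    out = dict(record)
    for field in IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def guess_value(token, field, candidates, key=None):
    """Attacker's dictionary attack: recompute the token for each candidate value.

    key=None models an unkeyed SHA-256 'pseudonym', which is reversible for any
    value the attacker can enumerate (emails, phone numbers). With the wrong key
    nothing matches; with the right key the attacker has in effect stolen the
    re-identification material and the data is no longer pseudonymous.
    """
    for c in candidates:
        if key is None:
            t = hashlib.sha256(f"{field}:{c}".encode()).hexdigest()
        else:
            t = make_token(key, field, c)
        if hmac.compare_digest(t, token):
            return c
    return None


def demo(key=None):
    """Run the whole flow and return the observations a reviewer would check."""
    key = key or secrets.token_bytes(32)  # assumed: one fresh 256-bit key per data set
    pseudo, lookup = pseudonymize_dataset(SAMPLE_RECORDS, key)
    candidates = ["anna@example.org", "ben@example.com", "carl@example.net"]
    unkeyed_token = hashlib.sha256(b"email:anna@example.org").hexdigest()
    return {
        "no_plaintext_email": all("@" not in r["email"] for r in pseudo),
        "stable": pseudo[0]["email"] == pseudo[2]["email"],
        "non_identifiers_kept": pseudo[0]["plan"] == "gold",
        "reversible_with_lookup": reidentify(pseudo[0], lookup) == SAMPLE_RECORDS[0],
        "unkeyed_cracked": guess_value(unkeyed_token, "email", candidates),
        "keyed_wrong_key": guess_value(pseudo[0]["email"], "email", candidates, b"\x00" * 32),
        "keyed_right_key": guess_value(pseudo[0]["email"], "email", candidates, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design choice worth noting is that the key and the lookup table, not the tokens, are what an attacker needs; a breach of the pseudonymized data set alone leaves every identifier unintelligible, which is the condition Article 34(3)(a) hinges on. Rotating the key per data set deliberately breaks linkability across sets, so choose the key scope to match how the data will be joined.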

Many businesses already use VPNs to encrypt sensitive communications and keep them private.

They let organizations connect securely so that sensitive personal data in emails, mobile apps, cloud systems and M2M communications stays private in transit, with encryption applied automatically and without users having to think about it.

The best VPNs support both IPsec and SSL/TLS-based tunnels, as well as seamless roaming between mobile data networks and Wi-Fi without dropping the tunnel. It is also important that the organization’s IT staff can manage VPN clients and gateways remotely from a central console, so that policies are enforced consistently and weak cipher suites can be retired everywhere at once.

In summary, encryption is a powerful data protection measure and central to compliance with the EU GDPR requirement for privacy by default. It renders personal data unintelligible to unauthorized third parties, so that a breach of encrypted data whose keys are held elsewhere exposes ciphertext rather than personal information. It does not stop an attacker who obtains valid credentials or the keys themselves, which is why it must sit alongside access control and sound key management.

VPN technology, together with clear knowledge of where data resides and acknowledgment of enterprise accountability for protecting personal information, forms the central pillars on which GDPR compliance stands.
