In a recent blog post the Spanish Data Protection Agency (AEPD) released some guidance on data protection and the use of encryption. This article is not going to be a technical exploration of the tools available, for a technical review please see this previous article. Instead, this article addresses some considerations when choosing how and when to implement this essential technology.
The Irish Data Protection Commission (DPC) has touched on encryption and provided limited advice, stating that the technology ‘…can add a further useful layer of security. It is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network.’ At recent public events, the current Commissioner has gone further and said that her office would expect to see encryption used whenever personal data is at rest or in transit, as a basic part of an organisation’s Technical and Organisational Measures for the security of personal data. In the DPC’s opinion, 256-bit encryption (in practice, a 256-bit key for a symmetric cipher such as AES-256) is currently a suitable standard to apply, while acknowledging that technologies are developing rapidly (a useful explanation of what this means can be found here). Key length is only one parameter, however: the cipher mode (an authenticated mode such as AES-GCM rather than an unauthenticated one), how keys are generated, stored and rotated, and the quality of the implementation matter at least as much as the number of bits. The level of encryption implemented should be recorded in the organisation’s Record of Processing Activities (a document that aids compliance with Article 30, GDPR).
The ICO also provides advice on encryption that is more detailed than the DPC’s, as it addresses specific types of encryption. It also recommends that personal data should be stored in an encrypted form to protect against unauthorised access or processing in general, but especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals.
The blog from the AEPD avoids specifying what technology to use, but does set out useful considerations when choosing how to implement encryption, acknowledging that it is not a simple choice to make. Central to their message is that encryption is not just one technology; it is a range of technical and organisational systems, and each has different characteristics. Therefore, a Controller must analyse and choose the most appropriate encryption for the product or service being implemented and the personal data being processed.
Lifetime of personal data
The AEPD notes that the choice of encryption is linked directly to the lifetime of the personal data within systems. The longer the data is held, at rest or in transit, the stronger the encryption required, because the ciphertext must stay unreadable for the whole period the data remains sensitive, not just on the day it was encrypted: an attacker who captures ciphertext today can keep it and attempt to decrypt it once cryptanalysis or computing power has improved. The AEPD gives two examples: transmission over a public network that takes a long time (high latency) because of poor connections or large volumes of data, which widens the window in which traffic can be intercepted, and personal data stored in a file management system for, say, several years.
The AEPD acknowledges that achieving high-strength encryption can be a very expensive requirement. However, ‘very high strength requirements’ are expected under GDPR, especially for Special Category Data. While this obligation on the Controller does not diminish over time, advances in technology will steadily erode the effectiveness of the encryption initially chosen, so further costs will be incurred: keys will need to be rotated, and data already encrypted will at some point need to be decrypted and re-encrypted under a stronger key or algorithm. Systems that record which key and algorithm protect each item of data are far cheaper to migrate than systems that do not.
In addition, Controllers must address the fact that different categories of data carry greater or lesser levels of risk to the data subjects they relate to. The greater this risk, the stronger the encryption required; data relating to minors, or special category data such as data relating to health or ethnicity, would require stronger encryption.
In summary, processing of personal data will inevitably incur costs, but an optimal configuration must be found among the different requirements.
Category of Data + Life of the Data = Strength of Encryption and the Related Costs
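As a concrete illustration of the two points above (strength chosen for the lifetime of the data, and the later cost of re-encrypting once the initial choice has aged), the following Go program is an added example and is not from the AEPD blog or the original article. It stores each record as a key-version header, a random nonce and AES-256-GCM ciphertext, with the header bound into the authentication tag so that a record cannot be re-labelled as belonging to another key, and it shows the migration step that finds records still under an old key and re-encrypts them. The record layout, the in-memory keyring and the sample record are assumptions made for the example; in production the keys would live in a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Assumed record layout: 4-byte big-endian key version | 12-byte nonce | AES-256-GCM ciphertext+tag.
// The version header is passed to GCM as associated data, so it is authenticated along with the data.
const (
	keyLen   = 32 // 256-bit key
	nonceLen = 12
	hdrLen   = 4
)

// Keyring holds every key version still needed to read old records, plus the current one.
// Keys are generated in memory for this example only; a real system would fetch them from a KMS/HSM.
type Keyring struct {
	current uint32
	keys    map[uint32][]byte
}

// NewKeyring creates a keyring whose first key is version 1.
func NewKeyring() (*Keyring, error) {
	kr := &Keyring{keys: map[uint32][]byte{}}
	if _, err := kr.Rotate(); err != nil {
		return nil, err
	}
	return kr, nil
}

// Rotate generates a fresh random 256-bit key and makes it the current version.
func (kr *Keyring) Rotate() (uint32, error) {
	k := make([]byte, keyLen)
	if _, err := rand.Read(k); err != nil {
		return 0, err
	}
	kr.current++
	kr.keys[kr.current] = k
	return kr.current, nil
}

func (kr *Keyring) aead(version uint32) (cipher.AEAD, error) {
	k, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("unknown key version %d", version)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the current key with a fresh random nonce.
func (kr *Keyring) Seal(plaintext []byte) ([]byte, error) {
	g, err := kr.aead(kr.current)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr, kr.current)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	record := append(append([]byte{}, hdr...), nonce...)
	return g.Seal(record, nonce, plaintext, hdr), nil
}

// Open decrypts a record under whichever key version its header names and returns that
// version, so a migration job can tell which records are still under an old key.
func (kr *Keyring) Open(record []byte) (uint32, []byte, error) {
	if len(record) < hdrLen+nonceLen {
		return 0, nil, fmt.Errorf("record too short (%d bytes)", len(record))
	}
	hdr, nonce, ct := record[:hdrLen], record[hdrLen:hdrLen+nonceLen], record[hdrLen+nonceLen:]
	version := binary.BigEndian.Uint32(hdr)
	g, err := kr.aead(version)
	if err != nil {
		return 0, nil, err
	}
	pt, err := g.Open(nil, nonce, ct, hdr)
	if err != nil {
		return 0, nil, fmt.Errorf("record under key version %d failed authentication: %w", version, err)
	}
	return version, pt, nil
}

// Reencrypt is the migration step: a record under an older key is decrypted and sealed
// again under the current key; a record that is already current is returned unchanged.
func (kr *Keyring) Reencrypt(record []byte) ([]byte, bool, error) {
	version, pt, err := kr.Open(record)
	if err != nil {
		return nil, false, err
	}
	if version == kr.current {
		return record, false, nil
	}
	out, err := kr.Seal(pt)
	return out, err == nil, err
}

func main() {
	kr, _ := NewKeyring()
	rec, _ := kr.Seal([]byte("constructed sample: patient 42, blood group O+")) // constructed sample data
	kr.Rotate() // the initially chosen key is now judged too old
	upgraded, changed, err := kr.Reencrypt(rec)
	if err != nil {
		panic(err)
	}
	version, pt, _ := kr.Open(upgraded)
	fmt.Printf("re-encrypted=%v, now under key version %d: %q\n", changed, version, pt)
}
```

The point of the version header is the migration cost the AEPD warns about: without it, a store has no cheap way to tell which records still need re-encrypting when the original key or algorithm is retired, and every record has to be processed blind.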
Choosing a suitable encryption system
The AEPD expects Controllers to undertake an informed risk assessment of the intended processing that matches the available technologies to the level of risk identified to the data subjects.
When choosing a technology to implement, understanding exactly how secure a new encryption system will be can be a real challenge. The more expensive and complicated a system is, the harder it is likely to be to evaluate, and the more likely it is to conflict with the business or technical requirements it has to operate within. Well-reviewed standard algorithms and libraries are far easier to assess than bespoke ones.
The AEPD also lists technical considerations that belong in this assessment: latency, connection or session establishment time, consumption of resources, performance, portability and usability. In short, it is not an easy decision and will require input from technical, operational and managerial leaders in the organisation.
We advise the following:
- Review your Record of Processing Activities and ensure, as Controller, that you process as little personal data for as short a time as possible to meet the declared purposes under your Lawful Basis;
- Decide your encryption needs as part of your Data Protection Impact Assessment so you can include these as input into your procurement process;
- Seek advice regarding software and hardware options from your system suppliers. Many updates to hardware and software systems now include encryption options as standard to meet demand under GDPR, and many do not noticeably diminish system performance; and
- As with all risk management for data protection, document your choices and the logic which underpins them.
If you need support in assessing the risks to data protection or assessing the suitability of technical and organisation measures implemented to protect the personal data you process, please feel free to contact one of our advisors at the Data Governance and Cyber-Risk Team.