GDPR Compliance

The Role of File Encryption

How File Encryption Helps Fulfill GDPR Requirements

The General Data Protection Regulation (EU GDPR) needs to be implemented by May 25, 2018, as companies that handle the personal data of EU citizens will otherwise face severe penalties. Data encryption is an important aspect of the GDPR. This article shows you why data encryption will become indispensable, and which solutions are available.

The GDPR and the Consequences of Non-compliance

What day of the week is May 25, 2018? You wonder why I’m asking? Well, this is a date that should be marked indelibly in the office diaries of all companies and government agencies. This much we can reveal: It’s the Friday after Whitsun. No doubt, it’s a time when quite a few people will be enjoying a brief holiday. But May 25 has a special significance in 2018, as it is the date on which all companies and government agencies that use personal data of EU citizens will be required to implement the EU General Data Protection Regulation (GDPR). And it is entirely inconsequential whether or not the company headquarters are located in the EU.

So we need to get ready for this particular Friday. Article 79 EU GDPR states that severe penalties of up to €20 million or four percent of the global corporate revenue can be imposed in the case of non-compliance. The fine will be “in all cases effective, proportionate and deterrent”, depending on which amount is higher. So in the case of the family firm Joe Bloggs & Son, the monetary value may indeed be significantly less than for a multinational – but it will certainly be painful and perhaps even threaten the existence of smaller firms.

These Prominent Data Mishaps Caused Quite a Stir

There have been increasingly frequent reports in the daily newspapers of data mishaps, irrespective of their cause, repercussions or significance. A few examples, maybe?

One of them involving probably the most prominent victims was reported in spring 2015: The immigration authorities in Australia mistakenly sent an email with the personal data of 31 heads of state and government to an organizer of soccer matches.

Already in the headlines for all the wrong reasons, the transport service provider Uber suffered one of the most recent, newsworthy examples when hackers stole the personal data belonging to around 57 million (!) customers. Although the case was known at the end of 2016 already, it did not reach the public eye until November 2017.

But not to worry, this kind of data disaster had already occurred before 2015, and of course in the period between the two examples as well. In some cases, we all get to know of what has happened when the daily newspapers print their headlines, but in other cases we will only learn of them in relevant specialist magazines and often with a considerable delay.

Why Encryption is Such a Vital Part of the GDPR

It is a) logical and b) actually irrelevant that a General Data Protection Regulation will be unable to prevent all conceivable data mishaps at the drop of a hat. Equally, it is true that there will never be one solution to satisfy all the requirements of the GDPR. However, I’d like to use this opportunity to highlight the issue of encryption and I certainly don’t mean unintentional, malevolent encryption (Ransomware!) that has made for increasingly frequent and apocalyptic headlines in the recent past.

What I mean is benevolent encryption that permits controlled data access. I can almost hear the critics’ voices and their interjections: “Encryption is too complicated, eats up too many resources and kills the performance of databases and applications”. It is without a doubt true that reasons such as these ones are often presented to postpone the implementation of an encryption solution or to shelve any plans entirely. Let’s not forget: only just over one third of all companies encrypt their own business documents.

On the other hand, however, the GDPR explicitly recommends the use of encryption, and doing so will exempt the companies from the obligation to provide immediate notification in the case of a data breach. 

As we read in Article 34 GDPR:

"Art. 34 GDPR Communication of a personal data breach to the data subject […] (3) The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; […]"

When is Hard Disk Encryption Sensible?

First, you should ask yourself a few fundamental questions: What happens if a device is lost or stolen? The widespread use of mobile devices in corporate settings is making hard disk encryption increasingly important. The operating systems on most devices have a proprietary encryption solution, for instance Microsoft BitLocker for Windows or Apple FileVault 2 for macOS. But you’ve probably encountered the situation in your own organization: Your colleague Joe only uses devices with a Windows operating system, while Mike has a clear preference for Mac. Things get more exciting if we consider that your colleague Mike also uses mobile devices and tablets that run on iOS and Android. Doubtless he’ll be keen to integrate and find sensible uses for each of these devices. This is why it is imperative to find an integral solution that provides central management of encryption and recovery functions for various platforms.

It is equally clear that however important hard disk encryption may be it will not fix all the problems on its own.

Yes, lost and stolen devices are protected.

No, hard disk encryption does not protect devices that are currently in use from targeted attacks, hacking, malware or human error. This urgently requires file encryption.

File Encryption: Which Data Needs to be Encrypted?

People tend to make things more complicated than they need to be. It goes without saying that an “encryption strategy” let loose may quickly reach an overwhelming degree of intricacy:

Which employee in which department is entitled to access which data, and how often? Which data need to be included in mandatory encryption? When might encryption be necessary in particular circumstances only? How do we define these requirements? Moreover, are there data that cannot yet be defined – as things stand – in terms of their encryption relevancy? What happens when all the rules that are used to classify data in terms of their encryption requirements fail, and precisely these data are breached? … There are many important questions.

Alternatively, organizations can take the easy approach and say: We will encrypt everything as a matter of course! After all, each of our data possesses the same importance and requires equal protection!

Further along the line, of course, it is necessary to ensure that the encryption solution is transparent – in regard to its en- and decryption, as well as to data access. And the best encryption is one that users will not even notice.

Sophos SafeGuard: The uncomplicated way to encrypt your data immediately after its creation

I want to point out the Sophos product SafeGuard as an example. SafeGuard was originally developed by Utimaco, a German IT security solutions vendor. Sophos took over Utimaco in the middle of 2008, and included SafeGuard in its portfolio.

Sophos SafeGuard encrypts content immediately after its creation. Encryption takes place without interruption and therefore does not disrupt normal workflows. Whether the file is encrypted on your colleague Mike’s Mac and then decrypted on Joe’s Windows device and whether data are exchanged inside the company or with externals – SafeGuard provides a handy and easily manageable solution.

  • Managed Security
  • GDPR, Encryption, Data Security, Data Management

Comment on this article

Leave a comment to let us know what you think about this topic!

Leave a comment


Dirk Frießnegg

Solution Advisor IT-Security

Endpoint security against modern threats such as Ransomware

Related Articles

  • 18 March 2022
  • Managed Security, Cybersecurity User Awareness, Cyber Threat Bulletin, Cybersecurity
  • Security, Cyber Security

IT Security and Kasperky

IT Security is a paramount consideration for all businesses. German Federal Office for Information Security (BSI) sent out a warning statement concerning Kaspersky software. If you have concerns or queries on how best to secure your IT…

  • 18 March 2021
  • Bala Sethunathan
  • Managed Security
  • Penetration Testing, Cyber Security

How to Prevent Cyber Attacks through Penetration Testing

Penetration testing imitates a cyberattack to help assess security measures - and new advances in automation are changing the game. Learn more.

What is the focus of your Java strategy?

Where is the Focus of Your Java Strategy?

Compliance, Security, Costs: The key elements of a solid Java licensing strategy.