Last updated: 22 August 2017
Last week we covered GDPR’s ‘Right to Be Forgotten’ – a subject that has been grabbing a lot of the GDPR-related headlines lately. Perhaps overshadowed, however, have been GDPR’s core data requirements, which focus on data control. These control requirements appear across a number of the mandate’s articles, but Article 5, entitled “Principles relating to processing of personal data”, contains the bulk of them. Edited to include only the relevant sub-points, Article 5 states:
“1. Personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”
Let’s translate this into plain language and break it down point by point to see what’s at stake. In essence, Article 5 says data:
(b) can only be processed for the reasons it was collected.
(d) must be accurate and kept up to date, or else be erased
(e) must be stored such that a subject is identifiable no longer than necessary
(f) must be processed securely.
Each of these requirements presents its own challenges. So how does an organization concerned about the privacy of its data meet all of them simultaneously?
Encryption and key management, which by design attach security directly to the data itself, give organizations the level of data control that GDPR asks for. Ultimately, with encryption, only key holders are capable of accessing data; the manner – both technical and organizational – in which organizations restrict access to encryption keys will determine who can access cleartext data. Many encryption solutions include policy-based access controls that layer on top of standard encryption and key-management functionality to restrict key access, and consequently data access, more finely according to roles, responsibilities and/or context. Such controls could, for example, make sensitive information such as social security numbers available only at certain times of the day to specific applications, using a defined set of rules and credentials. Such an approach minimizes the time that subject information is exposed in clear text, in line with subsection (e) (that it must be stored such that a subject is identifiable no longer than necessary). When it is a question of securing the data during processing, format-preserving encryption solutions can keep data protected while in use by the application without ever exposing the subject’s identity, satisfying subsection (f) (that it must be processed securely).
With this basic understanding in mind, the general GDPR picture becomes clearer. Encryption allows organizations to decide who or what accesses data, when they access it, and how. The byproduct of deciding the who, what, when, where and why is clear, transparent oversight of the data, which in turn is how administrators assure its integrity. Restricting data access ensures that the only modifications made to data are authorized ones. By controlling access to the key and monitoring its use, organizations know about all changes to the data and, more importantly, have a verifiable record for regulators. Emerging trends suggest that instead of simply stealing data, hackers are now surreptitiously altering it and profiting from the disruption that causes. Why steal data when one can manipulate a company and then profit by trading legally on the stock market? Encryption prevents such covert manipulation, preserving data integrity in compliance with subsection (d) (that it must be accurate and kept up to date, or else be erased).
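The integrity claim above holds when the encryption mode also authenticates the stored bytes. As an added example (not code from the original post or from any particular product), the Go program below uses the standard library’s AES-GCM to seal a record and then shows that any alteration of the stored blob, whether accidental damage or an unauthorized modification, is rejected on decryption instead of silently yielding changed plaintext. The names NewAEAD, Seal, Open and TamperDetected are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// NewAEAD wraps a 16-, 24- or 32-byte AES key in AES-GCM, an authenticated mode
// that protects integrity as well as confidentiality.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record and returns nonce || ciphertext || tag, so the
// authentication tag is stored with the data it protects.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a Seal blob. Any change to the stored bytes, accidental or
// unauthorised, fails the tag check and no plaintext is released.
func Open(gcm cipher.AEAD, blob []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// TamperDetected seals record, alters one byte of the stored blob (a constructed
// corruption standing in for damage in storage) and reports whether Open rejected it.
func TamperDetected(gcm cipher.AEAD, record string) (bool, error) {
	blob, err := Seal(gcm, []byte(record))
	if err != nil {
		return false, err
	}
	blob[len(blob)-1] ^= 0x01
	_, err = Open(gcm, blob)
	return err != nil, nil
}
```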
GDPR goes on to mandate in Article 32, section 4 that “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
Whereas Article 5 outlines larger control principles, Article 32 gets into the types of relationships that organizations deal with in their day-to-day operations. For many organizations, data transfers are a regular part of business; those transfers can vary widely, from internal collaboration across units to external partnerships with suppliers. In such instances, how can an organization ensure that data transfer recipients – or even administrators responsible for core operations – only process data when permissible? Here encryption and key management save the day again. Administrators can simply provide the encryption key, along with clear instructions, when data processing should begin. Until that point, data processors – whether internal or external to the organization – won’t be able to proceed in using the data.
Alternatively, administrators could tie instructions to access control policies. Once instructions have been given to the data processor, administrators can change the policy tied to a data set or a key so that the processor can proceed with its operations. For example, an organization could set a policy defining a date, time and/or authorized user to assure that a partner processes its data only when instructed to do so.
The approaches here are flexible and can be chosen based on whether the organization wants to grant the key outright or only temporary access to it. These straightforward methods work across the board and apply wherever the data is located, satisfying both Article 32 and Article 5(b) (that data only be processed for the reasons it was collected).
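The policy-tied key release described in the last three paragraphs, as an added example in Go that is not from the original post or from any specific key-management product: a KeyServer releases a key only when a policy names the requesting principal, the purpose for which the data was collected, and a time window (so access can be temporary), and it records every grant and denial as the verifiable record discussed earlier. KeyPolicy, AuditEvent, KeyServer and Release are this example’s own names, and the time window stands in for the controller’s instruction to begin processing.

```go
package main

import (
	"errors"
	"time"
)

// KeyPolicy is a controller's instruction: this principal (an application or
// user identity) may receive this key for this purpose during this window.
type KeyPolicy struct {
	KeyID, Principal, Purpose string
	NotBefore, NotAfter       time.Time
}

// AuditEvent is one entry in the verifiable record of key use.
type AuditEvent struct {
	When                      time.Time
	KeyID, Principal, Purpose string
	Granted                   bool
	Reason                    string
}

// KeyServer holds keys and policies and logs every release decision.
type KeyServer struct {
	Keys     map[string][]byte
	Policies []KeyPolicy
	Audit    []AuditEvent
}

// Release hands out a key only when a policy names this principal, purpose and
// key and the request time lies inside the policy window; denials are logged too.
func (s *KeyServer) Release(now time.Time, keyID, principal, purpose string) ([]byte, error) {
	reason := "no policy for this principal, purpose and key"
	for _, p := range s.Policies {
		if p.KeyID != keyID || p.Principal != principal || p.Purpose != purpose {
			continue
		}
		if now.Before(p.NotBefore) || !now.Before(p.NotAfter) {
			reason = "outside policy window"
			continue
		}
		if key, ok := s.Keys[keyID]; ok {
			s.Audit = append(s.Audit, AuditEvent{now, keyID, principal, purpose, true, "granted"})
			return key, nil
		}
		reason = "unknown key"
	}
	s.Audit = append(s.Audit, AuditEvent{now, keyID, principal, purpose, false, reason})
	return nil, errors.New(reason)
}
```

Granting the key outright corresponds to a policy with an open-ended NotAfter; temporary access is a bounded window, and revoking or extending an instruction is a change to the Policies slice rather than to the data.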
Clear, verifiable data control is the common theme across all of these requirements. Encryption’s beauty is the simplicity of its approach: security attaches directly to the data itself. It doesn’t matter if that data is backed up to the cloud or replicated to another data center; only the appropriate key holder will be able to access it. It doesn’t matter if hackers bypass network perimeters or if administrators with privileged rights access sensitive systems; encryption can keep data safe. It makes sense: if an organization is to protect the privacy of its data across an ever-expanding global footprint while hacks and breaches are publicized daily, then it needs to be in control of that data no matter the circumstances. That’s it for this week. Next week we’ll explore GDPR’s breach notification obligations and what you can do to protect yourself and your customers from breaches, fines and the public embarrassment that often accompanies them.
Need to learn more about GDPR Compliance? Check out The General Data Protection Regulation ebook.