GDPR and Encryption
When it comes to any Personally Identifiable Information (PII) that you hold, the GDPR requires you to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. This is known as the ‘security principle’.
The risk we are talking about here is data breach and GDPR has a specific #CDR solution in mind: “the pseudonymisation and encryption of personal data”. The legislation recommends pseudonymisation and encryption as examples of appropriate security measures to safeguard PII in case of accidental of unlawful loss, unauthorised disclosure or access to PII within your remit.
The ICO’s Guide to the GDPR addresses practical applications of the security principle as it relates to encryption (among other things) at length here. The bottom line is that in this area, like others, the GDPR proposes a risk-based approach. Having said this, if you don’t opt to encrypt your PII you will need to demonstrate that you are using alternative means to appropriately protect your PII at rest (data storage such as in a database) and in motion (data transport like an email or form)…and we can’t think of any.
What about the ePrivacy Regulation?
To further tip the scales, the draft ePrivacy Regulation comes down in favour of encryption too, stating that:
“in order to safeguard the security and integrity of networks and services, the use of end-to-end encryption should be promoted and, where necessary, be mandatory in accordance with the principles of security and privacy by design.”
Breach notification and encryption
Finally, the GDPR WP29 guidelines lighten the data breach notification requirements where PII has been encrypted, as long as back-ups exist for the PII in question and:
“the confidentiality of the key is intact – i.e., the key was not compromised in any security breach, and was generated so that it cannot be ascertained by available technical means by any person who is not authorised to access it”. This makes life a lot easier for businesses where data breaches occur, avoiding public uproar and lost consumer trust following the very public ‘mea culpa’ to the regulator and data subject otherwise required.
So - what is encryption?
Encryption turns data into an encoded version, using encryption algorithms and an encryption key. This data is then decoded via a decryption key or code. Without this key, it should be impossible to read data even if you can access it.
From version 8.2 onwards, Sitecore has anonymised and hashed IP addresses. Sitecore has upped the ante with version 9 which supports the use of strong security measures to protect PII throughout the product lifecycle. This includes encryption of data at rest and in motion. Sitecore’s development process includes an exercise in identifying potential PII data so that all the hard work is done for you and data can be automatically encrypted allowing for immediate data privacy compliance on the encryption front.
At Nemetos Tanasuk we can identify and build the most viable encryption solution for your business, whatever system you are currently running, by exploiting the best of the patches and updates out there. Encryption instantly professionalises your data handling practices, enhancing the quality of your brand.
This brings us to our next subject: forms.
Obviously forms are PII heavy and a personal data disaster waiting to happen if we think about a data breach-type situation and applying the security principle. Assuming you have encrypted data in motion though, we could help you mitigate against this risk.
As part of your data mapping exercise, we can help you to identify the forms that are not strictly necessary to your business and take these down. You’d be well advised to turn off saving drafts of forms at the same time. Sitecore allows you to disable saving unsubmitted forms so you would be on the road to data privacy compliance if you have already encrypted data in motion. A security certificate, Https://, is a step towards encrypting data entered into a site form. The last step would be for us to add a user-friendly consent for data subjects to each form, recording the date and time of consent in an easily accessibly manner. We can build these consents to sync with your existing forms and databases.
As a longer-term one-stop solution to the many sources of PII collected by multiple forms in different places, in our last blog we spoke about integrating your website and CRM. Integration allows new viewers to register in the CRM directly and simultaneously give their consent to you to process their PII. This sort of customised solution would nullify the need for forms altogether, creating efficiency by helping you cut your processing costs as well as being ahead of the curve when it comes to Corporate Data Responsibility and GDPR compliance.
Looking at encryption and forms are just two simple ways that we at Nemetos Tanasuk are implementing PII responsible practices for our clients – whatever systems they are currently running – in the countdown to GDPR. We would love to discuss your data handling practices with you and show you a few simple strategies for your business to instantly refresh and streamline your PII processes. Do not hesitate to contact us for more information.
- 1. Corporate Data Responsibility
- 2. Personalisation and Personally Identifiable Information (PII)
- 3. How to avoid a #DeleteFacebook debacle: CDR surfacing solutions
- 4. Responsible PII Practices
#PIIResponsiblePractices #GDPRCountdown #CorporateDataResponsibility