I’ve been involved in quite a few conversations over the past few weeks about how GDPR can be fixed “just by encrypting everything” and I’m always puzzled as to why people seem to think that the solution to GDPR is encryption because they couldn’t be further from the truth.
Encryption is certainly a very good tool, and it should be used wherever possible so that data remains inaccessible if a laptop is stolen or a hard drive goes missing or is not wiped or destroyed correctly. But GDPR is not about encryption; it is about a company’s right to hold and to process that data.
Let me use a scenario to explain. Let’s say that a customer exercises their right to be forgotten and all the company does is mark their record with a “do not contact” flag. Six months on, an unscrupulous employee sells that data to another company. You’ve got two GDPR violations right there: the first is ignoring the right to erasure (a tick in a box is not sufficient), and the second is the lack of auditing and controls that would have prevented what just happened. A large part of GDPR is not just identifying the data that you need to protect, but putting in place processes around that data to ensure that it is protected and that people are aware of their obligations under GDPR.
In another example, same scenario: a customer exercises the right to be forgotten and the company just ticks a box. Let’s say that two weeks later the server is corrupted and all data is lost. The company restores the data from a backup taken a month beforehand (because their backups aren’t very good) and carries on processing. That’s a GDPR violation, because the restore has undone the erasure. Once the data was restored, the records of the people who had exercised their right to be forgotten should have been removed again.
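As an added example (not code from the original post), here is one way to make the restore scenario above safe: erasure requests are actually deleted rather than flagged, logged in an append-only ledger kept outside the backup set, and re-applied automatically after any restore. The store, the ledger and the sample subjects are assumptions constructed for the illustration; the function also reports subjects whose erasure predates the backup yet are still present in it, which is the signature of a flag-only erasure.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ErasureRequest:
    subject_id: str
    requested_at: datetime


@dataclass
class Store:
    """Constructed in-memory stand-in for a customer database."""
    records: dict                                      # subject_id -> personal data
    erasure_log: list = field(default_factory=list)    # append-only, kept outside the backup set
    audit: list = field(default_factory=list)          # who/what/when trail for controls

    def erase(self, subject_id: str, when: datetime) -> None:
        """Delete the record outright (no 'do not contact' flag) and log the request."""
        self.records.pop(subject_id, None)
        self.erasure_log.append(ErasureRequest(subject_id, when))
        self.audit.append(("erase", subject_id, when.isoformat()))


def restore_from_backup(live: Store, backup_records: dict, backup_taken_at: datetime) -> dict:
    """Replace live records with the backup, then re-apply every logged erasure.

    Returns the re-erased subjects split by whether the request was made after
    the backup was taken (expected) or before it (the backup still held data
    that should already have been gone, i.e. the original erasure was a flag)."""
    live.records = dict(backup_records)
    after, before = [], []
    for req in live.erasure_log:
        if req.subject_id not in live.records:
            continue
        del live.records[req.subject_id]
        (after if req.requested_at > backup_taken_at else before).append(req.subject_id)
    live.audit.append(("restore", backup_taken_at.isoformat(), tuple(after), tuple(before)))
    return {"reapplied_after_backup": after, "still_in_backup_despite_earlier_request": before}
```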
In summary, encryption is a great tool and I encourage its use wholeheartedly, but it is not the solution to GDPR in its entirety; it needs a lot more than that.