GDPR and Encryption

January 24, 2017 By Nicole Chesterman

With GDPR now formally passed into law, StratoKey has released a comprehensive GDPR compliance guide. This guide focuses on how organisations can utilise StratoKey to meet GDPR requirements when using cloud and SaaS applications.

The General Data Protection Regulation (GDPR – 2016/679) was approved by the European Parliament on 14 April 2016. With this approval, data protection regulations have been harmonised across all European Union (EU) member states. GDPR is the formal replacement for the EU Data Protection Directive (Directive 95/46/EC). GDPR comes into force on 25 May 2018.

With the passing of GDPR into law, the pressure is now on organisations to get their GDPR compliance in order. With this comes a raft of compliance obligations for organisations handling EU residents' personal data. GDPR's scope also extends to firms based outside the EU.


The purpose of GDPR

GDPR is designed to strengthen and unify protections for individuals' personal information across EU member states. GDPR specifically states "The protection of natural persons in relation to the processing of personal data is a fundamental right". With these stronger individual rights comes an increased obligation for organisations handling personal data to appropriately secure this data, or face penalties.

GDPR penalties

GDPR mandates financial penalties for the mishandling of personal data. Maximum fines of 20 million Euros or up to 4% of annual worldwide turnover (whichever is greater) can be applied for breaches of GDPR. In addition to financial penalties, organisations can be further sanctioned with bans on processing, suspension of data transfers, and even criminal penalties.

GDPR covers personal information that relates to a natural person. Recital 26 S. 1 GDPR states "The principles of data protection should apply to any information concerning an identified or identifiable natural person". Furthermore, Recital 34 S. 1 specifically describes the harm that processing of sensitive personal data can cause: "risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage".

Privacy by Design

One notable element of GDPR is the requirement for organisations to consider the Privacy by Design paradigm for systems architecture. This architecture takes a privacy-first (privacy by default) approach to the handling of personal data. Privacy by Design sets out 7 fundamental principles:

1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality – positive-sum, not zero-sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric

GDPR mentions encryption as an appropriate mechanism for protecting personal data. Under GDPR, appropriate encryption (encryption that renders the affected data unintelligible to any unauthorised party) has the specific benefit of removing the requirement to notify data subjects (individuals) in the event of a data breach.

For more information on GDPR and how StratoKey can assist your organisation in preparing for GDPR, download our GDPR Encryption Guide, found at http://www.stratokey.com/resources/gdpr-encryption