Huge amounts of data are affected by data theft and unwanted disclosures every year. Cyber criminals usually target all types of data. Therefore, data must be protected against unauthorized access according to your protection needs, e.g. by encryption, because encryption not only protects against financial damage and deterioration of reputation, but is also provided for by Article 32 of the GDPR.

Learn what you need to know about privacy-compliant encryption here.

Encryption according to Art. 32 GDPR

Article 32 of the GDPR requires data controllers to protect personal data in an appropriate manner. For this purpose, "appropriate technical and organizational measures" (TOMs) are to be taken "to ensure a level of protection appropriate to the risk". In judging whether a measure is appropriate, factors such as the state of the art and the costs of implementation are taken into account. In addition, the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk, all play a role.

As an appropriate technical and organizational measure, Art. 32(1)(a) GDPR explicitly names encryption. Encryption protects stored information so that an unauthorized person who gains access to it cannot read it. The aim is that, even if all other protective measures fail, an attacker at least cannot make use of the data they have captured.

GDPR fines

If a data breach occurs in which the affected data is not encrypted, the incident is not only subject to mandatory notification but can also result in high fines. This damages the company's finances on the one hand and its public reputation and customer image on the other.

Tips for data protection in practice

Systems that are regularly located outside the company (for example, employee laptops for home offices or devices for field service) are particularly at risk of third-party access. Good data protection also takes employees and their human errors into account. It is important that employees are trained accordingly, that the protective measures are easy for everyone to implement, and that they still provide an appropriate level of security. All security systems, not only the encryption, should be regularly checked and maintained.

From an organizational perspective, it is important to consider which assets are allowed to leave the company at all and which assets may be accessed remotely, for example. The IT "crown jewels", as the most important asset category, usually may neither leave the company nor be made available remotely.

There are both hardware and software solutions for the encryption itself. Particular attention should be paid to secure key management. These solutions do not have to be expensive or complicated: Windows, for example, already offers an easy-to-use solution in the form of BitLocker. When you browse the Internet or retrieve e-mail, the transfer is usually already protected by transport encryption (TLS); this normally happens automatically, and if it does not, programs such as browsers display a warning about the insecure data transfer.
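To make the "easy-to-use" BitLocker point concrete, here is an added check script that is not from the original article: it inventories the BitLocker state of a Windows host and flags fixed volumes that are unprotected, still encrypting, or that lack a recovery-password protector (a common key-management gap). It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`) is present and that it runs in an elevated session; the function name `Get-BitLockerFindings` and the output fields are this example's own choices.

```powershell
# Added example (not from the original article): report BitLocker coverage and
# key-management gaps on a Windows host. Assumes the BitLocker module providing
# Get-BitLockerVolume is available and the session is elevated.

function Get-BitLockerFindings {
    [CmdletBinding()]
    param()

    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        # Fixed OS and data drives are what matters for the lost-laptop scenario;
        # removable media would need its own policy and is skipped here.
        if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

        # A RecoveryPassword protector is what gets escrowed (AD/Entra/MDM);
        # without it, a forgotten PIN or TPM change means permanent data loss.
        $recoveryCount = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count

        $finding = [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            VolumeType        = $vol.VolumeType
            ProtectionStatus  = $vol.ProtectionStatus      # On / Off
            EncryptionMethod  = $vol.EncryptionMethod
            PercentEncrypted  = $vol.EncryptionPercentage
            RecoveryKeyStored = ($recoveryCount -gt 0)
            Issue             = $null
        }

        if ($vol.ProtectionStatus -ne 'On') {
            $finding.Issue = 'Protection off: volume is readable if the device is lost or stolen.'
        } elseif ($vol.EncryptionPercentage -lt 100) {
            $finding.Issue = 'Encryption still in progress; parts of the volume remain in plaintext.'
        } elseif ($recoveryCount -eq 0) {
            $finding.Issue = 'No recovery password protector: recovery key cannot have been escrowed.'
        }

        $findings += $finding
    }
    return $findings
}

# Usage: run elevated, then review every row that carries an Issue.
Get-BitLockerFindings | Where-Object { $_.Issue } | Format-Table -AutoSize
```

Running this across a fleet (for example through a management agent or scheduled task) gives the regular check the article calls for: the output shows at a glance which devices would turn a lost laptop into a reportable breach.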

A good crypto concept should not be missing from any data protection implementation or data protection management system.

If you need advice on data protection measures or help with their implementation, our team of experts will be happy to assist you.
