EU - GDPR
Encryption of personal data
Encryption of personal data is both a common and good technical security measure to take in order to protect personal data. A company may not only use encryption in connection with the storage of personal data, since it can be useful to use encryption when transferring personal data as well.
What encryption means
In short, encryption means that it converts readable data into a form of distorted text. Such distorted text can then only be decoded through a secret key that makes the text readable again. For example, the secret key may consist of a number combination created on the device the encryption is sent from, as well as on the device the encrypted message is sent to.
Encryption of personal data is a good technical measure to take
When a mathematical function together with an encryption key converts the data so that it becomes readable, it constitutes an encryption. In other words, the encrypted data is not readable if you only have the encryption key or function.
It is good if the company uses encryption as a technical security measure when the company sends personal data over open networks, such as the internet. An example of this is sending encrypted emails.
Salary specifications with sensitive personal data
It is common for payslips to contain information about the employee’s sick leave, which is an indication of health and thus a sensitive personal data according to GDPR. If the payslip contains information about sick leave, it is not allowed to email the payslip to employees, unless the message is encrypted. Before the GDPR came into force in 2018, it was common for employers to email such payslips unencrypted, but it’s no longer allowed because it’s not secure enough.
Companies should protect personal data from unauthorized access
A company must protect personal data from unauthorised access because it constitutes a personal data breach. Just because a company may process personal data, it does not mean that it is necessary for everyone at the company to have access to them. In such cases, it may be useful to use encryption keys, so that only those employees who will and have a need to access personal data, receive it.
Tips for Encrypting Personal Data
Needs analysis
By conducting a needs analysis, the company can find out, for example, which personal data and in which situations encryption is appropriate. It is also useful to analyze which form of encryption services are appropriate in the case, such as, for example, a cloud service.
Documentation
The company should document the entire analysis as it is a way to demonstrate that the company complies with the GDPR in accordance with the principle of accountability. This is especially important if the personal data is particularly worthy of protection, such as privacy-sensitive personal data.
Instructions
It is important that those who receive an encryption key also know how to use it, what they are allowed to do with the personal data, etc. Therefore, it is good to draw up written instructions to employees about encryption and encrypted data.
Security
Make sure the encryption service is secure enough by doing a proper research. It is good to use an encryption service that is widely recognized. In addition, it is important to protect the encryption keys so that no unauthorized person can access them.
End to end encryption
End-to-end encryption means that the personal data is transferred encrypted all the way to the recipient from the sender. This is particularly important when the personal data is classified as sensitive pursuant to Article 9 of the GDPR. However, it can be good to do even if it relates to privacy-sensitive personal data.
More information about GDPR
Network segmentation
One way to protect personal data from unauthorized access is through network segmentation. In other words, to divide computer networks into several sub-networks, so that only what is necessary is present in that segment. Simply put, this means that, for example, systems or servers that do not need to communicate with each other, do not.