The Stack Archive Feature

Why encryption is a critical step towards GDPR compliance

Wed 10 May 2017 | Joe Pindar


Joe Pindar, director of product strategy at Gemalto’s Chief Technology Office, discusses why encryption measures are growing in importance for today’s businesses…

Last year, the UK suffered more data breaches than any previous year. In 2016, 54,468,603 records were compromised – a 475% increase over the 9,478,730 compromised in 2015. These events have helped raise awareness of the potential risks to our data, and businesses are now realising how critical it is to implement effective security solutions.

Encryption is starting to gain particular prominence because of its ability to render breached data useless to anyone that is not authorised to access it.

When considering encryption, businesses must first understand what data they produce and which data is most valuable or sensitive, through conducting a data sweep. Only by understanding what data they have can businesses then seek to encrypt and protect it.

The key to businesses maintaining control over their encrypted data in an ever-more hybrid environment is thoroughly planning encryption key management strategies.


Encryption keys are what unlock secured data, and they provide fundamental control over who can access it – making companies, and more importantly customers, the custodians of their own data. The best approach is to store encryption keys in specially designed hardware, so that they cannot be stolen along with the data they protect. Otherwise, it is like fitting your house with the best security out there, and then leaving your key under the doormat for the burglar to find.

Assuming responsibility

Businesses are not just risking a financial hit if they do not implement and manage the protection of their data properly, but a reputational one too. Customers, more than ever before, are starting to understand the risks associated with sharing and hosting information online. It may not come as a big shock, but consumers believe the majority of responsibility lies with the business to protect their data and will blame them if something goes wrong. Companies need to take note of this, because if something does go wrong, customers are likely to go elsewhere.

With the upcoming General Data Protection Regulation (GDPR), the true cost of a breach is still to be felt across Europe as businesses are currently not forced to reveal when they have been breached. As such, they still mostly maintain customer loyalty. While businesses should know that it is a case of when, not if, a breach occurs, GDPR should serve as a wake-up call. To keep that loyalty, they must show they are actively working to protect their customer data using techniques like encryption.


Access management

Encryption itself is very effective, but if you do not protect the encryption keys that unlock it, then the encryption can easily be bypassed by unauthorised individuals. To protect against this, businesses should also focus on who is authorised to access valuable and sensitive data.

The best approach is to use two-factor authentication, which requires the employee both to possess something, such as a phone or access to an email address, and to supply a constantly changing code alongside their password, rather than relying on a single password that can be guessed. These types of security are readily available, but need to be more widely adopted by businesses.

Currently, there is limited incentive to prioritise security, and a lack of accountability for the business. Companies need to start taking security seriously and this means from the top down. GDPR is still to come into effect, but businesses need to start preparing now before it is too late and they are faced with a potential fine and damaged reputation.

Company boards should take a considered approach to security. It is not a question of the Chief Information Security Officer (CISO) saying no all the time, but rather of implementing security protocols early, so that security does not hold back innovation and the company adheres to the latest regulations.

Furthermore, by establishing a security mindset at the top of the company, it will filter down to the rest of the employees. Every business should know that its defence is only as secure as its weakest link.
