Encrypt everything to meet GDPR requirements

Johannesburg, 30 Oct 2018

One technology that could help organisations meet the stringent requirements of the new General Data Protection Regulation (GDPR) is encryption.

ITWeb GDPR Update 2018

Book your seat today to attend the inaugural ITWeb GDPR Update 2018 in Johannesburg, on 7 November. Experts from across SA businesses will be presenting in mini-workshop format during the one-day, multi-speaker conference. Also on offer is a half-day workshop, presented by Peter Hill, IT Governance Network, and a two-day training course, covering GDPR compliancy: dataflow management with regards to an integrated IT solution. To find out more, go to: http://v2.itweb.co.za/event/itweb/gdpr-update-2018/

In fact, the regulation identifies encryption as a key technology to reduce data security risks, calling for encryption to protect data and achieve pseudonymisation of personal data no less than 19 times, says Cas Liddle, senior sales engineer at Thales.

Liddle will be presenting on 'Utilising the benefits of encryption for GDPR', at ITWeb's GDPR Update 2018, to be held on 7 November at The Forum in Bryanston.

"While businesses are concerned about hackers and malware stealing data, they allow unprecedented levels of data access to system administrators, database administrators, developers and application users, with no concern they might purposely stealing the data, or inadvertently share it," he notes.

Pseudonymisation

Liddle says encryption and pseudonymisation could help solve the problem.

The GDPR defines pseudonymisation as "the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information."

With pseudonymisation, Liddle says personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

For example, system administrators do not need to read the contents of data files such as a purchase order, they only administer the systems that houses the data and grants access. The contents of a file could be encrypted so the system administrator can't see it.

Database administrators do not need to see data such as ID numbers in a database in order to administer said database. These sensitive fields could be encrypted.

Similarly, developers do not need to see real samples of the data in order to test the application they are developing, they only need to see a pseudonymised version of the data for application testing.

Natural defences

Data has no natural defences, it can't defend itself, says Liddle.

"Data relies on other security mechanisms to protect it. However, at some point, data is exposed even with these security mechanisms in place. All we can do is minimise the data's risk exposure by controlling who the data is exposed to as well as the time frame of the exposure and location.

"By having an 'encrypt everything' strategy, [you make sure that] the data, no matter where it resides or travels, is able to defend itself," he concludes.