Encryption (1/2) - The role of encryption under GDPR: solving the confusion

by Ivana Butorac - Data Protection Expert
| minutes read

Encryption is a well-known and effective security measure applied by IT professionals all over the world to ensure that personal data is not subject to unauthorised access or disclosure. However, since the adoption of the EU General Data Protection Regulation (GDPR) in May 2018, encryption can also be perceived as a multi-layered legal concept that leverages data protection and privacy. Let us first solve some of the confusion surrounding this concept, before we consider its implications for your security strategy.

For GDPR to apply, it is necessary that it concerns personal data. This means the data needs to relate to a natural person and to directly or indirectly identify a person. To understand the relation between the GDPR and encryption, let's also take into account how encryption works. As a mathematical method, it transforms readable data (plaintext) into a set of unreadable characters (ciphertext), protecting that data from those who are unauthorised to access it. This evidently raises the question of whether encrypted data can be considered as personal data.

Encrypted data is personal data

It has been argued that encrypted data should be treated as anonymous data and, as such, excluded from GDPR, since it does not allow a person to be identified without the possession and use of a decryption key. Others have claimed that it would be personal data only to those who actually possess such a key, since they alone can see the information in its original – that is: readable - format. So, they alone are able to identify the person to whom the data relates to.

These mixed opinions have led to some debate in the legal world. But as this legal issue has also been resolved now, we can finally shed some light on the matter and confirm that encrypted data is also to be regarded as personal data. And that it is to be treated as such too. The reasoning behind that legal conclusion is that encrypted data, though masked, can still be reversed back to its original form and therefore lead to the identification of a person.

This criterion of identifiability, in a legal context, was developed by the Court of Justice of the EU (CJEU) in the Breyer case. The Court has stated that, if there is a possibility of an external or internal threat or vulnerability, to obtain a decryption key, decode the data and be able to even indirectly identify a person is sufficient for GDPR to apply. Consequently, your organisation must take into account that dealing with encrypted data puts it within the scope of GDPR.

Impact beyond security: from data protection to human rights

Encryption is primarily to be understood as a security measure. However, its impact goes way beyond security. It plays an important part, for instance, in the interconnection of security, privacy, and data protection, which it helps to drive. And given its functionality, it shouldn’t really come as a surprise that encryption itself has been recognised as a powerful data protection measure under GDPR.

There are diverse types of encryption, from symmetric to asymmetric, just as there is a wide variety of cryptographic applications. You can deploy encryption on your devices, networks, storage drives, or simply on your data itself. In other words: encryption allows you to control the authorised access to your data and keep that data protected from malicious attacks and other exploitations (such as espionage, surveillance, or unlawful interference of communication) while it is transmitted and processed as well as stored.

Encryption not only protects your IT systems and networks against activities that could compromise the confidentiality of your data or services, it also guarantees your fundamental human rights, such as the right to a private life and private communication. What’s more, by converting our data to an intelligible form, it protects other freedoms as well, such as the right to freedom of expression, information, and opinion. And it allows individuals to live in a safe environment, protected from political and religious persecution.

Combining technical and legal expertise

This is where combining a legal with a technical skillset becomes crucial to the success of your organisation in deploying encryption measures. As a business, to be able to guarantee the secure processing of your data, you will want an end-to-end integrator to design you a tailor-made solution. Above all, however, you will want that integrator to be fully committed to building you a trusted, safer, and more resilient cyberspace by combining technical and legal expertise.

 

Search

cloud

cybersecurity

data

Related content

Related contents

Cloud First Strategy: how Sopra Steria is supporting Veolia's digital transformation

The global leader in optimised resource management (water, energy, waste management, etc.), Veolia began its Digital Transformation in 2015, by modernising its workstations and digitisating its service offers.

Related contents

7 key strategies to transform applications with the Cloud

How to modernise an application efficiently using the Cloud?

Related contents

HoloCare is one of the #EUvsVirus Hackathon winners with its solution for a digital doctor-patient relationship

Sopra Steria is proud to announce that HoloCare won the #EUvsVirus Hackathon efficient remote working challenge. Read more.

More on this topic

Sustainable Digital: It is time for ICT to embrace environmental practices!

| Béatrice Rollet, Florent Brodziak, Håkon Eriksen Drange

If sustainability falls under Environmental, Social, and Governance (ESG) initiatives, Digital and IT organisations can actively contribute to the GHG emissions reduction tracked through the Scope 1, 2 and 3 emissions. 

Encryption (1/2) - The role of encryption under GDPR: solving the confusion

| Ivana Butorac

Encryption is a well-known and effective security measure applied by IT professionals all over the world to ensure that personal data is not subject to unauthorised access or disclosure. However, since the adoption of the EU General Data Protection Regulation (GDPR) in May 2018, encryption can also be perceived as a multi-layered legal concept that leverages data protection and privacy. 

Putting Ethics at the Heart of AI in Cyber

| Kevin Macnish

The application of Artificial Intelligence to Cybersecurity has become the next frontier of technology and capability development.  AI in Cyber will provide decisive advantage. However, this does not come without risks or concerns. 

Sopra Steria: a key company in innovative ecosystems

"In our open and connected world, no player can claim they have full control of the value chain including innovation. Innovations emerge every day from all digital players, whether they are large companies, start-ups, private and public research laboratories or competitive clusters.” Jean-Bernard Rampini, Executive Innovation & Corporate Venture at Sopra Steria

Supply Chain Management in Aerospace: maximising agility with AI-based risk monitoring

| Benoit Spolidor, Maxime Claisse

One of the main challenges of today’s Aerospace Supply Chain Practitioners is to manage their operations in such a complex and volatile environment. The Supply Chain purpose of fulfilling customer service promise while controlling costs within the overall industrial chain has become harder, in particular because Aerospace manufacturers are facing a lack of visibility in their supply and delivery processes.

How can Artificial Intelligence support the performances of Aerospace Supply Chain?

| Benoit Spolidor, Maxime Claisse

Artificial Intelligence is having a positive impact on almost every industry. It improves decision making processes, creating fast and consistent operations management. In the specific field of Aerospace, our conviction is that to be fully efficient, AI must be developed with dedicated characterics. Sopra Steria invests on these features for sustainable and large scale transformation by AI for Aerospace companies.

Remote experts help technicians on-site

| Torbjørn Meland

New technology helps maintain production and increase productivity at operating facilities by reducing the need to send technical experts between factories. By using HoloLens 2, Microsoft Teams, Intune and Dynamics 365 combined with a design-drive process, you can get a solution that gives on-site technicians support and help from remote experts.

AI lead Software Engineering: Sopra Steria Ecosystem Offerings

| Jérôme Perdriaud, Satish Srivastava

Apart from internally developed IP’s given in the previous edition we also have an ecosystem of mature market leading companies, start-ups as well as labs and universities to build competency in their offerings and use them to help our clients. Following are some of the offerings from the ecosystem.

AI led Software Engineering: Sopra Steria Offerings

| Jérôme Perdriaud, Satish Srivastava

Sopra Steria has been investing in AI led software engineering in order to help our clients not only reduce cost and gain efficiency but also empower their businesses by making the processes more responsive and scalable.

AI led Software Engineering Use cases: Application to Testing, Deployment & Operations

| Jérôme Perdriaud, Satish Srivastava

In the previous edition of the series, we have seen how AI transforms the software engineering lifecycle, specifically Management, Requirements, design and development phases. In this edition we will see how subsequent Testing, Deployment and Operations activities are affected by AI.

AI led Software Engineering Use Cases: Application to Development

| Jérôme Perdriaud, Satish Srivastava

In the previous edition of the series, we have seen how AI transforms the software engineering lifecycle, specifically Management, Requirements gathering, Design phases. In this edition we will see how software development activities are affected by AI.

AI led Software Engineering Use Cases: Application to Requirements & Design

| Jérôme Perdriaud, Satish Srivastava

In the previous edition of the series, we have seen how AI transforms the software engineering lifecycle, specifically Management phases. In this edition we will see how Requirement engineering is affected by AI.

Innovating in Pursuit of Climate Action and Environmental Sustainability

| Avinash Lunj, Siva Niranjan

From reducing carbon footprint to improving energy efficiency, the surge of sustainable business continues to increase in prominence. To attract new business, talent and investment, companies are required to demonstrate, that they are putting their climate change strategies into action.

Digital Innovation Factory (3/3): Which technical platform select and how operate it over the time?

| Béatrice Rollet, Simon Herd

As seen previously, digital experience and platform offerings call for a massive amount of software with frequent new services, and regularly updated and deleted new features. Long-established companies adopting an Enterprise Platform model must then own a new Digital Innovation Factory encompassing a Technical Platform.

Digital Innovation Factory (2/3): How to reshape your software development activities at the era of cloud-native application?

| Béatrice Rollet, Neil Anderson

60% of backend developers use containers in their work. Relying on cloud-native technologies, defining as modern applications packaged in containers, deployed as micro-services, running on elastic infrastructure, and managed through agile DevSecOps processes fits very well with large enterprise who very often encompass a wide variety of software technologies.

Digital Innovation Factory (1/3): The Enterprise Platform and the CIO at the age of the new normal

| Béatrice Rollet, Marlon Bromfield

Covid-19 pandemic has showed that the most digitalized companies, the digital-first companies, were the un-constable winner of this challenging period. Providing business activities through advanced digital experiences or platform offerings, these companies has kept their customers and partners engaged and happy in this challenging period.

AI led Software Engineering Use Cases: Application to Project Management activities

| Jérôme Perdriaud, Satish Srivastava

Using various AI techniques such as machine learning, deep learning, natural language processing (NLP), information visualization etc it is possible to guide the software engineering professionals with AI enabled decision making and automations. 

AI led Software Engineering

| Jérôme Perdriaud, Satish Srivastava

CIOs are expected to partner business, and at times leads, the delivery of digital transformation. The existing IT landscape of a company needs to be rationalized and modernized to be able to achieve the expected business velocity.

How to protect IT systems into the Cloud?

| Pierrick Conord

The World Economic Forum ranks cybersecurity threats as one of the major risks to our geopolitical organisation. As the risks increase year on year, it is becoming urgent to guarantee the protection of sensitive data, from proprietary network infrastructures to Cloud access providers.

Conversational Assistants: go to scale

| Patrick Meyer

74% of French companies consider chatbots as a lever for digital transformation and more than a third have already deployed one. By 2020, 80% of them could use a chat assistant. A massive deployment that echoes consumer habits: 69% prefer the bot to a human exchange.

How can you use your IT assets to achieve digital transformation?

| Andre Bakland, Simon Herd, Béatrice Rollet

According to Gartner, for every dollar invested in digitalisation in 2020, three dollars will have to be invested in the modernisation of IT assets. Therefore, opting for the right evolution strategy becomes a crucial issue. Read more.

How Data Science can help in a pandemic situation?

| Marlon Cárdenas

With the aim of covering current and future needs of society, Data Science and Artificial Intelligence are seeking to drive the creation of technological solutions that benefit users in their daily lives. Many disciplines are uniting behind this cause, with health sciences to the fore, especially given the current context of the battle against the Covid-19 pandemic.

How holographic technology is helping doctors deliver better care

| Scott Leaman

Long gone are the days when holograms were the stuff of sci-fi movies and video games. Holographic technology is taking the medical world by storm, and by the looks of it, it’s here to stay. So how exactly is this technology helping doctors, and what are the major developments that we expect in the near future?

How will artificial intelligence transform industry?

| Maxime Claisse, Alexis Girin, Benoit Spolidor

Whilst there is no set definition of artificial intelligence as of yet, experts are in agreement that AI can simulate human cognitive capabilities such as perception, reasoning, action, and learning. AI now promises to completely transform the industrial sector – one of its primary applications.

International Paris Air Show: 5 trends to transform aeronautic

| Youssoupha Diop

The 53rd International Paris Air Show 2019 has confirmed the mounting fierce competition in the world of aeronautics. In this context, data, digital tools and artificial intelligence are now understood to be precious bargaining chips to accelerate transformation and turn these challenges into opportunities.

Anticipate cloud migration with FinOps

| Marlène Seif, Béatrice Rollet

Innovative and fast cloud services are crucial to digital transformation initiatives. Whilst there is no textbook model on how to adopt these services, it is nonetheless vital for companies to integrate them as fully optimised services in order to control their ROI.

From product to services: Flying the Aeronautics Industry into the Digital Future

| Philippe Armandon, Gaudérique Garrigue

With increasing travel demand and new competitors entering the market, aircraft manufacturers today are under considerable pressure.

How to control and optimise your cloud costs

| Didier Teixeira, Béatrice Rollet, Frédéric Janicot

Using public cloud services means rethinking your IT financial management. 

ASD S5000F: taking Aircraft MRO to new heights?

| Cyrille Greffe

In the 1990s, the combination of computer-aided design (CAD) and the concept of modular documentation gave rise to the first ASD standards (AeroSpace and Defence Industries Association of Europe).

Application replatforming: the Cloud migration booster

| Benjamin Chossat

Simple set-up, low cost and access to the horizontal elasticity of the Cloud: replatforming is often considered the best solution for porting a business application to the Cloud.

7 key strategies to transform applications with the Cloud

| Benjamin Chossat

How to modernise an application efficiently using the Cloud?

Innovating in pursuit of environmental sustainability

| Siva Niranjan

To attract new business, talent and investment, companies have had to demonstrate their environmental credentials more and more over the past years to wide range of stakeholders including institutional investors, regulators, clients, and employees.

Urban Air Mobility: will the future of mobility be in the air?

| David Elmalem, Sébastien Lautier

While the dream of the flying car has often been reserved for science fiction, a very practical and real future is gradually emerging for urban air mobility.

Guidance is the key for adapting DevOps to big business

| Gauthier Deschamps

DevOps is revolutionising agile transformation for big business. The method was initially focussed on software building but by automating production, it frees up resources so as to better resolve organisational and human malfunctions.

How Blockchain technology can improve Industry 4.0’s cybersecurity

Earlier this year, the world’s largest container shipping company Maersk fell victim to a massive ransomware attack from the infamous NotPetya malware.