The EU GDPR makes data encryption and decryption two sides of the same coin in terms of data privacy rights.

The EU General Data Protection Regulation (GDPR) brings together two requirements for data privacy technologies that appear to be antithetical. On the one hand, the regulation requires businesses to protect personal data during its data processing activities, introducing end-to-end encryption as a viable method to achieve such protection, while on the other, it requires businesses to access personal data that may be encrypted, in order to comply with ‘Subject Access Requests’. A number of technical approaches can be used to address these equally important, and seemingly opposing, requirements under the GDPR.

The GDPR has introduced the ‘Subject Access Request’, which extends the privacy rights of EU citizens. Specifically, Article 15 of the EU GDPR provides that EU citizens (the ‘data subject’) have the right to receive confirmation that the organisation is processing their personal data, as well as the right to receive a copy of such data. Individuals have also the right to obtain a variety of supplementary information.

Article 32 of the GDPR provides that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. The regulation considers encryption as one of the core techniques to protect personal data processing in enterprise. Encryption is a cryptographic method in which data is turned into an encoded and unintelligible version, using encryption algorithms and an encryption key. A decryption key or code enables others to decode it again.

End-to-end encryption has been considered by technologists as the means to protect data privacy of individuals and it has been central to the debate about data privacy and civil liberties. The GDPR introduces a new perspective, as it considers the ‘Subject Access Request’ an important addition to the data privacy rights of EU citizens. As a result, the GDPR now places an added requirement on businesses that have decided to adopt end-to-end encryption methods to protect personal data: that of being able to decrypt such data in case of a ‘Subject Access Request’. This is a fundamental change introduced by the EU GDPR that requires highlighting.

The technical challenge introduced by this regulation is best understood by looking at the example of messaging applications many of us currently use in our day-to-day business communication.  Many of the messaging applications we currently use for business communication come with end-to-end encryption. But, most of these applications are built in such a way that businesses cannot decrypt the data being processed by such technologies. This includes personal data that may be subject to the ‘Subject Access Request’, and therefore placing a requirement on the business to decrypt such data to provide them to the EU citizen in question.

This means that when a business is choosing an enterprise messaging application, it should consider those offering end-to-end encryption to ensure a strong level of security when undertaking personal data processing. At the same time, a business should consider messaging apps built specifically for enterprise, which allow the enterprise to decrypt the relevant personal data in case of a ‘Subject Access Request’. We are now starting to see a number of enterprise messaging applications on the market that can address and resolve these opposing technical requirements.

Some solutions take an approach of mobile device management (or MDM), where a business can remotely access an employee’s device. This allows for the most control, but also brings about a number of issues when considering the chain-of-custody of any evidence in legal disputes, or when applied to the growing trend of Bring-Your-Own-Device (BYOD), in which employees may be reluctant to give their employer such a wide-ranging access to their non-business information that may be processed by the same messaging application.

Another approach is one of key escrow, storing all the encryption and decryption keys used in business communication on the cloud, or on a dedicated machine managed by the business’ IT department. This solution is highly flexible, as it can be applied to almost any existing data processing system. But it also exposes the business to risk, as the mechanism for accessing the keys is not always clear.

Other enterprise messaging applications take the approach of a Key Management Server (KMS), where the keys are issued to users by an infrastructure managed by the business’ IT department. This ensures that the ability to decrypt content remains private to the individuals communicating. However, in exceptional cases (such as a ‘Subject Access Request’), it also allows the business to derive a valid decryption key from the Key Management Server. This approach appears to be the most promising, as far as addressing this requirement, and is now a rapidly growing market.

Whatever approach is taken to solve encryption and decryption requirements, it is important to remember that these ‘enterprise grade’ solutions are designed to address specific enterprise requirements, where businesses may need to be able to decrypt data in specific circumstances to comply with various regulatory frameworks. There are other ‘consumer grade’ messaging applications that are suitable for personal communication and built to meet data privacy requirements of individuals using these applications for personal communication.

 By Elisabetta Zaccaria, Chairman, Secure Chorus