GDPR Encryption

Guest user Created:   Dec 23, 2017 Last commented:   Dec 23, 2017

Does GDPR require the use of encryption for protecting/securing personal data? Aside from encryption, pseudonymization, and anonymization, are there other “acceptable” mechanisms for securing the data that’s GDPR-compliant?
Expert
Andrei Hanganu Dec 23, 2017

Answer:

The EU GDPR is quite broad when it comes to security of processing. It uses terms like “appropriate” or “adequate” to refer to the safeguards that must be in place to protect personal data. The reason behind this is that pieces of legislation are usually meant to be in force for a long period of time and remain unchanged as much as possible to ensure a stable legal environment. Referring to specific security measures would mean that the GDPR should undergo permanent changes and put unnecessary burden on the entities which must comply with it. Thus, the lawmaker actually leaves the controllers and processors to choose what security measures should be in place and only refers to “pseudonymisation” and “encryption” as examples (Art. 32(1)(a) EU GDPR).

To put it bluntly, as long as they are lawful, any security measures can be used to protect personal data; what matters is that you are able to ensure “confidentiality, integrity, availability and resilience”.

In our EU GDPR implementation toolkit https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/ there is a dedicated folder (8. Security of Personal Data) which contains various policies and procedures that you might find useful.

You may as well turn to ISO 27001 which is a very good framework for data security, and check out our article “Does ISO 27001 implementation satisfy EU GDPR requirements?” that you may find at https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
