Don’t worry, I’m not going to go too deep into the technical and operational side of what encryption is but I do want to point out that the GDPR requires you to use it.
Encryption in a nutshell
In the very early days, Julius Caesar used encryption. When sending secret notes he shifted each letter three places forward in the alphabet, and the receiver knew to shift each letter back three places to decrypt the message. Obviously, this is easily deciphered (there are only a handful of shifts to try), but thank goodness nowadays we have far more sophisticated ways of encrypting that are a lot more difficult to break. And since this is a nutshell, this is about as in-depth as I’m going to go in this blog.
What does the GDPR say about encrypting
The GDPR requires you to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the pseudonymization and encryption of personal data. The GDPR also says that when deciding on the appropriate measures you can take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Do you use Windows from Microsoft? Here’s what you need to know
If you’re a freelancer or an organization using a computer / laptop with Windows Pro, keep it up. If you’re still on Windows Home you’re not GDPR compliant. Beware!
When it comes to encryption on the Windows Home edition versus the Pro edition, here are two major features, available only on the Pro version, that you must have (at a minimum) for adequate protection of personal data:
- Bitlocker device encryption
If your device is lost or stolen, BitLocker and BitLocker To Go put everything on lockdown, so no one else can access your systems or data.
- Windows Information Protection (WIP)
WIP helps to protect against potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and personal devices that employees bring to work, without requiring changes to your environment or other apps.
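As an added example (not from the original post), here is a PowerShell check a freelancer or administrator can run to verify the BitLocker point above on their own machines. It assumes an elevated PowerShell session on Windows 10/11 and uses only the built-in BitLocker module; on a Home edition the cmdlets are simply absent, which the script reports.

```powershell
# Added example, not from the original post: report whether each volume on
# this device is actually protected by BitLocker. Assumes an elevated
# PowerShell session on Windows 10/11 with the built-in BitLocker module.

function Test-BitLockerBaseline {
    [CmdletBinding()]
    param()

    $edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    Write-Host "Windows edition: $edition"

    # The BitLocker management cmdlets ship with Pro/Enterprise/Education,
    # not with Home, so a missing cmdlet already tells you where you stand.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        Write-Warning "BitLocker cmdlets not available; this is typical for a Home edition."
        return $false
    }

    $compliant = $true
    foreach ($vol in Get-BitLockerVolume) {
        # A volume only counts as protected when encryption has finished AND
        # protection is switched on: a suspended volume still has a clear key.
        $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
              ($vol.ProtectionStatus -eq 'On')

        # Without an escrowed recovery password, a failed TPM or forgotten PIN
        # means the data is gone for you too, so flag it (without failing the check).
        $hasRecovery = [bool]($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $status = if ($ok) { 'OK' } else { 'NOT PROTECTED' }
        Write-Host ("{0,-6} {1,-14} {2,-20} {3,3}% method={4} recovery-key={5}" -f
            $vol.MountPoint, $status, $vol.VolumeStatus,
            $vol.EncryptionPercentage, $vol.EncryptionMethod, $hasRecovery)

        if (-not $ok) { $compliant = $false }
        if (-not $hasRecovery) {
            Write-Warning "$($vol.MountPoint) has no recovery password protector"
        }
    }
    return $compliant
}

if (Test-BitLockerBaseline) { 'Device encryption baseline met' }
else { 'Device encryption baseline NOT met' }
```

Run it after enabling BitLocker and again after any Windows feature upgrade, since a suspended or partially encrypted volume looks encrypted in the UI but offers no protection if the device is lost.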
Pricing in euros
Windows Home Edition: € 145 (including VAT)
Windows Pro Edition: € 259 (including VAT)
Upgrade. That’s the least you can do.
In the event of a data breach (see yesterday’s post) the Data Authority will always look at what appropriate measures you have taken to secure the data. Since the prices mentioned above are doable, you’ll need a very good excuse not to have the Pro edition. And even then I don’t think excuses will work. “I don’t have it in my budget” won’t fly, because if you’re running a business and you’re processing personal data you are legally required to protect that data.
Tomorrow’s blog: F is for Fines
In tomorrow’s blog I’ll talk about the fines and how they work. I’ll also talk about what criteria the Data Authority takes into account when deciding on fines and the amount of the fines. Not having appropriate measures in place is a major no-no. And we’ve all heard the stories about people who leave laptops and USB sticks lying around or forget them on the train. I bet they also never thought it would happen to them. But, as I’ll explain in more detail in tomorrow’s blog, not having adequate protection could also mean that you are not insured and therefore the fine must come out of your own pocket. If you don’t have it now? Don’t worry, you’ve got things to sell and a lifetime to pay it off…
Would you like to know more about appropriate technical and organizational measures? Do a Quick Scan!
CPRM offers GDPR Quick Scans and Risk Quick Scans to help you decide what measures you should have in place and make an inventory of what you have (to prove your accountability).
Would you like to learn more about all these topics? Sign up now for the 60 Day Privacy & Risk Challenge!