Don’t worry, I’m not going to go too deep into the technical and operational side of what encryption is but I do want to point out that the GDPR requires you to use it.
In the very early days, Julius Caesar used encryption. When sending secret notes he shifted each letter 3 places forward in the alphabet, and the receiver knew to shift each letter back 3 places to decrypt the message. Obviously, this was easily deciphered, but thank goodness nowadays we have far more sophisticated ways of encrypting that are a lot more difficult to break. And since this is a nutshell, this is about as in-depth as I’m going to go in this blog.
The GDPR requires you to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, the pseudonymization and encryption of personal data. The GDPR also says that when deciding on the appropriate measures you can take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
If you’re a freelancer or an organization using a computer or laptop with Windows Pro, keep it up. If you’re still on Windows Home, you’re not GDPR compliant. Beware!
When it comes to encryption on the Windows Home and Pro editions, there are two major features that are only available on the Pro version and that you must have (at a minimum) for adequate protection of personal data:
Windows Home Edition: € 145 (including VAT)
Windows Pro Edition: € 259 (including VAT)
In the event of a data breach (see yesterday’s post) the Data Authority will always look at what appropriate measures you have taken to secure the data. Since the prices mentioned above are doable, you’ll need a very good excuse not to have the Pro edition, and even then I don’t think an excuse will work. “I don’t have it in my budget” won’t fly, because if you’re running a business and you’re processing personal data you are legally required to protect that data.
In tomorrow’s blog I’ll talk about the fines and how they work. I’ll also talk about what criteria the Data Authority takes into account when deciding on fines and their amounts. Not having appropriate measures in place is a major no-no. We’ve all heard the stories about people who leave laptops and USB sticks lying around or forget them on the train. I bet they also never thought it would happen to them. But, as I’ll explain in more detail in tomorrow’s blog, not having adequate protection could also mean that you are not insured and therefore the fine must come out of your own pocket. Don’t have the money now? Don’t worry, you’ve got things to sell and a lifetime to pay it off…
CPRM offers GDPR Quick Scans and Risk Quick Scans to help you decide what measures you should have in place and make an inventory of what you have (to prove your accountability).