GDPR Requires the Utmost Protection of PII/PHI...is Encryption Required? What Else Can We Do Since Encryption May Take Take Too Long Starting Now?

1. Is Encryption the ONLY
Key to
G.D.P.R.
Joe Orlando 1

2. OBJECTIVE: Secure the Data
Secure the Personal
Identifiable Information (PII)
& Personal Health
Information (PHI) to
Prevent Unauthorized
Access and, in the event of
unauthorized access …
the data they get is
unintelligible.

3. GDPR requires businesses to implement “technical and organizational
measures to provide appropriate protection to the personal data they
hold.”
GDPR expressly states that such measures include:
1. The pseudonymization and encryption of personal data
2. Measures to ensure resilience of systems and services
processing data
3. Measures that allow businesses to restore the availability
and access to the data in the event of a breach
4. Frequent testing of the effectiveness of the security
measures
12/18/2017 3

4. Of the 261 pages of GDPR, “encryption” appears
• "...implement measures to mitigate those
risks, such as encryption." (P51. (83))
• "...appropriate safeguards, which may
include encryption" (P121 (4.e))
• "...including inter alia as appropriate: (a) the
pseudonymisation and encryption of personal
data." (P160 (1a))
• "...unintelligible to any person who is not
authorised to access it, such as encryption"
(P163 (3a))
12/18/2017 4

5. Beyond a “suggestion…”
GDPR includes a definition of “pseudonymisation”. According
to Article 4 No. 5 GDPR, pseudonymisation:
• “means the processing of personal data in such a manner
that the personal data can no longer be attributed to a
specific data subject without the use of additional
information, provided that such additional information is
kept separately and is subject to technical and
organisational measures to ensure that the personal data
are not attributed to an identified or identifiable natural
person”.
• pseudonymisation shall, like encryption, be one of the
“appropriate safeguards” of Article 6 Par. 4 (e) GDPR.

6. GDPR Recital 83
(83) In order to maintain security and to prevent processing
in infringement of this Regulation, the controller or
processor should evaluate the risks inherent in the
processing and implement measures to mitigate those
risks, such as encryption.
Those measures should ensure an appropriate level of
security, including confidentiality, taking into account the
state of the art and the costs of implementation in relation
to the risks and the nature of the personal data to be
protected.

7. Article 6 Paragraph 4
According to the compatibility test of Article 6 Par. 4 GDPR, account
should be taken inter alia of the possible consequences of the intended
further processing for data subjects. Since anonymisation,
pseudonymisation and encryption are privacy preserving
technologies [106] , in most cases applying these tools on the data
subject’s personal data will be in their interest.
Personal Data and Encryption in the European General Data Protection Regulation
Prof. Dr. Gerald Spindler
Philipp Schmechel

8. • The European Data Protection Supervisor has
gone as far to say that the use of end-to-end
encryption should be encouraged and when
necessary, mandated, in accordance with the
principle of data protection by design.
• This support for encryption has also been
echoed by the EU Article 29 Working Party,
which has stated that it would welcome new
obligations to use algorithms and standards
that have proven to be secure, to respect the
confidentiality of encrypted communications
and to prohibit the decryption, reverse
engineering or other monitoring of those
communications protected by encryption.
Things to Consider…

9. Encryption = Pseudymisation
When encrypting personal data, in accordance with Article 4 No. 5 GDPR, the encryption
key is the “additional information” which is “kept separately” and “subject to technical
and organizational measures”.
Hence safety measures such as a secure key management and the respective encryption
method used by the controller have to be used “to ensure that the personal data are not
attributed to an identified or identifiable natural person”. Therefore, because of its
existing assignment rule encryption is an example of pseudonymisation.
Personal Data and Encryption in the European General Data Protection Regulation
Prof. Dr. Gerald Spindler
Philipp Schmechel

10. Regulatory “PASS” if Using Encryption
“…in case of a data breach, the
controller is not required to
communicate to the data
subject if he or she has
implemented encryption as a
technical and organisational
protection measure”
(Article 34 Par. 3 (a) GDPR).

11. Trending

12. TRENDING
According to Mozilla’s statistics, an
encryption milestone was met in early 2017
when the average volume of encrypted
traffic on the internet surpassed the
average volume of unencrypted traffic.

13. The legal obligations for
encryption of personal data in
Europe and Asia
Field Fisher Waterhouse
Is there a Focus on Encryption?

14. If PII is used in the test
environment, it is required to be
protected at the same level that it is
protected in the production
environment, which can add
significantly to the time and expense
of testing the system.
NIST
If you are simulating a live environment, how does the IT
department do that? The simple answer is that it grabs a
bunch of data (technically, a sample) from its production
database and runs that through the testing process. This
isn’t an issue if the application is concerned with stock
control but it is an issue if the application deals with
individuals, as in a consumer sales application or a
human resources application. In these cases, unless
you have formal consent from the people whose data
you are using, then simply sampling the production
system for test data is illegal: you are using the data
for purposes for which it was not provided and you
are making that information available to people not
authorized to see it.
Work Group 29
Things to Consider…

15. A major data point stands out in the 2017 DBIR report: the
percentage of hacking related breaches involving the misuse
of stolen or weak credentials has reached 81%, effectively
putting it front and center in terms of tactics being leveraged
by attackers. That is four out of five breaches. No other
attacker technique detailed by Verizon comes close to this
number. To add some perspective: last year Verizon reported
that 63% of breaches involved credential misuse. These
numbers only serve to solidify what experts in identity
security know to be true - credential misuse is an epidemic
and is rapidly getting worse. The technique is particularly
damaging to the finance and healthcare industries.
Things to Consider…

16. The likelihood of
data going OUT
from INSIDE is
greater than the
likelihood of data
being exfiltrated
from OUTSIDE
Things to Consider…

17. OPTIONS (Easy to Hardest) RISK to PII/ PHI EXPOSURE (High to Low)
SUBSET DATA COMING OUT OF PRODUCTION
ACCESS MANAGEMENT & MONITORING
FIELD PRESERVING DATA MASKING
DATA PSEUDONYMIZATION
FIELD/ROW/COLUMN
ENCRYPTION
FULL DISK
ENCRYPTION
Things to Consider…

18. Other Steps to Take…

19. There are options… where to start
 Subsetting Data used in Test/QA and Dev
 Data Minimization
 Pseudonymisation / Masking
 Rigid Roles Based Access Controls and Management
 Reduce Unauthorized Access to PII/PHI
 Automatic Logging and Monitoring of User Activities (Regular Testing)
 Lock Down Download and Mobile Media Ability
 Make “Data in Motion” and “At Rest” Unintelligible
 Format Preserving Encryption
 Field; Column; Row Encryption
 Encrypt Workstations (& Laptops) or
 Full Disk Encryption with Individual Workstation Keys
 Provide end to end encryption (in motion and at rest)
12/18/2017 19

20. Some First Steps…
 Reduce the number of Access Points (Minimize User and
Authorized Access)
 Segregate, As Much As Possible, the Production Users –
Testers - Developers and QA Users
 Ensure Secure Data Transmission
 Rigidly Restrict Access by Well Defined Role/Authorization
 Prevent Data Download to Portable Media
 Ensure Comprehensive Training on Handling PII/PHI as
Part of Employee Code of Ethics
 Reduce # of people who are “authorized to see” Sensitive
Data (PII/PHI)
12/18/2017 20

21. Some First Steps…
 Minimize; Pseudonymise; Mask Data as Much as
Viable
 Ensure Data Secured “At Rest” and “In Motion”
 Rigidly Restrict Access by Well Defined
Role/Authorization
 Implement End Point Security (DLP)
 Deliberately Reduce Potential Attack Surfaces
(Vulnerabilities) that Potentially Expose PII/PHI
 Administer Regular Test & Audits on Internal and 3rd
Party “Data Privacy by Design and Default”
Procedures, Policies and Protocols
12/18/2017 21

22. OPTIONS (not mutually exclusive)
Data At Rest
• Pseudonymisation and
Masking
• Rigid Roles Based
Access Controls and
Management
• Encrypt Workstations
(& Laptops) to Prevent
Download and Export
Data In Motion
• Safe or Encrypted
Transfer (SFTP
(connection); encrypt
the data)
• TLS Tunnel and/or ZIX
for mail transport
Data In Use
• Data Minimization
• Data Subsetting
• Rigid Roles Based
Access Controls and
Management
• Pseudonymisation and
Masking
• Format Preserving
Encryption
• Field; Column;
Row Encryption

23. Options: Specific Ideas
Data At Rest
• File Share
• BitLocker
• USB/Media Lock
down
• DLP Policies
• Restricted Access to
Db
Data In Motion
• CASB
• DLP
• Network Protocols
• ACLS
• VPN
• Firewall
Data In Use
• Rigid User Access
Rules and Regular
Reviews
• Proactive User
Lifecycle
Management
• Multi Factor
Authentication

24. Thank you,
any questions?...

25. Appendix