The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) introduced a higher bar than ever before for data protection, across all industries. The GDPR applies to any company that comes into contact with any form of European personal data. Article 32 of the GDPR, covering the security of processing, recommends the use of encryption for personal data. In fact, encryption is increasingly recognized as the “get out of jail free card”, because GDPR does not require you to report a data breach if it involves data that was encrypted, giving companies a powerful incentive to rethink their company-wide encryption strategy.
But encryption comes in many forms with different pros and cons. Below we examine some options for GDPR encryption of data in transit (information that is being sent from one location to another).
For email, TLS is the simplest of all the GDPR encryption options. TLS protects the email as it is transmitted between two email servers. This protection is at the transport level, not at the message level (the channel between the servers is encrypted, not the individual messages). It is very simple to set up: in email systems such as Microsoft Exchange, it is generally as easy as checking the TLS encryption checkbox on the sending and receiving Exchange connectors. Within an organization this is very easy to enable. In a B2B scenario, the two organizations must cooperate to exchange TLS trust.
With TLS the message is encrypted and protected while in transit, but once the message arrives at the local email system it is no longer encrypted, so the information is subject to exposure and leakage within the organization. Likewise, when email is sent between two organizations that have not established a TLS trust, the content is sent unprotected and unencrypted. In summary, TLS is very simple, but generally does not provide a high level of compliance for GDPR encryption.
Another solution for GDPR encryption of email is S/MIME. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is an IETF standard defined in a number of documents. S/MIME provides both data confidentiality via encryption and non-repudiation of origin via digital signatures. Before S/MIME can be used, every user must obtain and install an individual key/certificate, either from an in-house certificate authority (CA) or from a public CA. S/MIME provides protection at the message level, so it is much more secure than TLS. With S/MIME, the message is encrypted on the sender’s desktop and decrypted on the recipient’s desktop.
S/MIME protects the message while it is in transit, while it is stored on the email server, and within the user’s email application (such as Microsoft Outlook). So between the sender and the recipient the message is very secure. But once the message is decrypted the protection does not persist. S/MIME has no concept of email permissions, so once the recipient has decrypted a message they can do anything they want with it, including printing it and forwarding it to others (without encryption).
Using S/MIME for GDPR encryption has one major disadvantage: it is very difficult to set up. Within an organization it requires the installation of a Certificate Authority, and everyone must have a certificate from that CA or S/MIME will not work. Because B2B or B2C scenarios would require authenticating and enrolling outside users in an organization’s CA, S/MIME is generally not useful in those scenarios.
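The S/MIME flow described above (enrol a recipient certificate, encrypt on the sender's side, decrypt on the recipient's side) as an added example using the openssl CLI; this is not code from the article. It assumes openssl is installed, and the recipient alice@example.com, the message text and the temporary directory are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the article): S/MIME message-level encryption with
# the openssl CLI. Assumes openssl is installed; alice@example.com, the
# message text and the temp directory are constructed for this demo.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The recipient obtains a key pair and certificate. In production this
#    comes from an in-house or public CA (the enrollment step the article
#    calls out as hard for outside users); a self-signed cert keeps the demo
#    offline.
gen_recipient_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=alice@example.com" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.crt" >/dev/null 2>&1
}

# 2. The sender encrypts the body to the recipient's public key. The output is
#    a MIME message whose body is CMS EnvelopedData, readable only by the
#    holder of alice.key, whatever mail servers it passes through.
smime_encrypt() {
  printf 'Customer record: Jane Doe, born 1980-01-01\n' > "$WORK/plain.txt"
  openssl smime -encrypt -binary -aes256 \
    -from sender@example.com -to alice@example.com \
    -subject "Q3 customer export" \
    -in "$WORK/plain.txt" -out "$WORK/encrypted.eml" "$WORK/alice.crt"
}

# 3. The recipient decrypts with her private key. From here on the article's
#    caveat applies: nothing stops printing or forwarding the plaintext.
smime_decrypt() {
  openssl smime -decrypt -in "$WORK/encrypted.eml" \
    -recip "$WORK/alice.crt" -inkey "$WORK/alice.key" -out "$WORK/decrypted.txt"
}

# Checks (exit status 0 = true). The Subject header sits outside the encrypted
# part, so personal data must be kept out of subject lines.
body_is_hidden()     { ! grep -q 'Jane Doe' "$WORK/encrypted.eml"; }
subject_is_visible() { grep -q '^Subject: Q3 customer export' "$WORK/encrypted.eml"; }
roundtrip_ok()       { grep -q 'Jane Doe' "$WORK/decrypted.txt"; }

gen_recipient_cert
smime_encrypt
smime_decrypt
```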
Digital Rights Management
Digital Rights Management is a form of encryption and access control that is embedded directly within the data itself. DRM takes GDPR encryption compliance to a new level by enforcing the persistent protection of both files and email. For example, even though a user may have rights to open a DRM-protected email, it does not follow that the email can be forwarded and read by others. With DRM, the protection is persistent: to open a file the recipient must have the proper permissions.
DRM takes S/MIME a step further in that it allows permissions to be assigned to protected content. The owner of the content can specify permissions such as Open, Edit, Forward, Reply, Print and Copy on the protected content.
DRM encryption can be enforced automatically based on data classification or DLP rules. For example, any time a piece of data is classified as “Confidential”, it could be encrypted automatically, without the user’s involvement, using permissions outlined in the enterprise’s “Confidential” data policy. This automatic configuration closely matches GDPR’s requirements for privacy by design and privacy by default.
With GDPR, data controllers will be required to implement appropriate measures to demonstrate that data processing is performed in accordance with the GDPR. Information Rights Management (IRM, the enterprise form of DRM) products make it easy to comply with this requirement, as most DRM products are able to track and report on the protection and use of data, even when it leaks outside the corporate perimeter.
Finally, one of the big advantages of Digital Rights Management is that it works well in the new cloud and mobile world, so you can be assured that your content is persistently protected even though it is outside the bounds of your firewall. Protection of the data when sharing with partners (B2B) and with customers (B2C) can also be enabled. Protection of data shared with customers in B2C in particular helps enforce the GDPR “right to be forgotten”, as IRM allows an organization to delete or revoke access to personal data as needed, even when data has been published and shared outside the organization.
Good luck in your search for a GDPR and CCPA encryption solution.