Compliance

GDPR

Encrypting with Evervault reduces your GDPR compliance scope.


Overview

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the EU's regulation on data protection and privacy for individuals within the European Union. It has applied across the European Union since 25 May 2018.

The GDPR is widely regarded as one of the toughest privacy regulations in the world, particularly given its fines for non-compliance (up to 4% of annual global turnover or €20m, whichever is higher) and its implications across nearly all aspects of business, inside and outside Europe. An organisation is in scope for GDPR if it is established in the EU, or if it offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the organisation itself is based (Article 3).

The GDPR splits in-scope parties into two main groups: Data Processors and Data Controllers, each with corresponding responsibilities.

  • Data Controller: The person or entity which determines the purposes and means of the processing of personal data.

  • Data Processor: The person or entity which processes personal data on behalf of a data controller.

GDPR defines 7 primary principles relating to the handling of personal data (Article 5). Although we will focus on number 6, which is one of the most challenging to implement, the other principles also require a robust company-wide programme in order to comply.

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Integrity and Confidentiality (Security)

This principle requires that personal data be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (Article 5(1)(f)).

To expand on this, let's explain what data comes under GDPR scope.

GDPR defines personal data broadly as any information relating to an identified or identifiable natural person (Article 4), and singles out a subset, special category data, for stricter treatment because of the risk its disclosure carries for the individual (Article 9). The lists below are illustrative, not exhaustive.

  • Personal Data
    • Name
    • Address
    • Date of Birth
    • Financial Information
    • Email Address
    • IP Address
  • Special Category Personal Data
    • Racial or Ethnic Origin
    • Political Opinions
    • Religious or Philosophical Beliefs
    • Trade Union Membership
    • Genetic Data and Biometric Data (biometric data where processed to uniquely identify a person)
    • Health Data
    • Sex Life and Sexual Orientation Data

Special Category Data should be protected with strong cryptography wherever it is stored or transmitted. GDPR does not mandate any particular technology, but Article 32 names encryption (alongside pseudonymisation) as an example of an appropriate technical and organisational measure, and Article 34 removes the duty to notify affected individuals of a breach where the affected data had been rendered unintelligible to whoever obtained it, for instance because it was encrypted. One caveat: encryption does not take data out of GDPR scope. Encrypted personal data is still personal data for any party that holds, or can obtain, the key, so the other six principles continue to apply to it.

Evervault Encryption can be applied to Special Category fields while still allowing them to be processed, with that processing confined to secure environments (Functions or Enclaves). Special Category Data can therefore be handled in a public cloud without the Cloud Service Provider, or a malicious individual, being able to read the sensitive plaintext.
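As an added illustration of the field-level approach described above, the Go program below is example code written for this page; it is not Evervault's SDK, nor the code that runs inside Functions or Enclaves. It uses AES-256-GCM from the Go standard library to encrypt only the Special Category fields of a record, leaving ordinary personal data in the clear, and binds each ciphertext to its field name as associated data so that a value cannot be moved from one field to another. The field names, the sample record and the locally generated key are constructed assumptions; key management (keeping the key away from the datastore, ideally in a KMS or HSM) is outside what the block shows.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Fields treated as Article 9 special category data (constructed for this
// example; in practice the list is driven by the application's data schema).
var specialCategory = map[string]bool{"health_condition": true, "religion": true}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptField seals one value with AES-GCM. The field name is the associated
// data, so the authentication tag covers the name as well as the value and a
// ciphertext cut from "religion" is rejected if later presented as "health_condition".
func encryptField(key []byte, field, plaintext string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return "enc:" + base64.StdEncoding.EncodeToString(sealed), nil
}

// decryptField fails closed: a wrong key, a modified ciphertext or a value moved
// between fields all surface as an authentication error from Open.
func decryptField(key []byte, field, value string) (string, error) {
	if !strings.HasPrefix(value, "enc:") {
		return "", fmt.Errorf("field %q is not encrypted", field)
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(value, "enc:"))
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n {
		return "", fmt.Errorf("field %q: ciphertext too short", field)
	}
	plaintext, err := aead.Open(nil, raw[:n], raw[n:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: %w", field, err)
	}
	return string(plaintext), nil
}

// EncryptRecord copies record, encrypting only the special category fields so
// ordinary personal data stays usable in the clear; DecryptRecord reverses it.
func EncryptRecord(key []byte, record map[string]string) (map[string]string, error) {
	return mapFields(key, record, encryptField)
}

func DecryptRecord(key []byte, record map[string]string) (map[string]string, error) {
	return mapFields(key, record, decryptField)
}

func mapFields(key []byte, record map[string]string,
	f func([]byte, string, string) (string, error)) (map[string]string, error) {
	out := make(map[string]string, len(record))
	for field, value := range record {
		if !specialCategory[field] {
			out[field] = value // not special category: left in the clear
			continue
		}
		v, err := f(key, field, value)
		if err != nil {
			return nil, err
		}
		out[field] = v
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // in practice from a KMS/HSM, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	enc, err := EncryptRecord(key, map[string]string{"name": "Jane Doe", "health_condition": "asthma"})
	fmt.Println(enc, err) // name in the clear, health_condition as enc:<base64>, err nil
}
```

The point of passing the field name as associated data is that an attacker who can rewrite the datastore cannot re-label one encrypted value as another; the decrypting side, which in the Evervault model would be the Function or Enclave, sees an authentication failure rather than a plausible but wrong plaintext.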