Questions and Answers
I am a Church Warden for a local parish church and it seems that some of the requirements of the EU GDPR conflict with the rules of the church. Can you offer me some guidance please?
There are times when church doctrine seems to contradict the requirements of GDPR. This is not the first time UK or European law may have been at odds with internal church rules. Most of these contradictions will be eased by other aspects of the legislation.
For example, the Right to Erasure does not mean that an individual can ask for details of their previous marriage or baptism to be erased from the Parish Register. These details form part of the historical archives of the church, and so there is a legitimate reason to keep them. However, the Right to Object means that the individual could ask the church not to publicly display their personal information.
Another example could be that someone reveals details of another individual’s life during a counselling session with their clergy. The clergy makes notes. The named individual could not ask to be shown these notes under the Right to Access, due to the pastor’s obligation to maintain the first person’s privacy.
The GDPR does state in Chapter IX that member states can apply derogations for, amongst other things, churches. Our conversations with the ICO have led us to believe that if there is no provision in that bill, then none should be expected. However, the Bill is not finalised until it becomes an Act (currently expected on 25th May, the same day as GDPR).
For more information, see Article 23 and Chapter IX of the GDPR, or the ICO’s explanation of them.
Do I have to encrypt my data under the GDPR?
What is data encryption?
Encryption is a technique for ensuring confidentiality by encoding data such that it cannot be read by anyone not authorised to do so. Even if an information system is breached and data stolen, the data would prove worthless to a criminal who lacked the keys to unlock the encryption – or the processing power to force the lock by trying every possible combination of codes.
I was asked during a recent GDPR awareness conference whether I thought that encryption was required by the EU GDPR. I work for a business that does not offer encryption products so I don’t have a vested interest in the answer.
My gut instinct, and my answer, was “Yes.” However, I think the question and my initial answer deserve more explanation.
Which areas of my business do I encrypt?
Encryption is a broad technical area that covers data at rest and data in motion, and it can exist in many different places in an information system. These include volume encryption, database encryption, application encryption, and network encryption. Some of these are not too technically difficult to enable, but they routinely have an impact on system performance, the so-called ‘overhead’. This is because encoding and decoding data is mathematically complicated, so it consumes processing power and introduces latency (delays). Most solutions will also have a significant financial cost.
In business environments where speed of response is important, encryption may not prove possible. Modern network encryption uses special coprocessors purely for encryption purposes to limit the performance impact on normal operations. However, at host level that may not be possible, and generic processors may struggle with the overhead introduced by database or volume encryption. Database look-ups during time-critical interactions with customers or applications can be completely foiled by imposing encryption.
Although encryption is mentioned in the EU GDPR, it is only mentioned a few times. Each time it is modified with words like “such as”, “may include”, and “as appropriate.” A strictly legal analysis, together with consideration of the real-world difficulties in implementing encryption, would conclude that encryption isn’t mandatory. Security and privacy by design, however, is a requirement of the GDPR. Therefore, good practice states that data should be encrypted.
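To make concrete the point above that stolen data is worthless to someone without the keys, here is an added example, not taken from the original article, of application-level encryption of a record at rest using AES-256-GCM from Go's standard library. The record contents, the key handling and the function names are constructed for illustration; in a real system the key would live in a KMS or HSM, separate from the data store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey generates a random 256-bit key. In a real deployment the key is
// held in a KMS or HSM, never in the same store as the ciphertext, so that a
// copy of the database alone is worthless to whoever takes it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one record under AES-256-GCM. The stored blob is
// nonce || ciphertext || authentication tag, so the caller keeps a single
// opaque value per record.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. GCM verifies the tag before releasing
// any plaintext, so a wrong key or a modified blob yields an error, not garbage.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real personal data.
	record := []byte(`{"name":"Example Subject","email":"subject@example.invalid"}`)

	blob, err := EncryptRecord(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes): %x\n", len(blob), blob)

	// What a breach of the data store yields: the blob, but not the key.
	otherKey, _ := NewKey()
	if _, err := DecryptRecord(otherKey, blob); err != nil {
		fmt.Println("decrypt without the right key:", err)
	}

	// Normal application path: key fetched from the key store, record recovered.
	back, err := DecryptRecord(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered record:", string(back))
}
```

GCM is an authenticated mode, so the same check that rejects the wrong key also rejects a blob that has been altered in storage; that is why the example never returns partially decrypted data. The per-record overhead is a 12-byte nonce plus a 16-byte tag, which is small compared with the processing cost the article describes.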
Data breaches are inevitable
On the other hand, breaches of data security are inevitable. Every security professional is taught from day one that the following factors rule out any guarantee of total security.
The complexity of modern networks and the scope of the threat landscape provide their own challenges. The breadth of user behaviour and understanding is also problematic. Given this situation, your data could well be misappropriated at some point.
Therefore, assuming the data is in the hands of an individual with criminal intentions, what are the only measures preventing impact on the data subjects? The answer is encryption, although effective anonymisation or data minimisation will help too.
The first question most commonly asked of a company after a breach is whether the lost data was encrypted.
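The anonymisation and data minimisation mentioned above as complements to encryption can also be shown in code. This added example, which is not part of the original article, pseudonymises the direct identifier with a keyed HMAC and keeps only the fields a secondary use (say, reporting) actually needs, so that a copy of the minimised data set cannot be linked back to individuals by whoever obtains it. The record layout, field names, key and sample rows are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Record is a constructed CRM row holding a direct identifier (the email).
type Record struct {
	Email    string
	Postcode string
	Product  string
}

// MinimisedRecord is what a reporting or analytics copy actually needs.
type MinimisedRecord struct {
	Token   string // pseudonym in place of the email
	Area    string // outward postcode only, not the full address
	Product string
}

// Pseudonymise maps an identifier to HMAC-SHA256(key, normalised identifier).
// The same person always gets the same token, so records can still be joined,
// but without the key the token cannot be reversed or rebuilt by hashing
// likely inputs, which a plain unkeyed hash of an email address would allow.
func Pseudonymise(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(identifier))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Minimise drops everything the secondary use does not need and replaces the
// identifier with a pseudonym. Re-identification is only possible for whoever
// holds the key (or the source system), not for whoever obtains this copy.
func Minimise(key []byte, r Record) MinimisedRecord {
	area := strings.ToUpper(strings.TrimSpace(r.Postcode))
	if i := strings.Index(area, " "); i > 0 {
		area = area[:i] // keep the outward code only, e.g. "SW1A" from "SW1A 1AA"
	}
	return MinimisedRecord{
		Token:   Pseudonymise(key, r.Email),
		Area:    area,
		Product: r.Product,
	}
}

func main() {
	// Constructed secret; in practice held in a secrets store, separate from the data.
	key := []byte("constructed-pseudonymisation-key")
	rows := []Record{
		{Email: "Alice@example.invalid", Postcode: "SW1A 1AA", Product: "widget"},
		{Email: " alice@example.invalid ", Postcode: "SW1A 2BB", Product: "gadget"},
		{Email: "bob@example.invalid", Postcode: "EH1 1YZ", Product: "widget"},
	}
	for _, r := range rows {
		m := Minimise(key, r)
		// The first two rows share a token: same subject, two purchases.
		fmt.Printf("%s  %-5s %s\n", m.Token[:16], m.Area, m.Product)
	}
}
```

Normalising the identifier before hashing is what keeps the join property; the key is what makes the pseudonym a real safeguard rather than a thin disguise, so it needs the same custody as an encryption key.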
What if you don’t implement encryption?
If your company loses the personal data of EU data subjects, you will be expected to answer the question, “Was the data encrypted?”. Initially it may be law enforcement, the press or your customers asking, but eventually the regulator will ask as well, possibly with a view to pursuing regulatory action. I am anticipating that EU data subjects and, consequently, the regulators, will take a dim view of companies that have not implemented encryption. More severe penalties are likely for those that have not considered using encryption or cannot prove its careful consideration.
I am qualifying my answer somewhat. Does EU GDPR require encryption? My answer is still yes. As a security professional I will assume, in the general case, your network will be breached at some point. Therefore, given the relative maturity of the encryption market, there’s no reason why it should not be a part of every modern information system.
However, that does not mean that it is, on its own, sufficient to meet the demands of the regulator. Neither is it mandated. What is mandated is that companies should examine every opportunity to implement encryption. You must demonstrate that, where it has not been implemented, it is for a good reason of cost-efficiency or proportionality.
Therefore you must take data encryption seriously and build the evidence that you have thoroughly considered data encryption for your business. If you do not, the fines and other consequences of the inevitable breach of personal data will be that much bigger. As a practice we use encryption and strongly recommend encryption of your data.
Do I really need to be compliant?
Yes, you do. It is the law of the land. Being legally compliant with the regulation demonstrates to clients that you take securing their data seriously, and that as a business you have the right policies and procedures in place to help should a breach occur.
Have clients really the right to be forgotten?
The simple answer to this is yes but it is not quite that simple. Anyone can ask you about information you hold about them and you are obliged to share this information with them. They also have the right to stop you processing their data. They have the right to ask you to correct it if inaccurate and yes, to delete it. You must know where this data is and be able to prove that you have deleted all of it.
Is it true I cannot send emails to prospective business customers any longer?
No. You can but in order to do this you must first carry out a ‘Legitimate Interest Assessment’ to understand the impact on the rights and freedoms of the individuals concerned. Subject to the outcome, you may be able to communicate with them. If consent has been withdrawn then you cannot use legitimate interest.