True GDPR Compliance Should Focus on Full Encryption … Well Done To Denmark

I have attended so many GDPR compliance talks, and I was surprised about how few companies were talking about encryption. Much of the industry perhaps lacks a bit of leadership from cyber security professionals in pushing forward the case for end-to-end encryption.

Unfortunately, if it were left to companies such as Microsoft, we would continue on without any thought of encryption in our documents and emails. But a few countries in the world are now setting good standards with respect to GDPR.

On 1 January 2019, companies in Denmark will have to make sure that all sensitive emails are protected with end-to-end encryption (complying fully with Article 9 of GDPR). In this way, not even system administrators will be able to read users’ emails.

For an email system that has existed for over 40 years, it is quite shocking that we are only now starting to take the security of emails seriously. Ask Sony about how embarrassing the leak of corporate emails can be.

The move is likely to start a wave of change across the EU, as companies follow Denmark’s lead. With the increase in data breaches, it seems one of the best ways to prevent serious leakages of sensitive information. One must wonder why areas such as health care haven’t already moved to end-to-end encryption, given the categories of data that Article 9 covers:

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Presently, email is only secured while it is tunnelled over a network connection, which provides little protection for the emails stored on the server. End-to-end encryption means that the sender can sign the content of an email, and only the recipient holds the key needed to read it.

One way for Bob to send an email to Alice is for Bob to generate a unique encryption key and encrypt the message with it. Bob then encrypts that key with Alice’s public key. Alice decrypts the key with her private key and reveals the message. Bob also takes a hash of the message, encrypts it with his private key, and gives it to Alice; she decrypts it with Bob’s public key, and if she gets the same hash, she knows it was Bob who signed the email and that the email has not been changed.

Conclusions

While the focus in Denmark is on personally sensitive information, it is likely that it will scale out to cover every email sent within a corporate environment. In five years’ time, cybersecurity will look back on our time as one that cared little about proper security and basically applied sticking plasters. The future lies in full encryption of data at every part of its journey. While countries like Finland, Estonia and Denmark seem to value the privacy rights of citizens, other countries around the world still want to be able to read emails. Strict compliance with GDPR will see the citizen winning out. For those who mine our emails, or who try to hack them, there will be a change coming soon.