GDPR, Encryption, and Right of Erasure

The European General Data Protection Regulation (GDPR) has transformed the way businesses think about protecting private data - not just in the EU, but worldwide. Organizations of all sizes and types, and cloud service providers small and large, must adjust to the notion that people now fully own information about themselves. I recently sat down with Patrick Townsend, Founder and CEO of Townsend Security, a company that specializes in encryption and key management, to discuss GDPR, the right of erasure (also known as the right to be forgotten), and how to avoid bad key management practices that will result in GDPR compliance failures.

Hi Patrick. GDPR is a pretty serious compliance regulation that requires major changes to IT systems and the way organizations relate to their customers, employees, and external partners. It is hard to overstate the impact of the regulation.

It is absolutely amazing. GDPR is truly revolutionizing the way all industries think about data privacy – both in and out of the EU. Fundamentally, GDPR returns control of information to individuals – whether they are customers, employees, partners, etc. – directly to their own control. Historically, businesses have collected information and treated it like their own – and that ends with GDPR. Further, we now need to get permission to store and share an individual’s data and they can ask for a copy of that information at any time. Additionally, within Article 17, GDPR outlines the “right of erasure” also known as “the right to be forgotten.” This means if an individual asks you to delete their data, you must do that and provide confirmation.

Finally, there are harsh penalties if you fail to comply – especially if there is negligence. Under GDPR, organizations in breach of the regulation can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).

How does data protection work in the new GDPR world?

Well, data protection is an explicit requirement under GDPR. There are several references to encryption within the regulation, which is one of the best ways to protect data – how most companies will protect their private data. Organizations also cannot forget the importance of encryption key management.

Encryption and key management have a deep history of standards and certifications. The NIST standard, for example, will be helpful to organizations as they deploy data protection. Encryption that has been NIST validated proves that it has been reviewed and meets industry standards – which isn’t always the case with homegrown encryption and key management methods. As a company, we have seen organizations do everything from storing keys on the same server as the encrypted data to writing their encryption keys into application code.

It is important to point out, that under GDPR, data security requirements apply to both data controllers (those of us who accept information, with permission) as well as data processors (such as a cloud provider or other IaaS offering). Additionally, if data flows through your system, you are considered a data processor, even if you don’t use it.

The most difficult part of encryption has to do with creating, protecting, and deploying encryption keys - and there are a lot of ways to get key management wrong.

Exactly. Key management is the part of data security that people struggle with the most. A lot of people don’t realize that it is critical to protect encryption keys away from the encrypted data. There are a lot of ways to incorrectly store encryption keys. As mentioned earlier, you can store keys in your code, in a file in the clear, or on a USB stick, for example. None of these will stand up under scrutiny.

When you deploy encryption, you also need to deploy an encryption key manager. At Townsend Security, we have a FIPS compliant centralized key management solution called Alliance Key Manager (there are also others on the market). Without a key manager, it is incredibly easy for an attacker to get a key that is improperly stored and break into your encrypted data. We have seen this.

Fortunately, ISVs and database vendors have been working hard to do things right. For example, Microsoft SQL Server Enterprise includes Transparent Data Encryption (TDE) to encrypt data without application changes. Additionally, Microsoft also includes an Extensible Key Management (EKM) option that allows vendors like us to properly store and manage encryption keys separately.

[View Townsend Security’s Definitive Guide to SQL Server Encryption & Key Management to learn more about protecting data on Microsoft SQL Server]

The Key Management Interoperability Protocol (KMIP) is another standard that has made encryption key management much more easily accessible. MongoDB Enterprise, for example, has adopted this standard. They offer FIPS validated AES encryption built right into their product, and have adopted KMIP, providing users an easy way to properly manage keys.

Yeah, you have made some good points. Fortunately, it is fairly easy to deploy good encryption key management that is affordable, easy to install and configure, and easy to integrate with your encryption strategy, right?

Key management has earned a reputation of being costly and difficult, which was true 10 years ago. I remember watching technicians spend weeks and huge budgets deploying key management systems. Today, it is completely different. Use our key manager as an example. The process now takes minutes. And you aren’t limited to just one platform. Because data spans multiple environments, you can easily launch the solution in the cloud, as a VMware software appliance, or as a traditional hardware security module (HSM). By answering a few questions, you have a fully configured, ready-to-use key manager.

There are also some important things to look for in an encryption key manager. In addition to the standards already mentioned (NIST, FIPS, KMIP, etc.), a good key management solution will come with client side applications, SDKs, and sample code that allow for easy integrations with multiple applications and databases.

Let’s talk a little more about Article 17, Right to Erasure, also known as the right to be forgotten.

It is important to note that GDPR is segmented into multiple articles. Article 17 is the right to erasure, or right to be forgotten, and it is critical. Under GDPR, an individual with personal information is defined as a data subject (employee, consumer, partner, etc.) and can ask you to delete their information. Not only do they have to grant permission to store their data, but they can revoke that permission at any time. Article 17 covers a lot of ground and doesn’t just require that you delete data upon request, but also that you also must be aware of what data you have – and in the event of a deletion request, provide confirmation that it is no longer anywhere on your systems.

You recently wrote a great blog showing how businesses can take a key management approach to Article 17, which I thought was pretty cool.

Yes, the right to erasure can be a real challenge. There are different ways of approaching it through traditional IT mechanisms, but here is the method that I would take. Since businesses are already deploying encryption, what if we assigned a unique encryption key to each data subject? In the event that a data processor or data controller needs to honor an erasure request, or no longer needs the data, all that needs to happen is the deletion of an encryption key. That effectively deletes the data that is encrypted with that key. In the security world, this known as cryptographic zeroization and is very effective, as well as covered by standards. That not only removes the person’s data effectively from your online databases, but also every backup, which can be quite difficult for many companies to accomplish. Going forward, I think that this method is going to gain a lot more traction.

Visit Townsend Security’s website to learn more about Alliance Key Manager, their centralized encryption key manager. The solution provides full life-cycle management of encryption keys for a wide variety of applications to help organizations meet PCI DSS, HIPAA, GDPR, etc. Available at no extra charge, Townsend Security includes ready-to-use security applications (SQL Server, Drupal, more), SDKs, and sample code (Java, C#, Perl, PHP, more) for developers.