How Boxcryptor Can Help With the GDPR
The General Data Protection Regulation (GDPR) is a regulation with great impact on all companies and organizations that handle and store personal data of European citizens. Many changes and adoptions have to be done and you can roughly split those necessary adaptations in those four main areas.
- Assessing and documenting your data structure
- Storing and handling personal data in a secure manner
- Data protection conformity of your processes
- GDPR compliance of third-party software
We can help you in the area of storing and handling personal data securely. Taking good care of secure data storage directly minimizes the risk for your organization in two central matters and allows your team to continue to work with files securely.
Boxcryptor and Encryption for GDPR Compliance
One central aspect of the GDPR is the need of organizations to focus more on data protection measures, such as encryption. From now on, companies that store and handle personal data (therefore, every company) must set up
appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. (GDPR, p. 47)
One of these appropriate technical and organizational measures (TOM’s) is encryption. The absolute need to implement such TOM’s should be enough reason to set up state of the art encryption for your data. However, there is a second important reason: Companies that do have proper encryption in place, do NOT have to notify their users in case of a data breach, because the data is protected accordingly.
The communication to the data subject referred to in paragraph 1 shall not be required if ... the controller has implemented appropriate technical and organisational protection measures … such as encryption. (GDPR, p 53)
How exactly these TOM’s should look like is not defined more precisely. However, it is made clear, what they have to achieve to count as “appropriate”. Not any kind of encryption counts.
TOM’s have to be measures
that render the personal data unintelligible to any person who is not authorised to access it (GDPR, p 53).
As soon as you make sure that no third party and only authorized persons can access the sensitive company data, your data is protected well enough. This also has to be the case in a potential data breach. If the worst case happens and someone should get a hold of your data, it should be uninterpretable to this unauthorized person.
We are specialized in guaranteeing exactly this: no-one but your company members can access your data, because it is encrypted locally on your company devices, before it is synchronized to a cloud provider, for example. Our end-to-end encryption with zero knowledge standard reliably keeps out everyone who is not authorized – not just hackers or potential attackers, but also the providers of your cloud storage (such as Amazon, Microsoft, Dropbox, etc). Thanks to our permission management, you can also select which user groups inside your company can access which content. This way, people from your marketing team do not see files of HR, or HR cannot view files of management, when they are not explicitly shared with them.
In Conclusion, With Boxcryptor in Place You Have Two Major Advantages
- Reduced risk of fines: In case of a violation of the new GDPR, depending on the type of violation, companies can face penalties between 10 and 20 million Euros; or 2-4% of the total annual turnover of the preceding financial year, whichever is higher. However, TOM’s are a mitigating factor in case of a breach. If the worst case occurs and your business faces a complaint, you avoid or lower the penalty through verifiably conducted risk reduction by encryption.
- No risk of losing the trust of your clients and partners: In case of a breach, you do not have to notify partners, customers and authorities, because you protected the data accordingly. Thanks to encryption, there is no risk for the affected parties and, therefore, there is no need of notification. For transparency reasons, we suggest you still let the affected party know what is going on. However, you can assure them that everything is fine and that there is no risk for them.
Why Boxcryptor Qualifies as a TOM
State of the art encryption is named a technical or organizational measure (TOM) to ensure the safety of personal data. If you have such TOM’s in place, your organization is protected and – in this area – GDPR compliant. The following shows why Boxcryptor qualifies as a TOM to protect your data according to the GDPR.
Boxcryptor uses a mixture of the AES-256 encryption standard, which is one of the most used and most secure encryption algorithms available today, and RSA encryption. These encryption standards are currently not breakable with the available computing powers. For example: Cracking a 128 bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe. And Boxcryptor even uses 256 bit keys. As of today, no practicable attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks and high security systems around the world. Find more information on these encryption standards here.
In our Technical Overview you will find additional information on the technical setup of Boxcryptor. Read how we protect our servers, how we implement secure authentication or exactly what encryption keys are used for what.
Note: This article describes our view on this topic to our best knowledge. It is not legal advice, nor should it be used to skip legal advice. This information is supplied without liability.
Get our exclusive, free whitepaper about the GDPR
A whitepaper with a comprehensive overview of the GDPR: We collected the most important information to assist you with keeping in mind what's important, with regard to the GDPR. Your business is ready to take on the Industry 4.0 and you want to utilize the opportunities the GDPR brings with it? Then get our exclusive, free whitepaper now.
By entering my email address I agree that Secomba GmbH sends me information via email. I can revoke this agreement at any time.