Boxcryptor’s GDPR Journey Part 5: How we at Boxcryptor apply encryption to protect our data
Since May 25th 2018 the new General Data Protection (GDPR) applies for Boxcryptor and all companies, processing any personal data of EU citizens. This new provision of the European Union is fundamentally reshaping how personal data is processed within the EU. The amendment is demanding far-ranging changes and re-structuring of the companies. Surveys show that the GDPR is striking fear in many companies affected by this regulation.
We, at Boxcryptor decided to perceive the GDPR as a chance, rather than a threat. Therefore, Boxcryptor CEO Andrea Pfundmeier is going to report how the new GDPR is implemented and applied at Boxcryptor, in a multi-part series of articles.
Read the other parts of the series here:
Part 1 – Getting an overview (Steps 1-4)
Part 2 – Optimization of existing processes (Steps 5-8)
Part 3 – Internal implementation and external data protection officers
Part 4 – Dealing with Third Party Providers
Part 6 – Before GDPR is past GDPR
Encryption and the GDPR
With respect to this article series concerning the GDPR and its’ implementation at Boxcryptor I would now like to talk in more detail about encryption. Firstly, because file encryption with Boxcryptor is our product, secondly because we, the Secomba GmbH are saving all company data in encrypted form, too. In this article I want to point out why encryption is a crucial aspect for reaching GDPR-conformity.
What does the GDPR-framework say with regard to encryption?
In fact, the word “encryption” does not appear at all within the framework of the GDPR. Rather does the GDPR puts the requirement on companies to take “appropriate technical and organizational measures” (EU-GDPR Art.32) for protecting personal data of EU citizens.
Since Boxcryptor is offering state of the art encryption, it qualifies as such an appropriate technical and organizational measure within the GDPR-framework.
Interesting fact: Some governmental data protection institutions do not classify personal data, which is encrypted by a strong encryption process, as personal data anymore.
GDPR-Conformity with Boxcryptor
For the last couple of months, prior to the GDPR coming into force this month (May 25th), we have been asked multiple times which role Boxcryptor assumes with regard to achieving GDPR-conformity. Following are the answers we provided our customers with:
(Company) internal data protection concepts
Boxcryptor is fully supporting the tailormade implementation of existing data protection concepts. It is, for example possible to implement rules defining a minimum password-length or implementing IP-restrictions on a user or group level.
Dealing with data protection violations
In case of a data protection violation, the obligation to notify is not applicable if the lost data was encrypted. Hence, companies using a strong encryption (like the one of Boxcryptor) are able to avoid possible PR disaster. Reason for the non-applicability of the obligation to notify is the above-mentioned fact that some jurisdictions do not consider encrypted personal data as personal data anymore.
“Handling of public cloud service providers”
Boxcryptor is encrypting the data before it is leaving the computer or smartphone - the data will never be in (or transmitted to) the cloud in its’ legible form. Hence, no matter which cloud you have chosen to use, the data will always be within this cloud protected by Boxcryptor’s strong encryption.
Read some additional information on the most favorite cloud providers here
Taking process-oriented action to implement the GDPR:
If a company decides to make use of Boxcryptor there is no need for change in existing processes – the only thing changing (with regard to existing processes) is the storage location of the data used within a process. The use of Boxcryptor is a real no-brainer and can be understood by every employee, without additional training becoming necessary.
Employees and data protection
All data within the company is encrypted comfortably in the background. This way, well known processes are not disrupted by the additional layer of security and all employees are able to continue working efficiently, from day one of the installation. Since all data is encrypted (no matter whether it is customer- or employee data), the employees can rest assured that their (e.g.) personnel file is protected and may only be accessed by the human resource department or the management.
Privacy Impact Assessment
For assessing the impact, it is necessary to clarify what procedure is applied to protect personal data. Boxcryptor is encrypting data with the AES-256 and RSA algorithms. AES-256 is the encryption standard of choice for government institutions, banks and high-security systems worldwide and therefore a well-respected standard for strongly protecting personal data.
Appropriate technical and organizational measure: Documentation, Assessment, Appraisal
Boxcryptor is making use of the state of the art, most secure encryption standard, the software qualifies as “appropriate technical and organizational measure” to encrypt data in accordance with the GDPR.
This is how Boxcryptor is encrypting data
Since our company was founded the team is working with Dropbox. Naturally all data we save is uploaded in encrypted form, only. For this, we are making use of Boxcryptor Company and added all of our employees to this plan. This way working together as a team becomes very easy. Using policies, defining access authorization on an individual user- and on a group-level, ensures every employee may only access those folders necessary for his/her work.
In all of this, it does not matter at all which device is being used by an employee to access the encrypted data on Dropbox. Whether an employee is using Boxcryptor for Windows or for iOS does not play a role for the de- and encryption of shared data. Hence, every employee is able to work on the device he, or she feels most comfortable working on.
Whenever an employee is leaving the company, he can simply be removed from our Boxcryptor account and is immediately losing access to the encrypted data. This way, our data is strongly protected and sure to remain in our control.