How Boxcryptor Can Help With the General Data Protection Regulation (GDPR)
The General Data Protection Regulation is a regulation with great impact on all companies and organizations that handle and store personal data of European citizens. Many actions are necessary, and you can roughly split those adaptations into four major areas:
- Assessing and documenting your data structure
- Storing and handling personal data securely
- Data protection conformity of your processes
- GDPR compliance of third-party software
We can help you with storing and handling personal data securely. Taking good care of secure data storage directly reduces your organization's risk in two central respects and allows your team to keep working with files securely.
Boxcryptor and Encryption for GDPR Compliance
One central aspect of the GDPR is the need for organizations to focus more on data protection measures, such as encryption. Companies that store and handle personal data (and therefore every company) must set up
appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. (GDPR, p. 47)
One of these appropriate technical and organizational measures (TOMs) is encryption. The absolute need to implement such TOMs should be reason enough to set up state-of-the-art encryption for your data. However, there is a second important reason: companies that have proper encryption in place do NOT have to notify their users in case of a data breach, because the data is protected accordingly.
The communication to the data subject referred to in paragraph 1 shall not be required if [...] the controller has implemented appropriate technical and organizational protection measures […] such as encryption. (GDPR, Art. 24, p. 53)
What exactly these TOMs should look like is not defined more precisely. However, it is made clear what they have to achieve to count as “appropriate”: not just any kind of encryption counts.
TOMs have to be measures
that render the personal data unintelligible to any person who is not authorized to access it (GDPR, Art. 34, p. 53).
Once you ensure that only authorized persons, and no third party, can access the sensitive company data, your data is protected well enough. This also has to hold in the event of a data breach: if the worst case happens and someone gets hold of your data, it should be uninterpretable to that unauthorized person.
We specialize in guaranteeing exactly this: no one but your company members can access your data, because it is encrypted locally on your company devices before it is synchronized to a cloud provider, for example. Our end-to-end encryption with zero-knowledge standard reliably keeps out everyone who is not authorized — not just hackers or potential attackers, but also the providers of your cloud storage (such as Amazon, Microsoft, Dropbox, etc.). Thanks to our permission management, you can also select which user groups inside your company can access which content. This way, people from your marketing team do not see files of HR, and HR cannot view files of management unless they are explicitly shared with them.
In Conclusion, With Boxcryptor in Place You Have Two Major Advantages
- Reduced risk of fines: In case of a violation of the GDPR, depending on the type of violation, companies can face penalties between 10 and 20 million Euros, or 2-4% of the total annual turnover of the preceding financial year, whichever is higher. However, TOMs are a mitigating factor in case of a breach. If the worst case occurs and your business faces a complaint, you avoid or lower the penalty through demonstrable risk reduction by encryption.
- No risk of losing the trust of your clients and partners: In case of a breach, you do not have to notify partners, customers and authorities, because you protected the data accordingly. Thanks to encryption, there is no risk for the affected parties and, therefore, no need for notification. For transparency reasons, we suggest you still let the affected party know what is going on. However, you can assure them that everything is fine and that there is no risk for them.
For more information on how to proceed in the event of a data breach please read our article “Reporting a Data Breach – How Does it Work”.
Why Boxcryptor Qualifies as a TOM
State-of-the-art encryption is named as a technical or organizational measure (TOM) to ensure the safety of personal data. If you have such TOMs in place, your organization is protected and — in this area — GDPR compliant. The following shows why Boxcryptor qualifies as a TOM to protect your data according to the GDPR.
Boxcryptor uses a combination of the AES-256 encryption standard, which is one of the most widely used and most secure encryption algorithms available today, and RSA encryption. These encryption standards are currently not breakable with the available computing power. For example: cracking a 128 bit AES key with a state-of-the-art supercomputer would take longer than the presumed age of the universe, and Boxcryptor even uses 256 bit keys. As of today, no practical attack against AES exists. Therefore, AES remains the preferred encryption standard for governments, banks, and high security systems around the world. Find more information on these encryption standards here.
In our Technical Overview you will find additional information on the technical setup of Boxcryptor. Read how we protect our servers, how we implement secure authentication or exactly what encryption keys are used for what.
Note: This article describes our view on this topic to our best knowledge. It is not legal advice, nor should it be used to skip legal advice. This information is supplied without liability.