Why you need to start taking data protection seriously - and how ESET can help

What is GDPR?

Are you GDPR-compliant?

In May 2018, a new EU-wide data protection regulation comes into force.

If it affects you, you will need to start thinking about compliance now. This site is designed to help you understand the GDPR, quantify its requirements and offer solutions. The General Data Protection Regulation (GDPR) will affect every organization in Europe that handles personal data of any kind, as well as any company that does business in the EU. The rules are complex and the fines for non-compliance are significant (up to €20 million).

But you are in the right place to learn more!


Get your free guide

ESET and its legal advisors have produced this in-depth guide to examine how the new EU regulation will affect you.



Complying with GDPR, step by step

The implications of the GDPR are complex, so we have broken the compliance process down into three groups of measures that you should consider, each subdivided into areas that are explained in more detail below.

In summary

Some of the principles set out in the GDPR are a continuation of those set out in the existing Data Protection Directive, namely: fairness, lawfulness and transparency; limitation of purpose; data minimization; data quality; security, integrity and confidentiality.

The GDPR establishes a new accountability principle by making data controllers responsible for demonstrating compliance with the principles. The GDPR also adds new aspects to the existing data protection principles, as follows:

Lawfulness, fairness and transparency – Personal data must now be processed in a transparent manner in relation to the data subject.

Limitation of purpose – With some caveats, archiving of personal data which is in the public interest will not be considered incompatible with the original processing purposes.

Storage – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Accountability – The data controller becomes responsible for, and must be able to demonstrate, compliance with the principles.

Organizational structure requirements

Under the GDPR, you must implement a wide range of measures in order to ensure that you reduce the risk of breaching the GDPR and to allow you to prove that you take data governance seriously. Among the necessary accountability measures are: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (DPO).

The GDPR introduces an obligation for certain organizations to appoint a Data Protection Officer (DPO). Such organizations must appoint either a staff member or an external consultant as their DPO.

If you are a marketer with a large consumer database, you will probably need to appoint a DPO; national data protection authorities are expected to provide guidance on who qualifies.

Your DPO will be responsible for monitoring compliance with the GDPR, advising you of your obligations, advising on when and how a privacy impact assessment should be carried out, and be the contact point for enquiries from national data protection authorities and individuals.

The concept of a one-stop shop allows an organization which is established in several EU countries to deal with only one national data protection authority, although the rules for determining which DPA should take this role, and how it would handle complaints, are complex in some cases.

Processes, procedures and policies

The GDPR redefines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This is a broader definition than before and does not take into consideration whether the breach causes harm to the individual. If you suffer a data security breach, you must inform your national data protection authority immediately and, at the latest, within 72 hours of discovering the breach.

However, you are exempted from notifying individuals if you have implemented appropriate technical and organizational measures to protect the personal data, such as encryption.

An important part of complying with the GDPR is privacy by design, i.e. designing each new process or product with privacy requirements front and center. This approach, while previously best practice, is now an explicit requirement.

A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimize non-compliance risks.

The GDPR makes PIAs a formal requirement: specifically, controllers must ensure that a PIA is carried out on any “high risk” processing activity before that activity begins.

If you operate internationally, your rules and processes for transferring data to non-EU jurisdictions will be a significant consideration, as the penalties for non-compliance or transfer of data to jurisdictions not recognized (by the European Commission) as having adequate data protection regulation will become much more severe under the GDPR.

Awareness of data security

Now is the time to start explaining the need for GDPR compliance to your own employees. You may already need to start planning revised procedures to deal with the GDPR’s new transparency and individual rights provisions. This could have significant financial, IT and training implications.

Accountability - technical measures

The GDPR makes controllers responsible for demonstrating compliance with its data protection principles. You will therefore need clear policies in place to prove that you meet the required standards: regularly monitor, review and assess your data processing procedures, build in safeguards, and ensure that your staff are trained to understand their obligations – and be ready to demonstrate all of this at any time when your national data protection authority requires it.

Data breach – technical measures

You must prepare for data security breaches (defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”) by putting clear policies and tested procedures in place, so that you can react to any data breach and notify it where required.

Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.

Ensure data subject rights - technically

The GDPR strengthens the rights of data subjects, for example by adding the right to require information about data being processed about themselves, access to that data in certain circumstances, and correction of data which is wrong.

One of the main aims of the GDPR is to bolster the rights of individuals. As a result, the rules for dealing with subject access requests will change, and you will need to update your procedures to reflect this.

In most cases you will not be able to charge for complying with a request and normally you will have just a month to comply, rather than the current 30 days.

The right to be forgotten (‘erasure’ in the terminology of the GDPR) allows individuals to require your data controllers to erase their personal data without undue delay in certain situations, for instance where there is a problem with the underlying legality of the processing, or where they withdraw consent.

Third parties with whom you share individuals’ data are also covered by these rules.

The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”; however, there is some ambiguity about how data subjects’ right not to be subject to decisions based on profiling will be enforced.

The GDPR introduces a new right to data portability. This goes beyond individuals’ existing right to require that you provide their data in a commonly used electronic form: the controller must provide the information in a structured, commonly used and machine-readable format.

There are some limits to this rule, for instance it only applies to personal data processed by automated means.

As part of its aim to bolster the rights of individuals, the European Commission is also granting a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes, including profiling activities for direct marketing purposes.

Once an individual objects, their data must not be processed for direct marketing any further and the individual’s contact details should be added to an in-house suppression file.

Organizations must inform individuals about their right to object to the processing of their data in a way which is explicit and separate from other information which they must also provide to individuals.

Communicating privacy info (consents, fair processing notices)

You may need to review how you seek, obtain and record consent; a data subject’s consent to processing of their personal data must be as easy to withdraw as to give, and must also be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.

The GDPR grants special protections when it comes to the handling of personal data pertaining to children, particularly in relation to commercial internet services like social networking.

Online, prior parental consent is required for the use of personal data of anyone under 13 years of age; Member States can set their own rules for those aged 13 to 15. If they choose not to, parental consent is required for children under 16 years of age.

As a result, you should start thinking about how to implement robust systems to verify individuals’ ages and to gather parents’ or guardians’ consent to process such data.

Consent must be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.

The GDPR will probably increase the range of things you have to tell data subjects, for instance your legal basis for processing their data, your data retention periods and their right to complain to their national data protection authority if they think there is a problem with the way you are handling their data. Note that the GDPR requires this information to be provided in concise, clear language.

Data security (integrity and confidentiality)

The GDPR sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.

You must ensure that personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage: “The organisation and any outsourced service provider shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk”.

The regulation suggests a number of security measures which can be used to achieve data protection, including: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring personal data processing security.

The GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. To quote from the regulation:

Article 32 – Security of processing

“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data […]”

Article 34 – Communication of a personal data breach to the data subject

“3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […]”
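As an added illustration of the pseudonymisation that Article 32(1)(a) names (example code written for this page, not ESET's or DESlock's), the Go snippet below replaces the direct identifier in each record with a keyed HMAC-SHA256 token, so that the dataset itself holds no e-mail addresses and only the separately held key can link rows back to a person; the record layout, key and sample rows are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
)

// Record is a constructed row that carries a direct identifier (an e-mail address).
type Record struct {
	Email, Product string
	Amount         int
}

// PseudoRecord is the same row with the identifier replaced by a keyed token.
type PseudoRecord struct {
	SubjectToken, Product string
	Amount                int
}

// Pseudonymiser holds the secret key: the "additional information" that must be
// kept separately from the pseudonymised dataset. The key here is a constructed
// example; in production it would live in a key management service.
type Pseudonymiser struct{ key []byte }

func NewPseudonymiser(key []byte) *Pseudonymiser { return &Pseudonymiser{key: key} }

// Token derives a deterministic, keyed token for an identifier. HMAC rather than
// a bare hash means that whoever holds only the dataset cannot recompute tokens
// for guessed e-mail addresses: the key is required.
func (p *Pseudonymiser) Token(identifier string) string {
	mac := hmac.New(sha256.New, p.key)
	mac.Write([]byte(identifier))
	return hex.EncodeToString(mac.Sum(nil))
}

// Pseudonymise strips the direct identifier from every record. The result can be
// joined on SubjectToken for analytics while holding no e-mail addresses.
func (p *Pseudonymiser) Pseudonymise(in []Record) []PseudoRecord {
	out := make([]PseudoRecord, 0, len(in))
	for _, r := range in {
		out = append(out, PseudoRecord{p.Token(r.Email), r.Product, r.Amount})
	}
	return out
}

// RowsFor locates one data subject's rows, e.g. for an access or erasure request.
// Only the key holder can do this; token comparison is constant-time.
func (p *Pseudonymiser) RowsFor(identifier string, data []PseudoRecord) []PseudoRecord {
	want := []byte(p.Token(identifier))
	var hits []PseudoRecord
	for _, r := range data {
		if subtle.ConstantTimeCompare([]byte(r.SubjectToken), want) == 1 {
			hits = append(hits, r)
		}
	}
	return hits
}
```

A pseudonymised dataset that leaks without its key is the situation Article 34(3)(a) has in mind; the key itself still needs the same care as an encryption key.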

Data documentation, legal basis and audit

You should document what personal data you hold, where it came from and with whom you share it.

If you have inaccurate personal data and have shared this with another organization, the GDPR requires that you tell the other organization about the inaccuracy so that it can correct its own records. To do this may require an information audit across your organization or within particular business areas. This will also help you to comply with the GDPR’s accountability principle.

Under the GDPR, you should examine how you process personal data and identify the legal basis on which you carry out and document these processes.

This is necessary because some individuals’ rights will be modified by the GDPR depending on your legal basis for processing their personal data. One example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. However, consent is just one of a number of different ways of legitimizing processing activity and may not be the best (as it can be withdrawn).

The information presented on this webpage does not constitute a legal opinion, and users should not rely on its accuracy when making financial or business decisions. ESET will not be liable for outcomes resulting from such actions. Always seek independent legal advice.

Join our GDPR webinar

Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.

Encryption as a solution

What is encryption?

Encryption is the process of encoding information in a way that prevents unauthorized parties from being able to read it.

Key length and encryption strength

Encryption strength is most commonly equated to key length (bits) and the encryption algorithm used. The simplest way to defeat encryption is to try all the possible keys. This is known as a brute-force attack, but longer keys have made this approach ineffective.

To brute force a 128-bit AES key, every one of the roughly 7 billion people on Earth would have to check 1 billion keys a second for around 1.5 trillion years to test every key.

So attackers do not typically try to reverse-engineer the algorithm or brute-force the key. Instead, they look for vulnerabilities in the encryption software, or attempt to infect the system with malware to capture passwords or the key as they are processed.

To minimize these risks, you should use an independently validated encryption product and run an advanced, up-to-date anti-malware solution.

How does it work?

Encryption is applied, most commonly, in two different ways:

Encrypted storage – often referred to as ‘data at rest’ – is most commonly used to encrypt an entire disk, drive or device.

This type of encryption protects the data only once the system is shut down, the drive ejected or the encryption key locked; while the system is running and unlocked, the data is readable by whoever is using it.

Encrypted content – also referred to as granular encryption – means, typically, encrypting files or text at the application level.

The most common example is email encryption, where the message format must remain intact for the email client application to be able to handle it, but the text body of the email is encrypted along with any attachments.
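The e-mail case described above, as an added Go example that is not ESET's or DESlock's code: only the body of a message is sealed with AES-GCM, the header block is kept byte-for-byte so a mail client can still handle the message, and the headers are bound into the ciphertext as additional data so that a tampered From/To/Subject fails to decrypt. The function names and the raw 32-byte key are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
	"strings"
)

// prepare splits the message at the first blank line (CRLF per RFC 5322; a bare
// LF is also accepted) and builds an AES-GCM instance. The header block keeps its
// separator so it can be re-emitted byte-for-byte and used as additional data.
func prepare(key []byte, raw string) (head, body string, aead cipher.AEAD, err error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return "", "", nil, err
	}
	if aead, err = cipher.NewGCM(block); err != nil {
		return "", "", nil, err
	}
	for _, sep := range []string{"\r\n\r\n", "\n\n"} {
		if h, b, found := strings.Cut(raw, sep); found {
			return h + sep, b, aead, nil
		}
	}
	return "", "", nil, errors.New("no header/body separator")
}

// EncryptBody seals only the body, so the headers a mail client needs for routing
// and display stay intact. The body becomes base64(nonce || ciphertext || tag) and
// is cryptographically bound to the headers, so a swapped From/To/Subject is detected.
func EncryptBody(key []byte, raw string) (string, error) {
	head, body, aead, err := prepare(key, raw)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(body), []byte(head))
	return head + base64.StdEncoding.EncodeToString(sealed) + "\r\n", nil
}

// DecryptBody reverses EncryptBody; a modified header or body fails authentication.
func DecryptBody(key []byte, raw string) (string, error) {
	head, b64, aead, err := prepare(key, raw)
	if err != nil {
		return "", err
	}
	sealed, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(sealed) < n {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, sealed[:n], sealed[n:], []byte(head))
	return string(plain), err
}
```

Getting the same key to sender and recipient is outside this snippet; that distribution problem is what the key-management discussion further down addresses.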


What do I need from encryption?

While key length and the range of software features are important, they do not tell you how well a product will perform from the user’s point of view – or from the administrator’s.

FIPS 140 validation

The most widely accepted independent validation is the FIPS-140 standard. If a product is validated to FIPS-140 then it is already more secure than most situations demand and will be acceptable under the GDPR and other regulations.

Ease of use for non-technical users

There will always be situations where your employees will need to decide whether or not to encrypt a document, email, etc. It is vital that they are able to use the software provided and can be confident that encrypting data will not lock them – or authorized recipients – out.

Remote management of keys, settings and security policy

To avoid staff having to make security decisions, encryption can be enforced everywhere – but this tends to restrict legitimate business processes and can stifle productivity. The inclusion of a remote management capability – one that allows changing of encryption keys, functionality or security policy settings for remote users, who typically represent the biggest security issue – means that the default settings for enforced encryption and security policy can be set higher without limiting normal processes elsewhere in the business.

Management of Encryption Keys

One of the biggest usability challenges is how users are expected to share encrypted information. There are two traditional methods:
Shared passwords, which are either easy to remember and insecure, or hard to remember and secure but then written down or forgotten; or
Public-key encryption, which works well across smaller workgroups with no or low staff turnover, but becomes complex and problematic in larger or more dynamic teams.
Using centrally-managed, shared encryption keys avoids these problems, with the added bonus of mirroring the way that physical keys are used to lock our houses, apartments, cars, etc. Staff already understand this concept, and it only needs explaining once. Coupled with a premium remote-management system, shared encryption keys strike the optimum balance of security and practicality.

Try ESET DESlock+ for free


How ESET can help

Our solution:
DESlock Encryption by ESET

Encrypting the personal data in your systems can help satisfy many requirements of the GDPR. ESET’s solution is powerful, simple to deploy, and can safely encrypt hard drives, removable media, files and email.

DESlock Encryption allows you to meet data security obligations by easily enforcing encryption policies while keeping productivity high. With low help-desk overhead and short deployment cycles, no other product can match DESlock for flexibility and ease of use.

The client side, delivered as a single MSI package, requires minimal user interaction, which improves compliance and the security of your company data. The server side makes it easy to manage users and workstations and to extend protection beyond your corporate network.

What DESlock Encryption offers

Simple and powerful encryption for organizations of all sizes: safely encrypts files on hard drives and portable devices, and files sent via email

Certification: FIPS 140-2 Validated 256 bit AES encryption for assured security

Hybrid-cloud based management server for full remote control of endpoint encryption keys and security policy

Support for Microsoft® Windows® 10, 8.1, 8 (including UEFI and GPT), 7, Vista and XP SP3; Microsoft Windows Server 2003-2012; Apple iOS

Algorithms & standards: AES 256 bit, AES 128 bit, SHA 256 bit, SHA1 160 bit, RSA 1024 bit, Triple DES 112 bit, Blowfish 128 bit

DESlock+ Pro – The benefits in detail

Full disk encryption
Fast and transparent pre-boot security

Removable media encryption
Policy-driven removable media encryption suitable for any corporate security policy

Outlook plugin for email & attachments
Easily send and receive encrypted emails and attachments through Outlook

Virtual disks & encrypted archives
Create a secure, encrypted volume on your PC or in another location or an encrypted copy of an entire directory tree and its files

File & folder encryption
Fast and transparent, provides an extra layer of security

Text & clipboard encryption
Encrypt all or part of a text window – web-browsers, database memo-fields or web-mail

Centralised management compatible
Full control of licensing and software features, security policy and encryption keys.

DESlock+ Go portable encryption
Easy to use on-device software for deployment on unlicensed systems

Try ESET DESlock+ for free

Just fill in your details and we'll set up a trial, so that you can experience the benefits of encryption by ESET
