With GDPR, it's time to get personal with data encryption

public://pictures/lwmartin.jpg
Luther Martin, Distinguished Technologist, Micro Focus

When you’re a chief information security officer, it's reasonable to expect that some of your more technical skills might atrophy. You probably won’t be writing any software, so you'll almost certainly forget the details of the syntax of your favorite programming language. And if you preferred the EMACS editor, good luck with remembering those arcane control sequences after you review your first security policy.

But you definitely don't lose your ability to use a search engine. Even the most nontechnical CISOs should be fully capable of doing basic searches. This means that anyone who entices CISOs to an event and ends up telling them nothing they couldn't have found out with a quick online search is going to be a big disappointment.

During my seven years as a CISO I was routinely invited to attend events that sounded good but ended up being thinly veiled marketing pitches. Because I got so irritated by having my time wasted as an attendee, I now, as a presenter, spend a lot of time finding interesting things that people probably don't know and will make them think that their time at events such as the Micro Focus Cybersecurity Summit 2018, being held this week in Washington, DC, is well spent.

At that conference, I’ll be talking about regulatory changes, including the European Union's General Data Protection Regulation (GDPR) and related laws. This topic is much more interesting than it looks at first glance. Here's why. 

Top 4 Myths Regarding GDPR Compliance Beyond the EU

Get your head around GDPR

Here's one reason to get up to speed: The GDPR requires the right to erasure (sometimes called the right to be forgotten); I'll be discussing what that means and how you might be able to implement it.

The GDPR is vague about exactly what the right to erasure means. The regulation's intent is to give EU citizens control over their personal data. If they want to tell a business that it cannot use their data anymore, then the business needs to comply. But there are lots of details around exactly how to do that that are still not known.

A report by the European Union Agency for Network and Information Security (ENISA) noted that there is a clear trade-off between the thoroughness and the practicality of possible ways to implement the right to erasure:

A strict interpretation would require that all copies of the data be erased and removed from any derived or aggregated representations to the point where recovering the data is impossible by any known technical means. A slightly weaker (and possibly more practical) interpretation would allow encrypted copies of the data to survive, as long as they cannot be deciphered by unauthorized parties. An even weaker (and more practical) interpretation would allow clear text copies of the data to survive, as long as the data would no longer appear in public indices, database query results, or in the results of search engines.

The strict interpretation may be impractical to implement, so that the EU may have to accept a weaker interpretation of what it means to forget data. It is good to see that explicitly acknowledged.

Get personal with encryption

The next level down from the strict interpretation is perhaps the most interesting. If you are encrypting personal information, you may already be satisfying the right to erasure, at no additional cost. And note that this does not require any additional steps such as destroying or deleting the key that was used to encrypt the personal information. The fact that it is encrypted may be enough.

It might be hard to convince EU courts that the least strict of these interpretations is broadly applicable. It might make sense, for example, to satisfy the right to erasure for information that is available on the Internet by simply making it unavailable to search engines.

That is exactly what the Court of Justice of the European Union ruled in Google Spain vs. AEPD and Mario Costeja González, but it might be harder to convince them that a business can satisfy the right to erasure just by ensuring that certain personal information does not get returned by database queries.

It is essentially impossible to remove information from the Internet, so making information unavailable to search engines may be the closest approximation to erasing data that is possible. But since it is very feasible to delete information from a database, it seems likely that it will be much harder to convince courts that just limiting what is returned in queries is an adequate way to erase personal data.

So complying with the right to erasure that the GDPR mandates might not be as hard as you'd expect. In some cases, you may be able to meet this requirement by simply encrypting personal information. And if you're already doing that, the right to erasure might not be such a headache after all. It might even end up being the easiest part of the GDPR to comply with.

[ Webinar: Get Started with Seamless App Sec in a Single Day (Jan. 23) ]

Go outside of the box

Expect similar outside-of-the-box discussions at the Cybersecurity Summit 2018 session on the GDPR and related regulations. You might just learn something new and interesting from this session. See you there.

Share your thoughts on erasure and GDPR. Has your team grappled with this issue? Join the discussion in the comments below.