Safeguards

Encryption

What is encryption?

Encryption converts readable data into an unreadable form using a secret key, so that only the holder of that key can read it again. In a company it protects data on laptops, mobile phones and external drives, as well as traffic travelling across the internet.

Encryption matters in two places for a business. First, for stored data: the hard disk of a laptop, a company mobile, a USB stick, the external backup drive. Second, for data in transit across the internet, recognisable by the https in the browser address bar, by a VPN connection, meaning an encrypted connection into the company network, or by the secured transfer between mail servers.

The most tangible case is the lost laptop. Without full disk encryption the drive can be removed and read on another machine. The Windows password stops nobody here, because it guards only the login to the operating system. Where full disk encryption is active, the data stay unreadable to whoever finds the device. On Windows the feature is called BitLocker in the Pro editions, on macOS it is FileVault. Current mobile phones encrypt their storage by default once a device passcode is set.

The General Data Protection Regulation names the encryption of personal data expressly in Article 32 as one possible technical measure. It also carries a very practical consequence. Under Article 34(3)(a) GDPR, notification of the affected individuals following a personal data breach may be dispensed with where the data were rendered unintelligible to unauthorised persons by appropriate measures such as encryption. The notification to the data protection authority under Article 33 GDPR remains due regardless.

Encryption stands or falls with how the keys are handled. The recovery key for full disk encryption belongs in a safe place away from the encrypted device, for example in the management's password manager or in the physical safe. If it is lost, the data become permanently unreadable to you as well. The same holds for encrypted backups: the key must remain available even when the very server it was stored on has failed.

The first sensible step is a list of every device that leaves the premises: laptops, company phones, tablets, external drives, USB sticks. Encryption is switched on for each of them and the status recorded. The IT-Check establishes which devices are encrypted, where the recovery keys are held and whether the transmission paths are secured. That record also supports the documentation of technical and organisational measures required by the GDPR.

All terms in the knowledge base

From the term to practice

Where does your business actually stand?

The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.

Book a first call