Lexicon > Encryption

IT Lexicon

Encryption

Encryption is a reversible operation applied to data, possibly personal data, in order to make it incomprehensible to anyone who is not authorized to access it.

In fact, in principle, only people with a decryption key can access the data in clear text and thus process it.

Encryption contributes to the security of personal data processing, and in particular to ensuring its confidentiality and integrity.

It can be performed on data at rest but also in transit.

There are two main encryption processes, symmetric and asymmetric.

Symmetric encryption refers to the situation in which encryption and decryption are performed using the same key. The choice of the key must therefore be carefully considered in order to prevent malicious persons from being able to decrypt the data.

Asymmetric encryption refers to the situation in which the recipient has two decryption keys, a private key and a public key, the latter being accessible to the sender. The sender uses the recipient’s public key to encrypt the message and the recipient uses his private key to decrypt it.

The encryption of data can also be part of their cryptographic erasure by making them definitively inaccessible by the final destruction of the decryption key, provided that the initial encryption is sufficiently robust to resist decryption without knowledge of the key.

Indeed, in order to constitute an effective security measure, the relevant controller or processor must provide that:

  • The encryption algorithm used is recognized and secure;
  • The encryption keys used are of sufficient length;
  • The encryption keys used are properly managed (not on the media and in any case, not in clear text);
  • Encryption is applied to the entire medium or to a logical subdivision of it (as opposed to encryption of individual directories or files).

GDPR Point

“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.

Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.

In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

Recital 83 of the GDPR

Point of jurisprudence

The  FrenchConstitutional Council was able to recall that “The first paragraph of article 434-15-2 of the penal code punishes with a three-year prison sentence and a fine of 270,000 euros the fact that “anyone” who has knowledge of the secret decryption agreement of a means of cryptology, likely to have been used to prepare, facilitate or commit an offence, refuses to deliver it or to implement it. It results from the constant jurisprudence of the Court of Cassation, as it appears from the decision of referral of the priority question of constitutionality, that this obligation weighs on any person, including the one suspected of having committed the offence with the help of this means of cryptology.

Conseil constitutionnel, March 30, 2018, No. 2018-696

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.