Privacy Laws and Regulations: Where Does Encryption Apply?

By Muhammad Hamza Shahid

The importance of data is increasing on a scale never seen before, and it has become one of the most precious assets for organizations worldwide. Various privacy laws and regulations now compel companies to store their consumers’ data as securely as possible.

The latest research by IDC reveals that people will create 102.6 zettabytes of data every year by the end of 2023. Given this exponential rise in the volume of data, consumers will become an easy target for hackers and other cybercriminals.

Organizations will therefore have to improve their existing data encryption practices to stay ahead of these criminals.

Data Encryption According to the GDPR

The General Data Protection Regulation (GDPR) is one of the most significant data privacy regulations globally. This consumer privacy law treats data encryption as a crucial aspect of data privacy. Article 32, “Security of processing,” states that the controller and processor have to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the rights and freedoms of natural persons.

Likewise, companies are bound to encrypt and anonymize the personal data of their customers, and they should focus on ensuring the confidentiality and integrity of processing systems and devices. In addition, organizations are responsible for regularly testing the effectiveness of their technical measures, as this allows them to improve the security of processing over time.

Recital 83 of the GDPR discusses the consumer data protection mechanism in more detail:

“The controller or processor must examine the risks associated with the processing and implement measures or steps to reduce those risks like encryption accordingly. All these measures should help increase the overall security and confidentiality of personal data as well.”

Moreover, the processor/controller has to consider other risks inherent in personal data processing, like unlawful or accidental destruction, loss, alteration, or unauthorized disclosure of personal data, which may become a cause of material/non-material damage.

Overall, the GDPR expects companies to put data encryption into practice. At the same time, these encryption practices should secure customers’ data and reduce the risks associated with data transfer, such as cyberattacks.

That said, organizations operating in Five, Nine, and Fourteen Eyes countries face an additional challenge in the shape of those countries’ data retention laws, on top of implementing the GDPR guidelines pragmatically.

Encryption Laws According to the CCPA

The California Consumer Privacy Act (CCPA) does not explicitly require data encryption. However, organizations are encouraged to apply data security measures to the data they store.

Interestingly, there are no fines tied directly to the absence of encryption, but when a data breach does occur, companies can be liable for a penalty of $750 per consumer.

Apart from that, organizations need to fulfill data subject rights (DSRs), which is a further reason to apply encryption to the data they hold. By doing so, they can protect consumers’ data during transfer, sharing, and storage.

As per the California Civil Code Section 1798.81.5:

“A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

Encryption Laws According to the LGPD

Like the CCPA, the LGPD (Brazil’s General Data Protection Law) does not compel organizations to encrypt their customers’ data. Still, the law instructs companies to apply adequate security measures when processing their customers’ personal data.

Here, encryption plays a useful role, as it considerably strengthens the protection of consumer data. According to the LGPD, anonymous or anonymized data does not count as personal data.

Encryption Laws According to HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to implement data security to protect patient information from data sprawl and other cyber threats.

The law emphasizes the significance of encrypting protected health information (PHI) and defines it as an “addressable” requirement. As per the HIPAA encryption requirements for transmission security, covered entities should implement a mechanism to encrypt PHI whenever appropriate.

Where an organization can justify that it cannot apply the required level of encryption and provides an equivalent alternative method of data protection, it does not need to encrypt PHI.

Fines Associated with the Encryption Laws

The GDPR, CCPA, and LGPD do not specify penalties for failing to implement encryption. Nevertheless, organizations should apply the appropriate level of encryption to secure their consumers’ data and protect themselves from the possibility of hefty data breach fines.

Recently, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced its first penalty of 2020. The practice in question will pay a fine of $100,000 due to the lack of compliance with HIPAA security rules.

Encryption Best Practices

Encryption plays an important part when an organization wants to improve its security. Here is a list of practices a company can follow to implement an effective encryption program:

  • Keep your encryption keys secure; otherwise unauthorized people can access your critical customer data
  • Encrypt all types of sensitive data, following all the required data security measures
  • Evaluate the impact of the data encryption strategy organization-wide
  • Apply an effective data encryption procedure regardless of the state of the data, i.e., in motion (when being transferred), at rest (stored for later use), or in use (at the time of being generated, viewed, and erased)

Wrapping Up

Data encryption is no longer just an option for organizations. It is now a requirement due to various security issues like hacking, data theft, privacy invasion, and more, and it has become a necessity that helps companies keep their consumers’ information secure.

Therefore, organizations must follow the above-mentioned data encryption practices to encrypt all their sensitive data and enhance customers’ trust. 

Companies that are serious about safeguarding their customer information, the integrity of their data, and respecting government policies should not underestimate the value of encryption.
