The General Data Protection Regulation (GDPR), an EU law that entered into force on 25 May 2018, imposes hefty fines on legal and natural persons who unlawfully collect and process personal data. More specifically, the fines can be up to 20 million euros or 4% of the global turnover of the infringer, whichever is higher. The reputational damage resulting from non-compliance with the GDPR may be even more severe.
Realising the importance of the GDPR and its global scope (it also applies to non-EU organisations processing personal data of EU residents), many companies based in and outside the EU have commenced comprehensive GDPR-compliance processes. However, many of them still underestimate the importance of secure communication channels. Even the United Nations (UN) learned the importance of secure communication the hard way. During the conflict in Bosnia, unsecured UN messages were intercepted by one of the parties to the conflict and used for planning military attacks. Shortly afterwards, the UN started using secure communications to prevent such incidents.
In the context of the GDPR, the lack of secure communication may allow third parties (e.g., hackers) to access, without authorisation, personal data processed by an organisation. The stolen data may be used to commit identity theft and other illegal acts. To prevent unauthorised access to personal data, Article 32 of the GDPR requires organisations processing personal data to “implement appropriate technical and organisational measures”, including, but not limited to, encryption of personal data.
The term “appropriate technical and organisational measures” is broad and not explicitly defined, although Article 32 lists a few exemplary measures. This means that, in case of an investigation, the data protection authorities of the EU countries will have full discretion as to what constitutes an appropriate measure within the meaning of the GDPR. Hence, organisations willing to comply with the GDPR need to have evidence that can be used to persuade the data protection authorities that appropriate technical and organisational measures have been taken. The evidence may include the use of messaging applications relying on end-to-end encryption. Such applications are particularly suitable for proving GDPR compliance because the exemplary measures listed in the GDPR include “encryption of personal data.”
To avoid claims that a messaging application is not an appropriate technical measure within the meaning of the GDPR, it is necessary to use messaging applications based on strong encryption algorithms. FortKnoxster, for example, uses military-grade encryption, which makes the unauthorised decryption of encrypted messages virtually impossible. Another advantage of FortKnoxster is that the authenticity of all messages exchanged through it is verified, with the aim of preventing tampering.
End-to-end encrypted messaging applications may not only facilitate GDPR compliance, but also reduce the compliance costs associated with it. An organisation willing to develop its own end-to-end encrypted messaging application will incur substantial costs for software development and testing. The fees for using ready-made messaging applications like FortKnoxster constitute just a small fraction of those costs.
It is worth mentioning that, although one can find many free-of-charge messaging applications that claim to use end-to-end encryption, it is preferable to use paid applications. This is because most free applications base their revenue models on using some data of their users. They may sell or otherwise transfer such data to undefined third parties or use the data to generate customised advertising banners. This may lead to complications in achieving GDPR compliance, as the GDPR requires a clear understanding of the flows of personal data within and outside the organisation concerned.
In conclusion, end-to-end encrypted messaging applications allow organisations to ensure and prove GDPR compliance at a reasonable cost. Thus, they reduce the risk of fines and reputational damage resulting from non-compliance with the GDPR.
About Dr. Daniel Dimov
Dr. Daniel Dimov is an EU-based licensed attorney-at-law specializing in Internet law.
Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC) as well as an arbiter with the Asian International Arbitration Centre.
FortKnoxster was founded by skilled entrepreneurs and cyber-security experts with extensive experience in the field of online security and cyberdefence. By utilizing our advanced cryptographic solutions combined with the power of the blockchain’s decentralized structure, FortKnoxster makes the world a safer place.