General Data Protection Regulation (GDPR) to replace the Data Protection Directive

After over 15 years of discussions and negotiation, the European Union (EU) released the Data Protection Directive (Directive 95/46/EC) in 1995. Considered the first formal data protection policy, the directive regulated the processing, collection and storage of personal data for all EU citizens and applied to companies outside the EU that processed data for EU residents. In April 2016, the EU Parliament approved the General Data Protection Regulation (GDPR) to replace the Data Protection Directive, strengthening and unifying data protection for all individuals within the EU and addressing the export of personal data outside it.

GDPR is intended to standardize how companies comply with data protection regulations when doing business in the EU or with EU citizens. The enforcement mechanisms associated with the regulation are designed to incentivize full compliance and include severe penalties for non-compliant companies. To uphold the tenets of Directive 95/46/EC, most companies adopted various encryption techniques to protect users' data at rest and in transit. This method of compliance, however, creates an even bigger challenge with respect to the rights GDPR emphasizes: the user's right to be forgotten, right to access their information, and right to rectify incorrect information. End-to-end encryption addresses a number of data protection requirements in GDPR. For example, companies that implement encryption in their email systems can use any known PKI encryption technique (S/MIME, RMS, PGP) to encrypt all their emails, and those encrypted emails can be forwarded to the archive for permanent storage. The major issue with this approach is that no archiving solution can read and index encrypted emails, so none of the user rights listed above can be honored, and satisfying them becomes very costly.

Zeva Inc. has successfully implemented solutions to this very challenge for US companies for years. Using the Zeva DecryptNaBox platform, companies are able to decrypt encrypted messages en route to the archive. With this approach, messages remain encrypted in the users' and journaling mailboxes, while at the same time a decrypted copy of each original message is sent to the archive for indexing and future search and use. Zeva's DecryptNaBox KeyDecrypt acts as an extension of the Certificate Authority and is protected at the same level as the Certificate Authority (FPKI, EU QCA and FIPS 140-2 level 3). The different editions (Lite, Standard and Professional) of Zeva's DataDecrypt Client rely on this KeyDecrypt component for session key decryption and use the decrypted session key to decrypt messages. This patented separation of duties between KeyDecrypt and the DataDecrypt Clients ensures that the users' private keys are never exposed, while enabling companies to comply with user data protection regulations.

As an extension of the DecryptNaBox suite, DataDecrypt Enterprise is a product that sits between the company's journaling mailbox and the archiving solution. It automatically detects new messages in the journaling mailbox, fetches them, extracts each message's encrypted session key, uses KeyDecrypt to decrypt the session key, and uses the decrypted session key to decrypt the message itself. It then drops the decrypted message in an SMTP folder for the archiving solution to pick up and archive. Encryption has been cited in GDPR as a method to help companies comply with data protection regulations. Companies that have experienced a breach would incur smaller fines as a result of breach follow-up activities and would not be required to notify data subjects about the breach, since appropriate data security measures, such as encryption, have been implemented.
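The separation of duties described above, as an added illustration that is not Zeva's code: a KeyDecrypt component alone holds the RSA private key and only unwraps session keys, while the DataDecrypt side decrypts message bodies with the unwrapped key and never touches the private key. The Envelope struct and the Seal, Unwrap and DataDecrypt names are stand-ins chosen for this example, not the S/MIME (CMS) wire format or the product's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope: RSA-OAEP-wrapped session key plus the AES-GCM-sealed body
// (illustrative stand-in for an enveloped message, not the CMS wire format).
type Envelope struct{ WrappedKey, Nonce, Body []byte }

// KeyDecrypt is the only component holding the private key; it unwraps
// session keys and never receives message bodies.
type KeyDecrypt struct{ priv *rsa.PrivateKey }

func (k *KeyDecrypt) Unwrap(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, nil)
}

// Seal plays the sender: a fresh AES-256 session key protects the body
// with GCM, and RSA-OAEP wraps that key to the recipient's public key.
func Seal(pub *rsa.PublicKey, body []byte) (Envelope, error) {
	buf := make([]byte, 44) // 32-byte session key + 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	sk, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sk, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(sk) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, body, nil)}, nil
}

// DataDecrypt plays the archive-side client: it holds no private key,
// obtains only the session key from KeyDecrypt and decrypts the body itself.
func DataDecrypt(kd *KeyDecrypt, e Envelope) ([]byte, error) {
	sk, err := kd.Unwrap(e.WrappedKey)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sk) // rejects a key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)           // valid AES block: cannot fail
	return gcm.Open(nil, e.Nonce, e.Body, nil) // fails on any tampering
}
```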

In summary, traditional encryption comes at a cost: encrypted material cannot be read or indexed. Zeva's DecryptNaBox platform lets companies head off this issue before it arises, so that end-to-end encryption can coexist with the other aspects of the regulation concerned with retrieving user data.
