The new regulations mainly affect private operators, as similar rules already exist for public authorities. This means that companies, associations, foundations and all other non-public actors working with data will have to establish new encryption methods.
The obligation to encrypt applies only to sensitive and confidential personal data as defined by the GDPR, which includes ethnicity, political and religious beliefs, memberships, sexuality, fingerprints, social security number and information covered by a duty of confidentiality.
A concrete assessment of whether the data in question is "sensitive and confidential" is mandatory, so each case must always be considered individually. Companies are therefore advised to establish a minimum standard that takes into account their industry and the types of information they process. The encryption and data security requirements set by the Data Protection Agency must be complied with. In the private sector, TLS (Transport Layer Security) must be used as a minimum; it protects the data while in transit between sender and receiver. Please note that the strength of the protection must be proportionate to the concrete security risk at hand.
Article provided by: Dr. Claas Thöle (NJORD Law Denmark)