We are often asked the question: "Which data do I actually have to encrypt as a company?" Answering this question is not as difficult as many people think. The European Data Protection Regulation (GDPR) mainly talks about personal data. But is that all? Above all, companies should ask themselves one important question: If I only had the information in question in paper form, would I have to shred it on disposal, or would it be a disadvantage if the information fell into the wrong hands? By that test, the data in question could be not only personal data but also, for example, secret company data. And since every company also has a competitive advantage over its competitors, there is also information worth protecting.
According to the Federal Data Protection Act, personal data is information about the personal or factual circumstances of an identifiable, living person. What exactly does that mean? Personal data is information with which a person can be uniquely identified. This information includes, for example:
- Name, age, date of birth, marital status
- Address, telephone number, e-mail address
- Account or credit card information
- Identity card or social insurance number
- Vehicle registration number
- Criminal records
- Medical records and genetic data
The identity of the data subject can be derived directly from all this information. This applies not only to stored data, but also to photos, videos, x-rays or tape recordings. The context in which information is used is decisive for its meaningfulness. One example: If your name is stored at the health authority, you may have been or may be suffering from a notifiable illness. In this context, the mere entry of your name becomes information.
Personal data is particularly popular with attackers. For example, such information can be used to steal an identity in order to commit other crimes.
The financial and healthcare industries are subject to special regulations regarding the protection of customer and patient data as so-called professional secrets. These are clearly regulated by law, and not only by the EU GDPR. But even if these special regulations do not necessarily apply to all industries, companies should treat customer data with care. The data breaches of the last few months have shown that the data protection laws are not being applied: If sensitive customer data is lost, this has a lasting effect on the company's image, and companies recover only very slowly.
Research and development data as well as information on current products and planned product launches are always sensitive information for companies. What if the data falls into the hands of a competitor? In the worst-case scenario, years of effort and financial expense are destroyed by data theft.
Financial, transaction and salary data:
In most companies, only a few employees have access to the financial data. This is not surprising, as particularly sensitive data can be viewed here. It should therefore always be protected against access by outsiders as well.
Conclusion: In fact, only a small part of all company data is really critical. Above you can see an example analysis from a customer project. In many cases it is sufficient to encrypt between one and ten percent of the data. Performance is not affected and the customer does not even notice that an encryption gateway such as the eperi Gateway is in use.