Security & GDPR

Data encryption: in transit and at rest

What encryption in transit and at rest is, why both are necessary, how keys are managed, and the role it plays in GDPR compliance.

Data Layer Team, Aug 15, 2025

Key takeaways

  • Encryption in transit protects data while it travels; at rest, while stored.
  • Both are necessary: protecting one and not the other leaves a gap.
  • Secure key management is as important as the encryption itself.
  • Encryption is a key measure for GDPR compliance (Art. 32).
  • End-to-end encryption is the best-practice reference.

Encryption is one of the most effective and least understood security measures. Many executives assume "our data is encrypted" without knowing what that means or whether the protection covers the whole data lifecycle.

What it is

Encryption transforms data into a format unreadable to anyone without the decryption key. It applies at two moments of the data lifecycle, and both are necessary for complete protection.

The two modes

[Figure: In transit (data moving; TLS protocols) and at rest (data stored; disks, backups). Caption: Encryption in transit and at rest: both necessary to protect the full lifecycle.]

In transit

Protects data while it moves between systems — app to API, client to server, between data centres — relying on protocols like TLS. Without it, an attacker intercepting the communication could read the data in the clear.

At rest

Protects data while stored on disks, databases or backups. If someone accessed the storage or stole a medium, the data would remain unreadable without the key.

Key management

Encryption is only as strong as the protection of its keys. Secure management — storage in dedicated modules, periodic rotation, access control — is as important as the algorithm. Standards like ISO/IEC 27001 dedicate specific controls to it.

Encryption and the GDPR

The GDPR cites encryption as an appropriate technical measure to protect personal data (Article 32). Though not mandatory in every case, it reduces risk and, in a breach, can ease notification obligations if the encrypted data is unintelligible.

Strong encryption with poorly protected keys is useless: key custody matters as much as the algorithm.

In summary

Encryption makes data unreadable without the key, in transit (while travelling) and at rest (while stored) — both necessary. Secure key management is as critical as the encryption itself, and encryption is a key GDPR measure that also limits the impact of a breach.

Frequently asked questions

Is encrypting stored data enough?

No. Data in transit must also be encrypted. Protecting only one of the two moments leaves a gap through which data could be exposed.

Is encryption mandatory under the GDPR?

The GDPR cites it as an appropriate measure (Art. 32) but does not impose it in every case. It is a best practice to reduce risk and protect personal data.

What is most critical about encryption?

Key management. Strong encryption with poorly protected keys is useless, so key custody and rotation are essential.

What is the difference between in transit and at rest?

In transit protects data while moving between systems; at rest protects it while stored on disks, databases or backups.

Does encryption protect me in a breach?

It reduces the impact: if compromised data is encrypted and unintelligible, the GDPR can ease notification obligations. It limits the damage.

What is end-to-end encryption?

Encryption where data stays protected along its whole path and is only decrypted at authorised endpoints — the best-practice reference.
