"data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay"
- Article 17 of GDPR
"controller shall communicate the personal data breach to the data subject without undue delay"
"communication to the data subject referred to in paragraph 1 shall not be required if... the controller has implemented appropriate technical and organisational protection measures... in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption"
- Article 34 of GDPR
"implement measures to mitigate those risks, such as encryption"
- Recital 83 of GDPR
According to Article 17 and Recitals 65 and 66 of the General Data Protection Regulation (GDPR), "A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject." The controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
According to Article 83, the infringement of the 'Right To Be Forgotten' can lead to fines "up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher".
GDPR suggests using encryption as a good practice to protect users' data and reduce the risk of data breaches.
Article 34 states that "The communication to the data subject referred to in paragraph 1 shall not be required if ... the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular, those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption ..."
In Article 32, the regulation suggests "the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymization and encryption of personal data."
Article 6 of the regulation emphasizes "the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, take into account, inter alia: (e) the existence of appropriate safeguards, which may include encryption or pseudonymization."
This business is all about trust. Given what I know, I trust Jetico.
- Bruce Schneier, Leading Security Expert & Author