Tresorit Encryption Whitepaper


Ensuring GDPR compliance with end-to-end encryption
Regulation and technology overview of encryption and compliance

Tresorit Whitepaper

Introduction: why the GDPR matters for your business

The GDPR is a comprehensive regulation that unifies data protection in all EU countries.
It has applied directly in all EU member states since 25 May 2018.

The GDPR has a very broad territorial scope and applies to any organization that
manages the personal data of individuals who are based in the EU, regardless of where
the organization is registered. Non-compliance leads to severe consequences. Fines may
amount to a maximum of EUR 20 million, or 4% of global annual turnover.

The GDPR requires organizations to implement reasonable data protection measures to
protect the personal data of consumers and employees against data loss or exposure.
To achieve that goal, the law regulates all areas related to data management and
processing, from obtaining user consent to setting up company-wide data protection
practices and handling data breach incidents. This whitepaper helps you to explore why
the GDPR highlights encryption as an important technology measure to safeguard data.
It also details how encryption, especially end-to-end encryption, helps your business
manage data in the cloud in a GDPR compliant way.


“The GDPR will change not only the European data protection laws
but nothing less than the world as we know it.”

Jan Philipp Albrecht, MEP, EU rapporteur on GDPR

Why encryption helps GDPR compliance

1. Encryption makes data processing in the cloud less risky.

Cloud-based applications are convenient and useful, but they can create risks for
your data. Under the GDPR, your organization as a data controller is responsible for
protecting all personal data you manage throughout its lifecycle, from collection to
forwarding, including when you manage it with cloud-based services.


The GDPR highlights encryption as one of the appropriate technical and
organisational measures to ensure data protection.

“The controller and the processor shall implement appropriate
technical and organisational measures to ensure a level of
security appropriate to the risk, including inter alia as appropriate:
the pseudonymisation and encryption of personal data”

GDPR Article 32. Security of Processing

2. Encryption keeps personal data secure from third party access.

In case of a data breach or leak, encryption, and especially end-to-end encryption,
makes the re-identification of persons from the leaked datasets impossible with
reasonable efforts.

“Using robust end-to-end encryption to safeguard personal data is
both a responsible choice and a key step towards compliance.”

Paolo Balboni, Ph.D., Founding Partner of ICT Legal Consulting and
President of the European Privacy Association

3. End-to-end encryption wins. 


The GDPR does not specify technologies such as algorithms and their applications.
However, how encryption keys are managed determines whether the re-identification
of persons from a leaked dataset is possible. End-to-end encryption with client-side
key management provides significantly stronger protection for personal data.

At-rest, server-side encryption

With channel & at-rest encryption, the cloud provider has access to the encryption
keys and the server stores the data in an unencrypted format as well. Thus, in case
of a breach, re-identification of the persons from the leaked dataset is technically
possible.


[Figure: Alice, server & storage, and Bob with at-rest, server-side encryption]

End-to-end encryption

With end-to-end encryption, the cloud provider doesn’t have access to encryption
keys. The server stores the encryption keys and user contents only in an encrypted
format. This way, end-to-end encrypted cloud service providers like Tresorit can
never access the contents of user files. The re-identification of persons from the
end-to-end encrypted data is infeasible, even in case of a server-side data breach.
When a breach happens, only the encrypted data leaks and no one can read the
contents. The personal data of your staff and clients is not threatened.

[Figure: Alice, server & storage, and Bob with end-to-end encryption]
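
The two storage models described above, as an added example (not part of the whitepaper and not Tresorit's implementation): a generic AES-256-GCM plus RSA-OAEP hybrid scheme in Node.js, showing what a copy of the server's records reveals in each model. Function names, the 2048-bit RSA key (chosen for speed) and the sample record are assumptions.

```javascript
// Added illustration: generic hybrid encryption (AES-256-GCM + RSA-OAEP).
// Not Tresorit's protocol; function names and the 2048-bit RSA size are assumptions.
const nodeCrypto = require('node:crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

function aesEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function aesDecrypt(key, { iv, ct, tag }) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// Model 1, at-rest server-side encryption: the provider creates and keeps the key.
function serverSideStore(plaintext) {
  const key = nodeCrypto.randomBytes(32);
  return { key, blob: aesEncrypt(key, plaintext) }; // key sits next to the data
}

// Model 2, end-to-end: the client encrypts and wraps the file key with the
// recipient's public key; the server only ever receives this return value.
function clientEncryptFor(publicKey, plaintext) {
  const fileKey = nodeCrypto.randomBytes(32);
  const wrappedKey = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, fileKey);
  return { wrappedKey, blob: aesEncrypt(fileKey, plaintext) };
}
function clientDecrypt(privateKey, { wrappedKey, blob }) {
  return aesDecrypt(nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrappedKey), blob);
}

// Breach assessment: try every 32-byte value in a leaked server record as an
// AES-256 key. Returns the plaintext, or null if the record is unintelligible.
function readFromLeak(record) {
  for (const v of Object.values(record)) {
    if (!Buffer.isBuffer(v) || v.length !== 32) continue;
    try { return aesDecrypt(v, record.blob).toString(); } catch { /* tag mismatch */ }
  }
  return null;
}

const bob = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const row = Buffer.from('Jane Example;1984-02-29;payroll'); // constructed sample record
console.log('server-side leak:', readFromLeak(serverSideStore(row)));
console.log('end-to-end leak: ', readFromLeak(clientEncryptFor(bob.publicKey, row)));
```

In the end-to-end case the leaked record still decrypts for the holder of the recipient's private key via `clientDecrypt`, which is why the protection depends on that key never leaving the client.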

The advantages of using encryption in ensuring GDPR compliance

✓ Protect the personal data of employees, customers, partners, and users. Increase
trust for your service and organization by complying with the law and using the
strongest data protection technology.

✓ Simplify compliance. When using end-to-end encryption in the cloud, your personal
data stays within company walls, even when using the cloud. Even in case of a data
breach, encrypted data is not in danger.

✓ Reduce liability in case of a breach. If you apply end-to-end encryption, you are
using an appropriate safeguard that is recommended by the GDPR. This can reduce your
liability.

✓ Save costs of data breach notifications and potential fines. When using encryption,
your organization is not obliged to notify your customers or users on data breaches.

Relevant GDPR articles and how end-to-end encryption technology helps to comply with them

Article 6. Lawful basis of processing

GDPR Article: “The controller shall, in order to ascertain whether processing for
another purpose is compatible with the purpose for which the personal data are
initially collected, take into account, inter alia: appropriate safeguards, which may
include encryption or pseudonymisation.”

Why end-to-end encryption helps: End-to-end encryption is highlighted as an
appropriate safeguard for protecting data. Data controllers must further process data
with third-party processors by protecting data in a compatible way with the original
legal basis and applying safeguards like encryption.

Tresorit technology:
✓ End-to-end encryption is done on the client side: no user file is ever sent to the
cloud unencrypted, encryption keys stay at the user’s side and never reach Tresorit
servers
✓ Using industry standard cryptography algorithms: AES-256, RSA with 4092 bit long keys
✓ Patented key management technology for sharing end-to-end encrypted content.

Article 32. Security of Processing

GDPR Article: “The controller and the processor shall implement appropriate technical
and organisational measures to ensure a level of security appropriate to the risk,
including inter alia as appropriate: the pseudonymisation and encryption of personal
data”

Why end-to-end encryption helps: End-to-end encryption protects personal data in the
cloud from third-party access. By using end-to-end encryption, the data controller
achieves compliance with Article 32 GDPR.

Tresorit technology:
✓ See above.

Article 34. Communication of a personal data breach to the data subject

GDPR Article: “The communication to the data subject referred to in paragraph 1 shall
not be required if any of the following conditions are met: the controller has
implemented appropriate technical and organisational protection measures, and those
measures were applied to the personal data affected by the personal data breach, in
particular those that render the personal data unintelligible to any person who is
not authorised to access it, such as encryption;”

Why end-to-end encryption helps: If encrypted, especially end-to-end encrypted, data
leaks, the re-identification of persons from this dataset is infeasible. Therefore,
companies don’t have to notify users.

Tresorit technology:
✓ See above.

Learn more about our security: https://tresorit.com/security

Article 25. Data protection by design and by default

GDPR Article: “The controller shall, both at the time of the determination of the
means for processing and at the time of the processing itself, implement appropriate
technical and organisational measures.”

Why end-to-end encryption helps: Organizations must develop internal data protection
processes and products with data privacy in mind from the ground up.

Tresorit technology:
✓ Data governance features: file permission control, DRM, user group management
✓ Admin Center to set company-wide security policies (IP restrictions, disabling
local sync, etc.)
✓ Tresorit ZeroKit – our SDK allows developers to integrate our end-to-end encryption
into their own services.

Learn more about our data control: https://tresorit.com/business

What is personal data?

The GDPR only applies to personal data. Personal data is any information relating to an
identified or identifiable natural person (“data subject”). Examples: a name, an
identification number, location data, an online identifier, or factors specific to the
physical, physiological, genetic, mental, economic, cultural or social identity of that
person.

Under the GDPR, all businesses should take measures to minimize the amount of
personally identifiable information they store, and ensure that they do not store any
information for longer than necessary.


How does end-to-end encryption protect personal data?
The data controller’s end-to-end encrypted documents, such as a spreadsheet with
employee details stored with Tresorit, may contain personal data. As the data controller
has the encryption key to decrypt the files, they can re-identify the person the data
belongs to. However, from the perspective of the end-to-end encrypted data
processors like Tresorit, this spreadsheet does not contain any personal data because
Tresorit, as service provider, does not have the decryption keys to the files. Thus,
Tresorit is unable to re-identify the persons.

Is Tresorit already compliant?

Tresorit handles all user data with utmost care, and due to our end-to-end encryption,
we are technically unable to access the contents of user files. We are currently working
on finalising our ISO27001 compliance process which complements our GDPR efforts.
Tresorit as a company itself will be compliant with GDPR by the time it is applied.

Learn more at:


tresorit.com/gdpr
tresorit.com/business

This whitepaper has been prepared only for the purposes of general information. It is not legal advice, and
should not be used as legal advice. For information specifically tailored to your business situation, please
seek professional legal counsel.
