Adventures in Data Wonderland: Why Marketers Need to Go Down the Encryption at Rest Rabbit Hole

By Andrew Jackson, Concep Director and Rory Taylor, Concep Technical Operations Director

In a GDPR world, it is worth looking at what it means for the secure storage of customer information – especially relating to the encryption of data. Sensitive information must be processed transparently, limited to the purpose for which consent was given and stored only for the amount of time for the purpose for which the data was processed. Sensitive information must be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. 

Customer Power

GDPR now hands power to the customer. They can revoke consent at any time and request that their data is deleted. With this shift in power, professional service firms need to make a connection between what their customer base wants and what the firm can actually deliver. With recent data abuse incidents – such as Facebook and Cambridge Analytica - customers are now far more aware of how organisations use their personal data and are far more vocal thanks to social media.

Encryption at Rest

Encryption plays an important role in the safeguarding of personal data.  GDPR states when protections must be implemented but does not specify how this should be done.  One key area that professional service firms often overlook or fail to understand fully is the encryption of data ‘at rest’.

Data at rest means inactive data that is stored physically in any digital form.  Many cases of data breach are not just hackers accessing data ‘in motion’ or ‘in use’ but data ‘at rest’ that’s simply lost. While data at rest is sometimes considered to be less vulnerable than data in transit, attackers often find data at rest a more valuable target.

Professional service firms must also assess the long-term storage of sensitive customer data – that is held intentionally or unintentionally – on their hard drives.  This directly contradicts one of the key requirements of GDPR – the limited timeframe data should be kept.

Cloud Busting

One of the key areas of contention is who encrypts a firm’s data and where it is stored – especially in terms of cloud storage.   Many professional service firms are still wary of using clouds services and its supposed security concerns.  For many firms, the idea of not having your server in an ascribed physical location is worrying.  The advent of GDPR has polarised this concern – this is mirrored in a recent survey of 250 IT security professionals*.   Just over half of respondents felt GDPR data security requirements would keep them from putting sensitive data in the cloud and for majority (85%) this was due to lack of confidence in protection of sensitive data.

However, this fear of cloud computing and its effectiveness for data protection is, in fact, mostly groundless.   Like the old term - ‘throwing the baby out with the bath water’ – cloud computing is just the medium that delivers storage, services and functionality.   Its effectiveness and security is down to the individual cloud computing providers and the layers of technology they invest in and deliver to the customer.   Often, these SaaS providers invest in the latest security and encryption layers of technology.  It is more a customer’s deeply seated reluctance to hand over core and sensitive processes to an outside provider – a fear that has been exacerbated by new GDPR legislation.

Going Down the Data Rabbit Hole

Data encryption has become a hot topic.   It is different from data protection which concerns data ‘on the move’ when it is transferred between servers. Encryption of data ‘at rest’ is something that needs to be on the radar of firms thinking about their compliance and security issues. 

Surprisingly, it is tech savvy marketeers that are often the first to raise the issue of encryption of data ‘at rest’.   And they are surprised that they are the first to raise the issue!   Most understand the issue of risk compliance – but it is sometimes only flagged when auditing or changing suppliers.  In trying to explain the technical intricacies of data encryption to marketing people, we have, traditionally, shied away from its complexities.  This is to ensure that they don’t get lost going down the data rabbit hole.  However, given the raised profile of data encryption, now is the right time for tech literate marketing people to adventure into the data wonderland.

Working in Perfect Harmony

Marketing people, involved with the adoption of new email marketing systems, need to work with their risk and compliance IT teams at the start of the journey to ensure maximum success.   It is essential that both marketing and IT work together in perfect harmony.   It is important that IT is comfortable where the data is hosted and how it is protected during transit and at rest.

The marketeer needs to understand intimately what email marketing’s constituent elements are – the sort of data used for email marketing that is held on servers; where it’s located; and how, at a high level, the data is encrypted.   At this point, the IT / compliance people should be looped into the conversation and decision-making process.  They should be given enough information to help everyone make an informed choice.  What you don’t want is a scramble to make vital decisions at late stages of the procurement process.

Approved suppliers

It is important to work with approved email marketing technology providers who can competently integrate multiple technologies in a proven fashion.  If the solution company is approved and has a proven track-record, then it can navigate the internal workings of a firm far more easily and meet all the anticipated risk hurdles.

To have total peace-of-mind, you need to know that your data is being monitored 24/7 for possible security incidents were a data breach or data loss might happen.  At Concep, we continually review the security solutions we have in place.  Alongside implementing encryption of data at rest, we are also upgrading our security event monitoring.  This uses state-of-the-art intrusion detection, security incident and event management solutions that ensure client data has the highest level of protection.

(*Market research by Eperi)