3

GDPR aims to set standards (and requirements) on how sensitive data should be stored. However, I couldn't find any information on how (or even if) GDPR applies to sensitive data in a volatile state.

As an example, what if we are in the process of collecting data about users (with their consent) in order to store it? This data goes through the machine's RAM (like everything else that runs on the computer), where it could potentially be intercepted by malware and therefore potentially enable leakage of sensitive information.

Is there a section in GDPR that addresses sensitive data in a volatile form, or is it a potential loophole? (I'm mainly thinking about whether the data should be encrypted while in memory.)

dben
  • 133
  • 5
  • 3
    GDPR does not set standards on how data should be stored. It only sets a standard for the *outcome*, which means it doesn't matter if it is volatile storage or not. – schroeder Apr 28 '20 at 07:35

3 Answers

5

The GDPR isn't just about storing sensitive data, but it's more general. In fact, it's actually about processing personal data. Here are a few interesting quotes from the GDPR that you might want to consider (emphasis added):

Article 2(1) - This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

Recital 15 - In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.

Article 4(6) - ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis;

Article 32(1) - Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: [...]

Article 32(3) - Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

Article 40(2) - Associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation, such as with regard to: [...] the measures to ensure security of processing referred to in Article 32;

Article 42(1) - The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. [...]

To sum up, if you process personal data in an organized way, the GDPR applies to it. An array of strings containing personal data stored in volatile RAM could be considered a "filing system", for example. The GDPR doesn't tell you any details about the security controls you should implement. However, it does tell you that it all depends on the level of security appropriate to the risk, and it also tells you that there might be certification bodies or specific codes of conduct for certain fields that will help you demonstrate compliance. In other words, if you are processing email addresses for the purpose of managing a simple student's blog, your security requirements will definitely be very simple. On the other hand, if you run a business that deals with health data, chances are you need to consult a lawyer (or more than one), and think about getting some ISO certifications, for example.

reed
  • 15,398
  • 6
  • 43
  • 64
  • GDPR applies to processing of personal data (Art 2). Electronic means generally imply automated means. Processing covers a wide variety of activities, and *storage* is only one of them (Art 4(2)). Encryption must always be considered (Art 32(1)(a)), but only has to be used where appropriate. For example, RAM encryption with Intel SGX could be appropriate in some scenarios. Not sure whether the other cited stuff like codes of conduct or certifications is relevant in this context. – amon Jan 28 '21 at 07:22
2

Short answer: GDPR does not strictly require you to use encryption.

Long answer: There are no guidelines on how to see encryption in the scope of the GDPR, which really is a pity given the existing confusion. However, there are some guidelines mentioning encryption. But guidelines are not something mandatory.

Although the GDPR obviously requires that organizations take the appropriate technical and organizational measures regarding the protection and security of personal data, that does not translate into encryption. Encryption of personal data is recommended, but the GDPR, strictly speaking, does not say you must use encryption, as some claim, since the GDPR says what it says and only jurisprudence and instances such as supervisory authorities and the proper EU authorities have the power of interpreting and/or amending it. In specific circumstances encryption is important when considering context and risks. National supervisory authorities can also follow guidelines on implementation and take some decisions about it or make recommendations.

In case of a personal data breach, the personal data breach notification duty and other obligations, the encryption question typically will appear at the level of some national supervisory authorities. They, in turn, recommend that data controllers have a policy in place for staff on when to use and when not to use encryption. That policy can already be established considering your exact situation, so you can certainly cover encryption of volatile data if you want.

Overmind
  • 8,779
  • 3
  • 19
  • 28
2

Although, I couldn't find any information on how (or if even) GDPR applies for sensitive data in a volatile state

GDPR indicates that data should be protected in storage, in processing and in transit.

The data in volatile memory is (in most cases), and shall only be, accessible to trusted processes: the child or parent process or processes. Basically, make sure the process cannot be hooked, even for examination purposes. Sensitive data shall only be stored in mutable variables, which allow nullification of the memory after use. Your data will be in clear text at some point in time while processing, and that is fine as long as you have all the security patches applied and enable all the memory-related protection mechanisms your OS provides. Our next task is to make sure the cache does not hold on to the memory; it shall hold it only long enough to process the sensitive data, if it is allowed to hold it for whatever reason.

Arpit Rohela
  • 573
  • 2
  • 12
  • 3
    These are good suggestions, but could you emphasise that these are all your implementation-level suggestions, and none of them are directly required by the GDPR. I'll certainly +1 after that! – Esa Jokinen Apr 28 '20 at 09:38
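The "mutable variable, nullified after use" point from the answer above, shown as an added C example that is not the answerer's code. A personal-data record is copied into a mutable stack buffer, processed, and then wiped through a volatile pointer so the compiler cannot drop the clearing as a dead store; the function then reports whether the wipe actually held. A string literal or other immutable storage could not be cleared this way, which is the reason behind the mutable-variable advice. The sample e-mail address is constructed, and the names secure_zero, is_zeroed, count_at_signs and process_and_wipe belong to this example only.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer in a way the optimizer must honour: stores through a
 * volatile pointer cannot be removed as "dead" even though the buffer is
 * about to go out of scope. Platform primitives (explicit_bzero, memset_s,
 * SecureZeroMemory) are preferable where available; this is the portable
 * fallback that implements the same idea. */
void secure_zero(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Return 1 if every byte of buf is zero, 0 otherwise. Constant-time style
 * accumulation so the check itself does not short-circuit on content. */
int is_zeroed(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= buf[i];
    }
    return acc == 0;
}

/* Stand-in for the real processing step on the record (here: count the
 * '@' characters, i.e. 1 for a plausible e-mail address). */
size_t count_at_signs(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '@') {
            n++;
        }
    }
    return n;
}

/* Copy a NUL-terminated record into a mutable working buffer, process it,
 * wipe the buffer, and return 1 if the wipe held, 0 if not, -1 if the
 * record does not fit. The processing result is written to *out_at_signs. */
int process_and_wipe(const char *record, size_t *out_at_signs)
{
    unsigned char work[256];            /* mutable working copy on the stack */
    size_t len = strlen(record);
    if (len > sizeof(work)) {
        return -1;                      /* refuse rather than truncate silently */
    }
    memcpy(work, record, len);

    *out_at_signs = count_at_signs(work, len);

    /* Clear the whole buffer, not just the bytes used, so nothing lingers
     * from this call in the part of the frame the record did not fill. */
    secure_zero(work, sizeof(work));
    return is_zeroed(work, sizeof(work));
}

int main(void)
{
    /* Constructed sample record; not a real person's data. */
    const char *sample = "jane.doe@example.invalid";
    size_t at_signs = 0;
    int wiped = process_and_wipe(sample, &at_signs);
    printf("at signs: %zu, buffer wiped: %s\n", at_signs, wiped == 1 ? "yes" : "no");
    return wiped == 1 ? 0 : 1;
}
```

Wiping the buffer only covers this process's own copy; data already swapped to disk, copied by the OS into caches or page files, or duplicated by a library the record was passed to is outside this function's reach, which is why the answer also points at OS-level memory protections.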