The amount of personal data used by an organization can be difficult to quantify, but it’s safe to say that it is significant and will continue to grow — think customer data, employee data, applicant data, etc.
The organization, as the ultimate controller of confidential employee and customer information, is responsible for protecting that data whether it is stored in house or in the cloud.
Data Encryption in SAP SuccessFactors
Data encryption converts clear text into scrambled, unintelligible, cipher-text using non-readable mathematical calculations and algorithms. Restoring the text requires a corresponding decryption algorithm and the original encryption key. By default, SAP SuccessFactors solutions protect data using Transport Layer Security (TLS) 1.2 256 bit encryption for data in-transit and Advanced Encryption Standard (AES)-256 bit encryption for data at rest. If you are not deeply familiar with data security, you may just glaze over when you read or hear terms like “TLS protocol,” “AES,” and “256-bit encryption.” So what are they?
The TLS protocol creates a secure, authenticated communications channel between sender and receiver, allowing client/server applications to communicate securely – without eavesdropping, tampering, or message forgery. AES is a method of encrypting raw information — usually human readable — into something that cannot be read. The most important thing to know about 256-bit encryption is that it is very secure. The 256 number refers to the length of the encryption key used to encrypt the data. It would require 2256 different combinations to break a 256-bit encrypted message. To put that into perspective, 232 is about 4.3 billion combinations, so you can only imagine how many billions and billions of combinations are in 2256.
Encryption and the General Data Protection Regulation
Can encryption and pseudonymization help organizations meet the GDPR’s data security requirements? GDPR stipulates that both controllers (the entity that determines how the data will be used) and processors (the entity that processes the data) must implement appropriate technical and organizational protection measures to secure personal data. According to its Article 32, controllers and processors can use pseudonymization and encryption to help meet the GDPR’s data security requirements.
As an example, GDPR mandates that authorities be notified of a data breach within 72 hours after becoming aware that a security breach destroyed, altered, or made personal data readable by unauthorized individuals (see also Articles 4 (12), 33 GDPR). If breached data is adequately encrypted or pseudonymized to make the personal data unrecognizable, notification may not be required as the breach is unlikely to result in a risk to data privacy rights of the individuals concerned. Using encryption or pseudonymization may limit the scope of data that falls under breach notification rules, thus reducing remediation costs, fines, and damage to reputation.
What’s the Take Away?
Encryption is vital to protecting personal data. SAP SuccessFactors solutions are delivered with strong, built-in 256-bit encryption for data in transit and at rest.
Applying the right data protection methods is important not only for protecting personal data but also for reducing exposure to breach notification provisions. Encryption is therefore an important part of an organization’s strategy for minimizing the risk of personal data leaks and helping meet data protection obligations.
Learn more about how SAP SuccessFactors can help you prepare for the General Data Protection Regulation here.
Kim Lessley is director of Solution Management for Cloud Security at SAP SuccessFactors.