On 02/05/18 16:12, David Turner wrote: > I've heard conflicting opinions if GDPR requires data to be encrypted > at rest Encryption both in transit and at rest is part of data protection by design: it is about making sure that you have control over the data that you hold/are processing and that if you lose physical control over the storage medium (at rest) or the communication channel (in transit) that you do not also have a loss of control (a data breach). Encrypted data, whether it includes a personal data or not, is 'protected' secure data. GDPR doesn't particularly describe encryption but the ICO guidance does and in particular "Where appropriate, you should look to use measures such as pseudonymisation and encryption." We're currently working on a Ceph based Document Management System with object encryption which needs to comply with GDPR for users - and we're opting for encrypting everything! _______________________________________________ ceph-users mailing list ceph-users@xxxxxxxxxxxxxx http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com
 |