How Does SSL Fit into GDPR?

Apr 26, 2018 Tim Callan Alerts & Notices

GDPR (General Data Protection Regulation) is a broad-reaching regulation meant to protect the private data of Europeans in IT systems.  The 99-article regulation is very long and covers a broad variety of topics.  Announced in 2017, GDPR will go into effect as a requirement on May 25, 2018.  GDPR applies to any company doing business in Europe even if it is located elsewhere.  So for any business with an online presence that is available for Europeans to use - if you sell to Europe or give access to online services - you need to be GDPR compliant or potentially face massive fines.

Though it does not contain any specific section on the use of SSL certificates, GDPR has clear requirements that can only be addressed through the use of SSL certificates.  Article 32 of the regulation ("Security") begins this way:

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

In other words, GDPR states that regulated information must be protected with "appropriate technical and organisational measures," including encryption of personal data and the ability to ensure the ongoing confidentiality of systems and services.  Digital certificates (including TLS/SSL) and encryption have been de facto requirements for all confidential communications across the open internet more more than 30 years and are among the most ubiquitous computing paradigms in place today.

So what data are affected?  The regulation includes nearly any personal data including PII (personally identifiable information), PHI (personal health information), web usage information, and a set of personal characteristics such as race, sexual orientation, and political opinion.

The good news is that from an SSL perspective GDPR aligns with well understood best practices anyway.  If you're putting all your site pages under https and using certificates to authenticate and encrypt communications between internal systems, you're meeting the GDPR requirements for that component of data protection.  And if you're not, you should be doing so anyway in order to protect your customers, protect your own business, and maximize confidence in your site.