How Quantum Metric PII Data Encryption ensures GDPR compliance.

December 14, 2022 By: Hannah Middleton

A European Union General Data Protection Regulation (EU GDPR) survey found that while two-thirds of business leaders acknowledge using end-to-end encrypted email, only 9% could name at least one service used for encryption.

Lack of Personally Identifiable Information (PII) data encryption could potentially expose personal data in the event of a breach. And the failure to protect PII—the types of data that could reveal a person’s real identity—can result in hefty fines for the affected company. 

Additionally, this is a serious compliance issue because all businesses that process the data of EU customers must adhere to GDPR data privacy and security requirements. 

As such, GDPR suggests encryption algorithms as a technical solution to data security and protection. But how do digital experience analytics platforms like Quantum Metric guarantee GDPR compliant encryption and support your company in being GDPR compliant?

Understanding PII data.

The EU GDPR is a law put into effect in May 2018 that provides guidelines on data security and privacy. It applies to any business selling goods and services to EU citizens and residents, even if the seller isn’t physically located in the EU.

The EU’s GDPR defines PII personal data as any piece of information that can directly or indirectly be used to identify a natural person who is alive. It includes details such as a person’s name, physical address, date of birth, credit card details, physical features such as height and eye color, email addresses, employment valuations, and social security numbers.

It’s important to note that GDPR compliance is mandatory when a company partly or wholly processes the personal data of EU citizens electronically or manually to be part of a filing system.

Any business handling personal data for EU customers must implement appropriate measures to protect PII data to be GDPR compliant. For example, financial services, travel, retail, telecom, and gaming businesses should consider GDPR encryption.

Chapter 15 of the United Kingdom’s Company Act 2006 states that incorporated legal companies are legal persons. GDPR clarifies that although companies are considered persons, they are ‘legal persons’ and not ‘natural persons.’

This distinction is important. It means that company data isn’t personal data. GDPR further explains that data is considered personal if the identified natural person is alive. It also defines pseudonyms as personal data if the information can easily define someone.

The theft of personal data is very lucrative to hackers and extremely expensive in terms of financial, operational, and reputational loss for companies to respond to and manage. That’s why implementing encryption, and partnering with trusted software platforms that commit to encrypting data, are so important.

In one example of data privacy gone wrong, a laptop belonging to a Lifespan Health employee was stolen in 2017. The hackers accessed unencrypted health information, including patient names, prescribed medication, addresses, and medical record numbers belonging to 20,431 people.

This failure to encrypt data violated the 1996 United States Health Insurance Portability and Accountability Act (HIPAA), a federal law put in place to protect the health information of patients and health plan members. It also states that patients must be immediately informed if a data breach affects their health records.

As a result, Lifespan had to pay over $1 million for violating HIPAA.

Similarly, GDPR has costly fines when the right to privacy and the right to be forgotten are violated. Less severe data security violations cost up to €10 million (equivalent to US$10 million), or 2% of the business’s worldwide annual revenue from the previous financial year—whichever option is higher.

More severe data security violations can cost €20 million (US$20 million) or 4% of the previous year’s total world revenue.

As noted earlier, the loss of PII data can be costly. You may lose large sums of money to cyber attackers in the form of a ransom payment, as well as pay hefty fees for violations. Therefore, you should consider encrypted data as a data security and protection technique.

What is data encryption, and who needs it?

Data encryption is the process of digitally encoding information to hide its true meaning so that only authorized users can make sense of the information. Usually, information is coded with encryption keys, and only someone with the correct key can access and subsequently decrypt this information.

How data encryption protects against data breaches.

Data breaches occur when there’s a loss of control, unauthorized access, and compromise of physical or electronic data, and, as noted above, can be very costly to the affected business.

The global average data breach cost in 2022 is $4.35 million. This number includes fines, lost business, reputation damage, and the ransom cybercriminals might demand to return sensitive data. 

Fortunately, data encryption protects personal data by making the information unreadable and useless when accessed. Simply put, you stop a security breach from escalating into a data breach when you have an advanced encryption solution in place.

Data encryption is vital for all stages of a data journey and will protect data during processing, transfer, and in storage. Encryption also limits data access to any unauthorized persons within the company, reducing the chances of data breaches caused by insider misuse.

GDPR guidelines on encryption.

According to the GDPR guidelines, you can only process personal data in six instances. Any reason outside of these is illegal.

  1. The customer has given specific, unequivocal consent—for example, through opt-in to your marketing list or mailing list.
  2. You need personal data before entering into a contract. An example of this instance is Know Your Customer (KYC) in banking.
  3. You need personal data to comply with the laws of the land. For example, financial service providers must collect personal data.
  4. You need personal data to save a life.
  5. You demonstrate a legitimate reason to process personal data. The law, however, prioritizes the data subject’s rights, especially in the case of children.
  6. You need personal data for official functions or tasks that benefit or interest the public.

Moreover, once you have a legitimate reason to process personal data, you should observe these seven GDPR-approved PII data protection and accountability principles.

  1. Process data lawfully, fairly, and transparently.
  2. Data processing is limited to the purpose it’s needed for.
  3. Only collect and process the data needed for the intended purpose.
  4. Personal data must be accurate and current.
  5. PII can only be stored within the time frame of the intended purpose.
  6. PII data processing should ensure confidentiality, security, and integrity using methods such as encryption.
  7. The data controller must be liable and demonstrate GDPR compliance.

Per GDPR, encryption isn’t mandatory. However, all affected parties are required to implement organizational and technical measures to handle PII data securely. And the best way to do this is with end-to-end encryption for data in motion, and also encryption for data at rest.

Interestingly, while encryption isn’t a mandate and is left to the discretion of the data controller and processor, GDPR heavily fines data privacy violations. You should, therefore, protect your business at all costs and contract third parties that observe GDPR encryption compliance.

How Quantum Metric PII data encryption ensures GDPR compliance.

Quantum Metric is a committed partner in ensuring data encryption when processing quantified customer insights. You can rest easy knowing that all information acquired to make customer-centric product development decisions is GDPR compliant.

Quantum Metric offers GDPR-compliant encryption throughout the data’s journey and at rest. Additionally, depending on the nature and purpose of personal data, we may or may not capture such data. 

In any case, you have complete control over what data is captured, from typed text into an input field to any data displayed on any page. 

Here are the techniques we use to ensure PII data encryption at all stages.

Data Capture

We combine Rivest–Shamir–Adleman (RSA) and Advanced Encryption Standard (AES) encryption techniques to capture and protect personal data. 

PII encryption is done at the highest possible standard, using RSA 2048 to encrypt a per-page generated AES256 asymmetric keypair—the most secure AES implementation—combined with a robust RSA 2048-bit public/private key encryption and Forward Secrecy TLS session. All personal customer data on any given page is first encrypted with a unique AES key and subsequently wrapped with an additional layer of RSA encryption.

All PII data is thus pseudonymized during capture, using an encryption key only you, as the customer, store locally. Quantum Metric never has access to the private key at any time, by design. Only admins with access to the private key can decrypt/re-identify any user within a session replay.
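The sketch below is an added example of the hybrid pattern this section describes: a fresh AES-256 key per page, wrapped under a customer-held RSA-2048 public key. It is not Quantum Metric's code. AES is a symmetric cipher, so the per-page key here is a single 256-bit key; the GCM mode, OAEP padding, and the names `encryptPage`, `decryptPage` and `demo` are assumptions made for illustration.

```javascript
// Added illustration of hybrid (envelope) encryption; not Quantum Metric code.
// Assumptions: AES-256-GCM as the AES mode, RSA-OAEP with SHA-256 as the key wrap.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Capture side: holds only the customer's RSA public key.
function encryptPage(publicKey, fields) {
  const pageKey = crypto.randomBytes(32);           // fresh AES-256 key for this page
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, pageKey);
  const out = {};
  for (const [name, value] of Object.entries(fields)) {
    const iv = crypto.randomBytes(12);              // unique nonce per field under one key
    const cipher = crypto.createCipheriv('aes-256-gcm', pageKey, iv);
    cipher.setAAD(Buffer.from(name));               // bind ciphertext to its field name
    const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
    out[name] = { iv, ct, tag: cipher.getAuthTag() };
  }
  return { wrappedKey, fields: out };               // pageKey itself is never stored
}

// Customer side: only the private-key holder can unwrap the page key and re-identify.
function decryptPage(privateKey, record) {
  const pageKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedKey);
  const plain = {};
  for (const [name, { iv, ct, tag }] of Object.entries(record.fields)) {
    const d = crypto.createDecipheriv('aes-256-gcm', pageKey, iv);
    d.setAAD(Buffer.from(name));
    d.setAuthTag(tag);
    plain[name] = Buffer.concat([d.update(ct), d.final()]).toString('utf8'); // throws if tampered
  }
  return plain;
}

// Constructed sample data: round trip, wrong private key, and a flipped ciphertext bit.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const record = encryptPage(publicKey, { email: 'jane@example.com', name: 'Jane Doe' });
  const roundTrip = decryptPage(privateKey, record);
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey;
  let wrongKeyFails = false;
  try { decryptPage(other, record); } catch { wrongKeyFails = true; }
  let tamperDetected = false;
  record.fields.email.ct[0] ^= 1;
  try { decryptPage(privateKey, record); } catch { tamperDetected = true; }
  return { roundTrip, wrappedLen: record.wrappedKey.length, wrongKeyFails, tamperDetected };
}
```

The stored record contains only the wrapped key, nonces, ciphertexts and tags, so a party holding the records without the RSA private key cannot recover the field values.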

Do Not Capture

We automatically block any capture of sensitive PII data such as health-related data, credit card and payment card information, credit card CVV numbers, passwords, and One-Time-Pins (OTPs) on all your digital platforms.

We also implement pseudonymization, a technique recommended by GDPR, to separate and encrypt any PII data that can be used to re-identify a user. It’s important to note that pseudonymized data that can re-identify a subject is a GDPR violation.

Data in Flight

Once all data is collected and processed, we move it to a storage location where we collate everything gathered to make meaningful sense of the information. We transfer data through a Forward Secrecy TLS 1.2+ secure tunnel to ensure PII data stays encrypted in transit.

A perfect Forward Secrecy SSL/TLS connection ensures data protection and security. It prevents cybercriminals from decrypting PII data from future or past sessions on your digital platform. This information is then securely stored, in an encrypted format, in Google’s secure cloud environment.

Data at Rest

PII data is furthermore encrypted using the AES256 algorithm in Google’s Cloud Platform and then stored at a Google data center near you to optimize website speed and latency.

Here, you can get a more in-depth understanding of our techniques to ensure PII data encryption, including our newest PII detection technology called AutoPII.

Use a digital experience analytics platform that ensures GDPR compliance.

A digital experience analytics platform can help your company make customer-centric decisions, but it’s important to find one that implements advanced security measures and has an effective encryption solution to protect PII data.

GDPR-compliant encryption is necessary for all businesses with EU customers, even if the business is outside the EU. Any violation, such as data breaches that lead to personal data loss, is punishable by massive fines. Not only that, but a data breach can also lead to reputational damage and lost customers.

Quantum Metric is a trusted digital experience analytics platform. We only process and secure necessary data while ensuring PII data is always encrypted. Interested in learning more? Watch this Quantify This! episode where Reza Zaheri, CISO at Quantum Metric, discusses best practices for ensuring secure analytics.
