GDPR enforcement: focus on data-at-rest encryption
It seems the Croatian Data Protection Agency (AZOP) is on a streak: after the record fine imposed on a debt collection agency earlier this month (EUR 2.2 million), this week saw another milestone penalty (EUR 380,000) for a local sports betting firm.
Apparently, the company had been copying and storing payment cards and cardholder data without informing its customers, and without the appropriate technical and organisational measures the GDPR requires.
What is new in the ruling (besides the unusually high fine) is an explicit reference to GDPR Article 32, specifically to encryption of personal data at the database level, i.e. data-at-rest encryption.
Data-at-rest encryption of PII, particularly at the database record level, is typically avoided in practice: it introduces complexity (key management and rotation, loss of indexing and search on encrypted columns) and failure points that many IT departments would rather not take on.
Furthermore, data is often stored in various locations and formats and accessed through diverse interfaces (from block storage up to a SharePoint-style web app), which complicates things further.
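To make the "complexity and failure points" concrete, here is an added example of record-level encryption of cardholder data; it is not code from the post or from AZOP's ruling. Everything in it is hypothetical: an application-side `CardVault` sitting in front of the database, a key-encryption key (KEK) that a real deployment would keep in a KMS or HSM, and, to stay standard-library only, an encrypt-then-MAC cipher built from HMAC-SHA256 standing in for AES-GCM. It shows the pieces a DPA-driven encryption project actually has to get right: a data key per record wrapped under the KEK (envelope encryption), ciphertext bound to its row so records cannot be swapped, a keyed blind index because the database can no longer search plaintext, and KEK rotation that re-wraps keys without rewriting the data.

```python
"""Record-level encryption of cardholder data: envelope keys plus a blind index.

Added example, not the post's or the ruling's code. Hypothetical throughout:
`CardVault` is an application-side layer in front of the database; the KEK
would live in a KMS/HSM in practice; the cipher is an HMAC-SHA256-based
encrypt-then-MAC construction used only to avoid a dependency on AES-GCM.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key):
    # Separate encryption and MAC keys so one key never serves two purposes.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, aad=b""):
    """Encrypt-then-MAC; `aad` is authenticated, not encrypted. Layout: nonce || ct || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per call; never reused under one key
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CardVault:
    """Hypothetical table of encrypted cardholder records (envelope encryption)."""

    def __init__(self, kek, index_key):
        self.kek = kek              # wraps per-record data keys; KMS/HSM-held in practice
        self.index_key = index_key  # dedicated key for the blind index, never the KEK
        self.rows = {}              # row_id -> stored columns, all ciphertext except pan_idx

    def blind_index(self, pan):
        """Keyed hash of the PAN: equality lookups without storing the PAN in clear."""
        return hmac.new(self.index_key, pan.encode(), hashlib.sha256).hexdigest()

    def insert(self, row_id, pan, holder):
        dek = secrets.token_bytes(32)  # one data-encryption key per record
        self.rows[row_id] = {
            # AAD ties the wrapped key to its row, so ciphertexts cannot be swapped between rows.
            "wrapped_dek": seal(self.kek, dek, aad=row_id.encode()),
            "pan": seal(dek, pan.encode(), aad=b"pan"),
            "holder": seal(dek, holder.encode(), aad=b"holder"),
            "pan_idx": self.blind_index(pan),
        }

    def read(self, row_id):
        row = self.rows[row_id]
        dek = unseal(self.kek, row["wrapped_dek"], aad=row_id.encode())
        return (unseal(dek, row["pan"], aad=b"pan").decode(),
                unseal(dek, row["holder"], aad=b"holder").decode())

    def find_by_pan(self, pan):
        """Exact match only: prefix, range and LIKE queries are gone once the column is encrypted."""
        idx = self.blind_index(pan)
        return [rid for rid, row in self.rows.items() if row["pan_idx"] == idx]

    def rotate_kek(self, new_kek):
        """Rotating the KEK re-wraps each DEK; the bulk ciphertext is never rewritten."""
        for row_id, row in self.rows.items():
            dek = unseal(self.kek, row["wrapped_dek"], aad=row_id.encode())
            row["wrapped_dek"] = seal(new_kek, dek, aad=row_id.encode())
        self.kek = new_kek


if __name__ == "__main__":
    # Constructed sample data; the PANs are public test numbers, not real cards.
    vault = CardVault(kek=secrets.token_bytes(32), index_key=secrets.token_bytes(32))
    vault.insert("row-1", "4111111111111111", "A. Holder")
    vault.insert("row-2", "5555555555554444", "B. Holder")
    print(vault.read("row-1"))                    # ('4111111111111111', 'A. Holder')
    print(vault.find_by_pan("5555555555554444"))  # ['row-2']
    vault.rotate_kek(secrets.token_bytes(32))
    print(vault.read("row-2"))                    # still readable after KEK rotation
```

The blind index is where the search cost lands: it answers "is this exact PAN on file?" and nothing else, so any report or screen that filtered by card prefix, issuer range or partial number has to be redesigned, and rotating the index key means recomputing every index value (unlike the KEK, which only re-wraps the small per-record keys). Those two properties, together with the KMS dependency and the integrity failures that now surface as hard errors rather than silent bad reads, are the operational cost the paragraph above refers to.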
It remains to be seen whether this latest ruling changes the economics of introducing data-at-rest encryption more broadly in organisational environments.
The full verdict from the DPA is here (in Croatian).