GDPR: encryption at-rest instead of data lookup tables [closed]

情到浓时终转凉″ submitted on 2021-02-11 14:44:58

Question


Encryption at rest is storing data inside your storage/database in an encrypted format. During processing you need to decrypt the data every time, calculate something and then encrypt everything back (encryption is managed by the storage).

Does encryption at rest resolve the "right to be forgotten" issue? When can't you go with encryption at rest and should instead choose data lookup tables and pseudo-anonymization?

Unlike data lookup tables, encryption at rest is much easier to implement. It can affect your performance though, and maybe billing.

AFAIK, due to GDPR, you shouldn't stop processing or remove anonymized data. On the other hand, ETL jobs must have permissions to decrypt data. This means everyone who has privileges to run a job (i.e. a developer, data scientist or QA) will still be able to decrypt (de-anonymize) the data with the encryption key.


Answer 1:


If encryption is occurring at the storage layer then it does not help with the right to be forgotten. If you want to use encryption to solve the right to be forgotten challenge, then I would suggest using a unique encryption key per data subject. If a data subject needs to be forgotten, you can then delete your copy of the encryption key and you have effectively "crypto-shredded" all the data that is protected by that key. For this to work best you would need to carefully design your architecture (e.g. can you keep the key separate from the data, so that it isn't backed up, and find another way to ensure availability of current keys in a DR scenario, etc.).

A data lookup table is the equivalent of a tokenization service, where you're replacing a data subject's name or other details with a token. By deleting (or altering) the token in the data lookup table you have removed the ability to resolve the token back to the actual data subject. This would provide a lesser degree of assurance as to the level of "forgotten-ness" that had been achieved as you might still be able to identify a data subject indirectly through other information about them. Have a look at https://en.wikipedia.org/wiki/K-anonymity to understand this concept in-depth.
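The two approaches the answer contrasts, per-subject keys with crypto-shredding and a tokenization lookup table, as an added example that is not part of the original question or answer. It is a self-contained Go program built on the standard library's AES-256-GCM; the `Vault`, `TokenTable` and `Record` types, the subject id `subject-42` and the sample e-mail address are all constructed for illustration. The key store is an in-memory map here; the answer's point that the keys must live separately from the data (and outside the data's backup set) is a deployment concern this toy map does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// ErrForgotten is returned when a record's subject key no longer exists.
var ErrForgotten = errors.New("no key for subject: data has been crypto-shredded")

// Record is one stored row: AES-GCM ciphertext bound to a data-subject id (constructed type).
type Record struct {
	SubjectID  string
	Nonce      []byte
	Ciphertext []byte
}

// Vault holds one data-encryption key per data subject. Assumption: in a real
// deployment this map is a separate key store, not a column next to the data.
type Vault struct{ keys map[string][]byte }

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// keyFor returns the subject's key, generating a random 256-bit key on first use.
func (v *Vault) keyFor(subject string) ([]byte, error) {
	if k, ok := v.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	v.keys[subject] = k
	return k, nil
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the subject's key; the subject id is authenticated
// as associated data so a ciphertext cannot be silently re-attributed to another subject.
func (v *Vault) Seal(subject string, plaintext []byte) (Record, error) {
	key, err := v.keyFor(subject)
	if err != nil {
		return Record{}, err
	}
	aead, err := aeadFor(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{subject, nonce, aead.Seal(nil, nonce, plaintext, []byte(subject))}, nil
}

// Open decrypts a record; it fails with ErrForgotten once the subject's key is gone.
func (v *Vault) Open(r Record) ([]byte, error) {
	key, ok := v.keys[r.SubjectID]
	if !ok {
		return nil, ErrForgotten
	}
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.SubjectID))
}

// Forget crypto-shreds a subject: zeroise and drop the key, leaving every Record
// encrypted under it (including copies in backups) permanently undecryptable.
func (v *Vault) Forget(subject string) {
	if k, ok := v.keys[subject]; ok {
		for i := range k {
			k[i] = 0
		}
		delete(v.keys, subject)
	}
}

// TokenTable is the "data lookup table" alternative: PII is replaced by a random
// token and only the table maps the token back. Deleting the entry removes that
// mapping, but the token and any other columns remain in the data set.
type TokenTable struct{ byToken map[string]string }

func NewTokenTable() *TokenTable { return &TokenTable{byToken: map[string]string{}} }

func (t *TokenTable) Tokenize(pii string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(raw)
	t.byToken[tok] = pii
	return tok, nil
}

func (t *TokenTable) Resolve(token string) (string, bool) { p, ok := t.byToken[token]; return p, ok }
func (t *TokenTable) Forget(token string)                 { delete(t.byToken, token) }

func main() {
	v := NewVault()
	rec, _ := v.Seal("subject-42", []byte("alice@example.com")) // constructed sample
	pt, _ := v.Open(rec)
	fmt.Printf("before forget: %s\n", pt)
	v.Forget("subject-42")
	_, err := v.Open(rec)
	fmt.Printf("after forget: %v\n", err)
}
```

The `Open` path deliberately reads the key map directly rather than through `keyFor`, so a forgotten subject is never silently re-keyed on read; only a fresh `Seal` creates a new key, and records sealed under the destroyed key stay unreadable.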



Source: https://stackoverflow.com/questions/62446488/gdpr-encyption-at-rest-instead-of-data-lookup-tables
