Encryption, Cloud, and the GDPR - What Is The Recipe For Survival?

    7:55AM Mar 31, 2021

    Speakers: Jean-Christophe Le Toquin, Arnaud Laprêvote, Xavier Lefevre, Eric Bedell, Christophe Buschmann

    Keywords: encryption, encrypted, data, dpo, people, key, question, access, implement, solution, privacy, eric, security, risk, case, company, secure, manage, working, management

    Originally, concerned people knew that it was well to protect data, and in fact you have very few choices except encryption to do that in a digital environment. And so it was something you had to do; then it came to be integrated in different norms, now for some years. It's integrated in the laws. So, obviously, RGPD, GDPR, was really a key recommendation, where things were discussed. So if you look directly at the text of the GDPR, in fact there are two main places where encryption is quoted. So the first one is Article 32 on security of processing. So what it says is, well, you have to use appropriate measures to ensure the level of security appropriate to the risk, and encryption is quoted here as the first solution, with pseudonymisation; it's not the only solution, obviously. And the second place where encryption is quoted in the text is, in fact, in Article 54, which concerns the communication of a personal data breach to the data subject. So it says, well, if there was a data breach, but the data that were leaked are encrypted, and there's no way for the attacker to access the data, then you don't need to provide this information. So, clearly, encryption is quoted. And in fact, if you look at the different laws, so there is GDPR, eIDAS, now there's also ePrivacy and NIS; in fact there are many, many laws that are integrating encryption as a requirement, and it's something which is clearly increasing more and more. So I'm sure that Xavier is going to explain that from his point of view. So, please. So that was GDPR; so, Fair&Smart, just explain to us what you are doing.

    Good morning everyone. So Fair&Smart is a SaaS software provider, and our solutions are designed to take care of all the visible aspects of GDPR compliance for our customers. What do I call visible aspects? It's the aspects of GDPR compliance which imply an interaction with the end user. It's what we call privacy UX. It's mainly three things: consent and preference management, GDPR rights request management, and personal data transfers or acquisition. So our solutions are labeled Privacy Tech by AFNOR Certification, also mentioned in Gartner's market guide, and in Luxembourg and Belgium they are distributed by LuxTrust, which is our exclusive reseller. Now, next please. So, why did we choose encryption, and why did we implement encryption into our solutions? Firstly, consents are personal data, and they must be really managed as such, and a consent management platform must handle all use cases. One of the main objectives of implementing a consent management platform is to build a single source of truth, which will enable the data controller to know: am I allowed or not allowed to run such a process on this data for that person, etc. It means that you must be able to handle all use cases, including the ones which may imply special categories of personal data, like health data, etc. It means that appropriate security measures must be implemented. And we will look at it also: since we incorporated Fair&Smart in 2016, GDPR was already known, even if it only came into force in 2018. We knew it, and privacy by design was already a set rule. So we tried to take it into account and implemented it the best we could. And last but not least, there's a strong market trend towards privacy and encryption, broadly speaking. So, at that time, we decided to implement encryption because it makes us different from our competitors, and also we anticipated that the level of security requirements would only rise in the coming years.
And what is important with encryption is that if you want to implement encryption, it's really difficult to implement it afterwards, and end-to-end encryption in particular, so it was really important right at the beginning to have that in mind and to take it into account. We act as data processors for our customers, which are data controllers, and most of them are huge, big companies with CISOs, etc., and security policies. So it wasn't so important for us to really take into account these security policies that were already in place. Next slide, please.

    So what were our issues, and what are the issues regarding consent management, broadly speaking? First of all, we have some functional requirements: it's to secure, of course, consent receipts and isolate the data of one of our customers from, of course, the data of other controllers, and have traceability of access, and end-to-end encryption helps us do that. It also makes it impossible for us to access the data; it means that as a data processor, we only store encrypted data, we have no access to the keys. This is why we obviously cannot access the data, and end-to-end encryption thus raises security and minimizes risk, both for our customers, the data controllers, but also for us as a data processor. And since, like any data processor, we of course subscribe to cyber insurance, etc., being able to show that we really implemented state-of-the-art security measures is a very important aspect. But then, encryption is pretty complicated, and we were not experts at that time. This is why we chose our end-to-end encryption provider carefully, and what was important for us was the ease of implementation of such an encryption process, and also of course the support of the team, and this is what we found in the expertise of Lybero. And, of course, there are financial issues, like for any software provider. The cost of implementation of encryption had to be affordable for us and not put us out of the market, and this is probably what made us make that choice: it's that end-to-end encryption is affordable now. It is not expensive. So, I mean, it might be difficult in the near future for any data controller to say that he did not implement encryption because it was too expensive, because this is not true. So this is also one of the reasons why we said, well, let's do it.

    Thank you.

    Arnaud, Arnaud, it's you. Yes,

    yes. So, thank you for that. So we partnered with Fair&Smart; we are providing them our core technology of encryption for web applications. Lybero.net is a cryptographic web software editor. And we have two products. The first one is CryptnDrive, which is an end-to-end encrypted drive and data room. And the second one is the core technology we use to have end-to-end encryption within CryptnDrive, which is the LybCrypt SDK. So these are our core values. And when we tried to present that in Encryption Europe, as there are many cryptographic software editors, and we are all basically working on this kind of constraint for our customers, it is curious that we have different use cases and different functions and kinds of software. So, to come back to encryption, you have basically two types of encryption: the symmetric one and the asymmetric one. Symmetric encryption means that you have the same encryption key to encrypt and decrypt your content. Asymmetric means you have two keys: one to encrypt, which we say is the public key of a user, and one to decrypt, the private key of the user. Most of the time, in fact, you are using mixed encryption, which is basically: your content will be encrypted with a symmetric key, and you will use an asymmetric key to encrypt the symmetric key. The reason why is that, first, it avoids duplication: you encrypt your content once with one content key, and for each person that needs to access this content, you encrypt only the key. That's the first thing. It allows you to have very fine-grained access management on your content. And the third thing is that there is a performance issue, as asymmetric encryption is around 100 times slower than symmetric encryption. So when you need to encrypt megabytes of content, or kilobytes or gigabytes, 
well, you need to have something which is fairly speedy. So that's the reason why mixed encryption is so used. So if you look at the architecture for a web application, you have something like that: you have the storage, you have an application server with whatever language you want, and most of the time you have a front end. And then you have your web browser, which will be used to access the application. So if you look at the different threats, in fact you have threats basically everywhere. If your attacker has access to the storage, well, if it is not encrypted, he can access the data. If he can access the app server, he can grab the data when they are going through, or he can do the same thing on the front end. Obviously, if you have an attacker that is on the channel, he can also grab the data, or be on the desktop itself. So if you look at this schematic, what you see is that you have an interest in encrypting as soon as possible, because obviously you will lower the risk.

    If you encrypt at this level, at the storage level, at the server level or even at the front end level, you will have at least one problem, which is: if an attacker has access to the platform where the application is running, he can access the data, and it is also the case for the system administrator. So really, I think that's the key question you have to ask yourself when looking at such a system: does the system administrator have access to the content? If the answer is no, okay, it's good. If the answer is yes, then you have a problem, I think. So, what we do with end-to-end encryption is basically to put the encryption directly in the web browser, before the content is sent to any server. So, it doesn't mean that you have no risk. It's very obvious that if an attacker has access to your desktop, well, he has access to your data. But what it does is that he will only have access to your data, not the data of the other persons that are using the same application. And here you have to take care of the integrity of basically the JavaScript libraries that you are using and sending to the web browser. So that's where you have to be careful. So LybCrypt here is just a JavaScript library, and all cryptographic operations are done basically at the end, so in the web browser on your desktop. So, encryption, okay, it's not so easy. But the real problem in such a system is the key management, and you have to be very careful on that, because the person or the persons that have the keys, or that have access to the keys, can say basically that they have access to your data. So it is especially touchy at the key distribution and key creation level. And what does happen when the user loses his key? If you are an organization, well, when somebody loses his key, you have to do something. 
So the criteria you have to look at are: is this key management local or centralized? Is it a hardware or a software solution? Is it more something personal, or is it more at the organization level? And the different technical solutions that you are seeing today: there is PKI, meaning that you are going to centralize access in a central place that will guarantee at least the integrity of the public key of each user. There is also the web of trust. Web of trust is the contrary: each person is going to create trust at each level, and you are going to use this chain of trust to know that the key of somebody is a good one. We tried to have in Lybero.net a very intermediate approach to this problem. What we do basically is web of trust, but we use a digital escrow: we put each content key in the escrow, and when you need to release the key, you have a nice quorum-based system, which is highly secure and allows us to separate the authorization of access from the access, which guarantees that a single person never has the rights to access anything alone. So, what we see today concerning the cloud is an architecture of this kind.

    So, you have the storage, and what you read and store is basically encrypted. Okay, so it may be in a cloud provider. At the same time, you need to have a key management server in one way or another. And the desktop will access these different elements, and the application is going to run basically on the desktop, in your browser. But at the same time you need to have processing. So the processing is basically a program that will run on your data, but that needs to access the data; as long as you don't do homomorphic encryption, you need to decrypt the data to do the processing. So the key thing here is that, to do the processing, data are decrypted. And then you must be very cautious where you put that. Basically, if you look at the nice white book on the Cloud Act, you will see that the only companies that are not subject to the Cloud Act are the providers that are not established in the US and that have no link, or whatever, with the US, meaning that in all other cases, an administration in the USA, for example, can ask the provider for access to the data. So, this cloud provider, if you put that in the cloud... You can put it in your own IT infrastructure. This has to be very carefully managed; okay, you cannot do whatever you want, because especially key management must also be very carefully managed. But the data should be encrypted as soon as possible. Besides that, okay, you can use whatever cloud provider you want. So those are my two tips on the subject, Jean-Christophe.

    Thank you, thank you, Arnaud. So now that we had the initial presentation on how, exactly, Arnaud and Fair&Smart make the management of consents easy for the companies, and secure, we are now going to listen to the perception or perspective from two people: from one professional, who is Eric Bedell, CPO of Franklin Templeton, and from Christophe Buschmann, commissioner at the privacy regulator of Luxembourg. And so of course we're not asking Eric and Christophe to comment on the specific solution provided or delivered by Arnaud and Xavier, but more on the wider question of, okay, why use encryption. In the words of Christophe, when we prepared this meeting, he said, actually the real question is why not use encryption. So first of all I would like to hand over to Eric Bedell. So Eric is, I think, a great example of an IT security professional who over his career broadened his scope to become a DPO. I mean, frequently DPOs have a legal background, and then it's kind of a natural extension to the role of DPO, which is still a very recent type of profession, and Eric is coming from a technical background, and he has been awarded the title of DPO of the Year of Luxembourg last year, and one of the questions we'll ask him is how much this has changed his life. But for the time being, Eric, what we would like to hear from you, I think, is because there are a number of DPOs with us today, and privacy professionals. And so the question from your perspective is, okay, I mean, for you, how much does encryption matter, and how do you make the decision to support a solution which is encrypted or not? So what is the process, and what are the benefits that you see in selecting a solution which has a component which is encrypted? So really the question for you today is how it works in practical terms in your day-to-day work.

    Thank you. Good stuff, good morning everyone. So yeah, just quickly, to your question: it has changed my life a lot, because now I'm talking with so many new people; my network has broadened a lot, I'm looking at many conferences, so that's really what changed. I mean, my daily job has not really changed a lot with this title, but anyway, I'm really grateful to AC data, thanks. All right, so speaking quickly about the DPO role and expectations from a DPO. So what you have to do is really look at the risks; it's all based on risk. So what it means is you need to do impact assessments, like DPIAs; you need to do some sort of privacy by design reviews; you need to have your record of processing activities, and you need to look at all the risks that are arising from that. This also you need to apply to the scope that you need to manage, that your company needs to manage, in a way. So for example, you do have some very sensitive information, some non-sensitive information, but you need to link them compared to what you are doing with them. Like, to give you a concrete example, if you do have a list of emails from people participating in your marketing campaign, that's not the same as getting a list of email addresses of people participating in conferences around LGBT topics, you know, because the sensitivity is different about what you are using the email addresses for. So, this is one part of the scope; the other part of the scope is really where your data is, like, is it internally in the company, is it in the cloud? Is it in the scope of your process, or is it something that you do with an additional controller, for example? 
So, you need to mind the scope and look at all the data and look at all the risks arising from those data in order to make sure that this is mitigated properly. You have different kinds of tools that you could use, and this is really how the DPOs, well, most of the DPOs are doing it: they consider encryption as being one of the tools that can be applied to mitigate the risk arising from what I said before. So you do have, for example, pseudonymisation, you have anonymization, but all of that are part of a complete set of tools that you can use. And again, depending on the case, you may choose one or the other. I think encryption is really good because it is one, I would not say easy way, because I don't know if it's gonna be easy for everyone, and even more for, as you said before, a DPO that is coming from a legal background; I mean, it's very technical, so it's really difficult to understand. But as a tool in itself, it's really good to think about it and say, okay, I do have a lot of risks to transfer that to a cloud platform, and the only way for me is to use a very good tool, because, again, cloud is quite good, and it's accessible everywhere, it's really easy to use, but your data is in danger when it's on the cloud. So then you need to think about, hey, what can I do to do it better, and maybe encryption is the best way to mitigate that kind of risk when using a cloud platform. However, there are some discussions as well when you talk with the IT systems and the IT teams: yeah, okay, but if I encrypt too much, it's going to be difficult to manage, or my data is going to be difficult to manage, like it's going to be difficult to back up sometimes, it's going to be difficult to restore as well, it could be difficult to share with all the people that need to get a view on the data. 
So there are some downsides to it. So again, I will just refer back to what I said at the beginning: you need to think about what is the residual risk, and how can you mitigate it using the right tool, and encryption may be one of those tools. So that means you cannot, well, you don't want to use it everywhere, but at the same time you want to use it where it needs to be used, and you really want to consider it.

    And thank you again. I would like a follow-up question on this, which is the key, maybe a key message from Arnaud, was that actually the real issue is maybe not encryption versus no encryption, but rather doing the management of the keys well. And one thing we also see as a benefit of encryption, or rather maybe of the encryption key management, is the traceability of how people access, or can access, encrypted information. Is this something that plays a role when you assess new solutions and you look at the integration of encryption into these solutions? I mean, how do you put the focus on, or value, the possibility to trace access of people to the data?

    So maybe to your first question, I mean, it's really crucial. When you are a DPO, usually you're not looking at all the technical aspects that are related to encryption; like, usually you oversee, or you have an IT team that knows how to deal with it. But what is really important to say is: the easier it is to use, the better the tool will be used, you know. So if as a DPO you are advising the company to use encryption, it needs to be easy to do, and again, if it's on a cloud platform, if it's on software as a service, or service as a whole cloud platform and so on, you want to make sure that this one is maybe already foreseeing encryption capabilities; like, it's the privacy by design. So if you select a vendor or if you select a specific system, you want to make sure that this system is able to accommodate everything that is required by GDPR, including encryption, pseudonymisation, replying to requests, and so on and so on. So I think this is key, to have a system that is working pretty well and easy to implement. To the second question: traceability is very important. So who is getting access to my data is a really central kind of discussion, because of course that's another part of the mitigation I was talking about before. If the risk says, hey, this data cannot leave Europe, you need to make sure that data is not leaving Europe, and if you are a global company, it's really difficult to understand who is having access to your data, should there be someone, for example, maintaining the systems based in India, or the system admin is based in India. 
Does he have access to your database, or just to the system that is holding the database, you know? And this is where encryption can be very useful as well, because you're just sure, by managing the keys properly, that just the right people are having access; at least, everything that has been declared, or every people that have been declared as having access, are really having access to it, and no more people are getting access to it. So that's another way to use it, of course, yeah. Yeah, and

    that's the way people like us, as we discussed when we have been preparing this call, I mean, if people encrypt the data but then you just have one sysadmin guy who has the one key that helps you to have access to everything and encrypt everything, then it's not really super secure. And that's a segue to Christophe, who is the commissioner, as I said, of the Luxembourg regulator. And, again, a very interesting career with Christophe, because first of all you are also coming from a technical background, and you have been working for a global consulting company for many, many years, and then you actually switched to the other side. I mean, you spent a good deal of your career helping your clients navigate, I mean, the fears about the regulator; now you are the commissioner that everybody is terrified of, because you know everything from the inside. So, I mean, how would you see the growing interest for encryption, and do you see that, I mean, we encrypt today differently from, I mean, 10 years ago? That's one of the questions we have. And so when you see solutions integrating, I mean, encryption, how do you see it, especially in terms of compliance with GDPR? Yeah.

    Well,

    first of all, I don't think it's a question of two sides. For all those who might be scared, I think that that's a justified reason, because I don't see this as a conflict between two sides which need to fight each other. But to get back to your question in regards to encryption, I would say I take maybe a broader view on the topic, because if I look at GDPR, which is my main topic: what is GDPR about? GDPR, it's about governance, it's about delivering on the promise of getting people back control over their data. Why? On this promise, obviously, you can only deliver if, on the other side, you know that the one who is in charge of this data has himself control over the data. So GDPR, it's about governance, it's about risk management and how to handle data. Now, this being said, if I look at encryption, I do see more advantages than the ones that have already been mentioned, than just protecting confidentiality. I see it also, and in a very important way, as a means, as a preventive control on who has access to what, and how can we make sure that this control is working effectively. If you have a look at large organizations, they are working on a day-to-day basis with huge amounts of data, with hundreds of processes and hundreds of services that they deliver every day. Now, one key challenge when it comes to managing governance at such an organization is to be sure to control who is doing what, with what, and to be sure that they told you everything. 
Now, obviously, if you have put encryption in place, not only as a measure to avoid loss in confidentiality in case of a disaster, but also to be sure that only those who have legitimate rights to access data get the key to access this data, you have a huge advantage, because your control is preventive. So you don't have to chase people to find out what they are doing, but you can have this proactive role and make sure that nothing happens which should not happen. This is one very important thing. Now, if you look at GDPR, I think Article 32 has been mentioned at the very beginning: encryption, and also some other techniques, have indeed been explicitly mentioned in GDPR, and GDPR is accountability-based, so we should reason from the other side: everybody should be in a position to be comfortable to explain why he did not consider those explicitly mentioned security measures in Article 32. I think that's the more prudent approach. Now, you could say, well, I did not think of any reason why I should use it, but accountability, if someone points out specific techniques to you, at least think about why you could not do it. So that's one key point I would like to make. The other one is that GDPR, I mean, it's a legal text, so it will not change every year. But it's dynamic in its application, meaning that Article 32 explicitly states also that the number and the level of measures that you put in place need to take into account the state of the art and the cost of implementation. And those two elements, they do change quite a lot. And as those two elements change, I think your assessment on what is appropriate needs to be adapted as well. It has been mentioned that the pure cost of implementing encryption is not a valid excuse not to do it; I tend to agree. Now, there has been an evolution on this as well over time. I would say 10 years ago, the cost of encryption was different than today. 
So please don't forget to take these dynamics into account when you do your assessment, because we, as a regulator, obviously, we take them into account when we fix our level of expectation when we do investigations.

    So, this being said, I think there are not so many negative things you could say about encryption. However, I mean, in particular if you have to deal with many problems, and the technical ones are just some part of the problems you have to deal with on a daily basis, and I think Eric mentioned it, DPOs do have many, many other topics which are not technical in nature to deal with. Please keep in mind that encryption is one part of the solution, but it's not the ultimate solution which comes for free and you say, well, today I encrypted everything in my organization, and for the next five years nothing bad can happen. No, I think it's a good tool, as Eric mentioned, which can help you address some risks; it comes with other risks, which is very often the case in risk management, that one mitigating measure creates other risks. In this case, key management is obviously the next step that you need to deal with to make sure that, first of all, the solution is effective and, secondly, it doesn't create risks which you hadn't in the first place. I would add, as the third element, please don't forget to keep surveillance of the security of the algorithms, the technologies that you use, because we know that, by definition, encryption is working on a permanent strife of one against the other on who can break what at what point in time, so don't miss the point in time where maybe you need to adapt. But that being said, I think it's definitely a technology which adds a lot of value. Now, a last sentence, and I say this now in very general terms, and, I mean, I was a consultant before, you mentioned it: please be aware of the fact that new technology is always marketed, and sometimes marketed maybe a bit excessively aggressively. 
In particular when it comes to buzzwords, and, unfortunately, it's very often the case for very technical topics that people would like to leverage the fact that the one who could buy it doesn't understand what the technology is below. If someone just tells you, I sell you encryption, please sign here, I would apply professional judgment, because probably he did not do the due diligence to be able to claim that he effectively managed to encrypt the data.

    Thank you. Okay, so that's a very good point. Actually, just for the people who don't know exactly how we work at Encryption Europe: in order to become a member, well, you have to be an SME and provide a service in this field, but there is a peer review, and we ask you to have also the participation of the technical leads of the company. So I can tell you that it has been difficult to assess, even for ourselves, I mean, how much the solution is encrypted, but this peer review has kind of a chilling effect on the applications, and I've seen a few companies that were wanting to apply, and it's, okay, good, I mean, they will have to join, they will be assessed by their peers, and sometimes I've never heard of those people again. So it seems that the system works, and it also helps us to be acting as a community. One thing I would like to hear from Arnaud, and then from Eric, which is also the point just before the one you mentioned on the buzzword, was indeed the reality that people have been talking about encryption not being enough. The fact that, on the positive side, we are in a dynamic situation, meaning the cost of implementing encryption goes down; of course you have to be careful of the way you manage keys, which is not really an issue in our case today with Fair&Smart, because this is just between Fair&Smart and Lybero, so that makes it very easy for the end users. But nevertheless, there is this issue of security of algorithms and risk associated with algorithms being compromised. How do you really deal with this ongoing threat, and how do you mitigate it?

    Well, that's a hard question, but let me give a few elements. First of all, obviously you have different strategies concerning that. The base strategy is basically to use encryption algorithms that were normalized. The normalization process was not simple: it was a competition. So if you consider symmetric encryption, for example, AES is a Belgian algorithm, but it was adopted as a standard for, I think, US companies, and especially banks and insurance, after normalization by the NIST. It's also the case for RSA, ECDSA or ElGamal, which were also normalized. So that's the first strategy you can use. The second one is you can rely on research centers and researchers. Today, researchers are starting to use what are called formal techniques to evaluate the value of algorithms, especially the transmission of information and these kinds of things. We benefited from that in our escrow system, because it is based on formal research that was made on digital voting, so by non-interference analysis. So that's the second strategy. After that, the third, I would say, is the standard monitoring of what is going on, the peer review, and also tests, external pentesting, these kinds of things that we do to ensure the quality of work.

    Thank you. Thank you. I know that there was a question on the chat, we'll let you read it, and I've asked for some clarification. I would like to ask a question to Eric, while others may also ask questions, which is about this dynamic evolution of encryption. You have a long-standing career in security. How do you see the importance of encryption growing for the work in IT security? I mean, do you see that it is indeed much easier today than 15 years ago? Do you see that there was a kind of political momentum, so people are really now more interested? We had this massive adoption of end-to-end encrypted messaging applications in the past two years. So, really from the point of view of a security professional, how do you see the evolution and perception of encryption, and how it is implemented today compared to 20 years ago?

    Yeah, so maybe what I can say is that I've seen a huge shift in the solutions offered by vendors and suppliers. Before, you had to manage the solution yourself. Let's say you had to take the solution and decide if you wanted to encrypt it or not. For example, you had an Oracle database that your product was running on, and you had to decide yourself if you wanted to encrypt this database or not, and what part of the database should be encrypted or not. This shifted a bit now to more packaged services, if I can say. For example, you are taking a new human resources management tool, which is Workday, that is a cloud software platform, and this one is offering encryption. I mean, that's at an additional price of course, but it's just encrypted by default. Of course, it raises the question of keys that we mentioned before, and I will not go back to that again, and who is having access to them or not, but I think you see more bundling from the vendor side of the business. So I would say we see a greater adoption, even if I believe people are not really aware that they are using encrypted methodologies. I know, for example, that a lot of companies are using WhatsApp, and WhatsApp is encrypted by default, but they don't know it, you know. So I think, if you think about it, companies are adopting encryption, but in a transparent kind of manner at the end.

    And that makes me think about a question to Xavier, because you and your company, you're the one really engaging with the CEOs and the DPOs, so you have to tell them: look, this is what I'm doing, this is how I'm helping to secure the data of your company, and this is why we use encryption. You made a decision very early to implement encryption into your service, and you have been providing your service to companies for four years, or even five years now. How did you see a change in the way people respond to the fact that you have implemented encryption into your service, versus other companies who did not? I mean, do you really see this as a game changer, now more than five years ago? What has been your journey with encryption?

    Well, clearly things are evolving. But as far as I've seen, there is really a market trend towards more security, more privacy and more encryption at the end, because again, encryption now is far more affordable than it used to be some years ago. So of course encryption is not the only security measure or the only security tool that has to be implemented, but it is one of them, and it is very efficient at the end. As a data processor, we run processing activities on behalf of our customers, but our customers need to demonstrate their compliance, they need to demonstrate that they take the appropriate security measures, etc. And we are here to help, basically, and we have to make them feel confident with the processing activities that we run for them. This is the reason why, in my humble opinion, the highest level of security is better than the medium or lowest one, as long as you remain competitive from a financial point of view. This is it, and we've seen it: if you can choose between two equivalent services, one is secure, one is not, but they are both at the same price, we will definitely opt for the secure one.

    Right. Thank you. Thank you, Xavier. So we are getting close to the end. I will have an announcement for the next session next month, but before I do this and conclude, I think the question from Wisdom would be a good fit for Eric, because his suggestion is: okay, why don't we actually always choose the most secure type of solution, which has everything included? So that's maybe a question you ask yourself every day. What's your take on this, Eric?

    So I would say, first you need to think about the risk, and again I'm referring to that because it depends what you want to secure. If you want to secure the list of coffee vendors, or coffee machine vendors, you know, I don't really know if it needs to be encrypted at all, because it's just a loss of time, money and effort at the end. So, if you do your risk assessment properly, you should put everything that is required to mitigate the risk in the places where it's really meaningful to put the effort, money and value in, you know. So you really want to protect what is really risky in your company, and not protect the whole company. And also I must say that the perimeter of the company has really drastically changed in recent years. You know, we have talked about cloud already, we have talked about outsourcing, controller-controller and controller-processor agreements. This changes a lot of things, because the data that you want to secure is not just on your premises, it's not just in your data storage; you also need to rely on some other people, you need to transfer it to some other people. So the perimeter has already changed, and it's pretty important to think about it in a way: what is the most risky? Is it to have the data stored in a file cabinet, or printed and in a safe, or is it something that you want to transfer to the other side of the globe through five or six different processors? Well, maybe this is where you need to select exactly, as we say, the state-of-the-art security measure you can.
    So, again, GDPR is like that, but there are many other regulations and laws that are saying the same: it's based on your risk assessment, it's always based on that. So as a DPO you need to decide where to put the priorities. Of course, in an ideal world we would all be protected for everything, but again consider that, exactly as Christophe said before, when you put something in place to mitigate the risk, it comes with its price very often, so it's not as easy as that.

    Christophe, I would like to give you actually the last word, because we're lucky to have you, the regulator, in this discussion. So, what is your conclusion on this? I mean, do you agree with what Eric says? And then I will conclude.

    Yeah, I mean, it's absolutely true. I mean, at the end of the day it's about risk management, and it's about managing risks in the right way. Maybe just one element that I would like to add is that we should, I think, be making everybody conscious, we call it like this, that there's a huge difference between adding encryption on an existing process, infrastructure or organization, and thinking about encryption since the start when setting up new processes. I think today it is not acceptable that you don't think about encryption for everything new that you set up. Honestly, I could not think about one single excuse why not to have a serious thought about this at that point in time. Now, when it comes obviously to making an evolution of the existing landscape, the question is a bit more tricky. And I think an excuse not to encrypt is always present, because to some extent it's easier to find reasons why not to do something than to do it. Now I would like to stress that if you stay for too long in such a position, you miss the moment where the benchmark overpasses the level at which you need to encrypt, and you need to act in a hurry, and you will have higher costs than if you take the opportunity now. Maybe for some elements where it would not be strictly considered obligatory, you take the time that you still have to move. And I think that would be my recommendation, if I could call it like this, at this point in time: for new things, please, it's an obligation to have thought about it, but for existing things, don't wait for too long. It will not necessarily be easy, but it would not be accepted in a couple of years not to have a plan to move towards something equivalent.

    Thank you. I mean, thank you, Christophe, for these very strong and clear words, and it's a perfect segue to the next session, which will be on the 29th of April, same time, also online; you can see the text on the Encryption Europe website. We will talk about legal interception of communications and the inextricable issue of backdoors in encryption. I think some people actually argue that maybe it's not such a great idea to implement encryption on existing and new services, and we will discuss this with Timoteo Hibu, who is the founder of Seal, a member of the alliance. We have participants from Ofcom and from the head of CIRCL, the Security made in Luxembourg, and the session will be moderated by Gregory from McAfee Europe, my colleague. So that will be in a month from now, and we'll discuss the other side. That's going to be quite an interesting session as well. Thank you very much for this very enriching session. Well, I don't know exactly when to introduce us to what you're doing, and a big, big thank you to Eric and Christophe for accepting to give your perspective, your broader perspective, as a DPO and as the regulator. I think this really helps us give a very transparent and honest picture of the need for encryption in our solutions. So thank you for this, and see you next month.