ENISA: Protecting Data: Can we Engineer Data Sharing?
January 2023 by ENISA
The European Union Agency for Cybersecurity (ENISA) celebrates the Data Protection Day and explores how technologies can support personal data sharing in practice.
To celebrate the European Data Protection Day on 28 January 2023, ENISA publishes today its report on how cybersecurity technologies and techniques can support the implementation of the General Data Protection Regulation (GDPR) principles when sharing personal data.
EU Agency for Cybersecurity, Executive Director, Juhan Lepassaar, said: "In an ever growing connected world, protecting shared data is essential if we want to generate trust in the digital services. We therefore need to rely on the technologies at hand to address the emerging risks and thus find the solutions to best protect the rights and freedoms of individuals across the EU."
Because data today is at the heart of our lives and central to our economy, data has been coined as the new currency. No transactions or activity can be performed online nowadays without the exchange and sharing of data. Organisations share information with partners, analytic platforms, public or other private organisations and the ecosystem of shareholders is increasing exponentially. Although we do see data being taken from devices or from organisations to be shared with external parties in order to facilitate business transactions, securing and protecting data should remain a top priority and adequate solutions implemented to this end.
The objective of the report is to show how the data protection principles inscribed in the GDPR can be applied in practice by using technological solutions relying on advanced cryptographic techniques. The report also includes an analysis of how data is dealt with when the sharing is part of another process or service. This is the case when data need to go through a secondary channel or entity before reaching the final recipient.
The report focuses on the various challenges and possible architectural solutions on intervention aspects. An example of these is the right to erasure and the right to rectification when sharing data. Targeting policy makers and data protection practitioners, the report provides an overview of the different takes on how to approach personal data sharing in an effective way.
The EU Agency for Cybersecurity has been working in the area of privacy and data protection since 2014, by analysing technical solutions for the implementation of the GDPR, privacy by design and security of personal data processing.
The work in this area falls under the provisions of the Cybersecurity Act (CSA) and is meant to support Member States on specific cybersecurity aspects of Union policy and law in relation to data protection and privacy. This work builds upon the Agency’s activities in the area of Data Protection Engineering and is produced in collaboration with the ENISA Ad Hoc Working Group on Data Protection Engineering.
The Agency has been providing guidance on data pseudonymisation solutions to data controllers and processors since 2018.