Enterprises conducting business in the EU are currently analyzing the impacts and organizational changes required to comply with the General Data Protection Regulation that will, from May 2018, redesign the legal framework in privacy. The changes will substantially affect risk management processes and privacy requirements will become essential in product development and IT infrastructure design decisions. Very few have by now not heard about the deterrent penalties brought by the GDPR. As of next year, companies will not be able to sweep security breaches under the carpet and will be required to notify such events within 72 hours to their national data protection authority. The notification may need to be extended to affected customers, on an individual basis. A number of organizational, contractual and procedural measures must be taken to fulfill the obligations under this new framework, which also places significant technical requirements on the way companies handle data.
For this and other reasons, one can see why more and more commentators are stressing that encryption will soon become a must-have feature in the procurement and architecture of databases and data interchange. We are convinced that e-invoice archiving will not be any exception to this trend, and the benefits are certainly compelling. If prior to the security breach, data is rendered unintelligible by means of a reliable state-of-the-art encryption method, businesses are exempted from the obligation to individually notify data subjects. Moreover, a fine of up to 10 million euro can be imposed to any business that is deemed to have infringed its obligations under article 32(1) of the GDPR on security measures, which explicitly includes encryption among the appropriate technical measure to safeguard processing of personal data.