GDPR compliance in the context of zero-trust/zero-access encryption: Here's what European organizatons need to know.

In a decisive move by the European Data Protection Supervisor (EDPS), it has been revealed that the European Commission's deployment of Microsoft 365 stands in violation of several critical provisions of EU data protection laws. This means that across Europe, all organizations using M365 ‘as-is’ are non-compliant and risk fines. 

Organizations, then, have two choices: they can choose to move away from the use of M365 and other non-EU cloud solutions, or they can supplement these solutions with advanced encryption technologies that prevent third party access, known as zero-acces-encryption. 

As there are currently no real EU-alternatives to M365 and Google, moving back to on-prem solutions or using email data protection supplements (as Gartners calls them) is the logical choice to fortify data privacy and compliance with EU standards.

What are the GDPR-compliance concerns relating to M365?

As a reliable enforcer of data protection laws, the EU Commission's own breach underscores the complexities and responsibilities inherent in safeguarding personal information. Many organizations are transitioning to US cloud providers without conducting the requisite Data Privacy Impact Assessment (DPIA) and Data Transfer Impact Assessment (DTIA), despite this being a mandate under the GDPR. The lack of proper contractual agreements with Microsoft, compounded by the stipulations of the US Cloud Act — which allows the US government to request data access from these vendors at any time — presents significant GDPR compliance challenges. 

Although Microsoft offers solutions like Double Key Encryption for certain services, it cannot extend this level of protection to email services. This limitation exposes all emails to potential access by the US government, a concern recently reaffirmed by a governmental Dutch research institute, highlighting the critical need for supplementary encryption solutions which ensure GDPR compliance and protect against unauthorized data access.

Zero-access encryption in the context of EU Data Privacy

Zero-access encryption is a powerful data protection method that ensures personal data is encrypted in such a way that only the sender and the recipient hold the keys to decrypt it. This means that not even the service provider has access to the encrypted data, effectively preventing unauthorized access and ensuring the privacy and security of sensitive information. 

In the wake of the EDPS's findings, zero-access encryption stands out as a pivotal technology for EU institutions and bodies to maintain the confidentiality of data transfers within and outside the EU/EEA.

Supplementing Microsoft 365 to meet GDPR compliance with advanced encryption

The imperative for EU institutions to suspend data flows to non-EU countries by December 2024, as ordered by the EDPS, underscores the necessity for the adoption of robust email data protection solutions to enhance Microsoft 365.

By incorporating zero-access encryption, organizations can maintain control over their data, ensuring that only authorized senders and recipients can access the information, thus maintaining compliance with GDPR requirements.

Zivver Secure Email and Secure File Transfer solutions are designed to integrate seamlessly as a supplement to Microsoft 365 and Google. In this way, organizations can adhere to the stringent data protection standards set by the GDPR, without complicating workflows or introducing additional processes and platforms to their tech stacks.

Zivver's technology ensures that only intended senders and recipients can access the encrypted data, a critical factor in these organizations' compliance with GDPR and their overall data protection strategy.

Gartner has named Zivver as one of four M365 Email Data Protection Supplements for three years running, a distinction that underscores its effectiveness and reliability.

Over 10,000 organizations across Europe, including 40% of all Dutch governmental organizations, have adopted Zivver's solutions as supplement to M365, Google or Exchange On Premise. This widespread adoption, particularly among governmental and public sector organizations, is largely attributed to the security afforded by zero-access encryption. 

A proactive approach to data protection

As organizations navigate the complexities of GDPR compliance, zero-access encryption technology offers a reliable and efficient means of securing data. By embracing these solutions, organizations can continue to leverage the power of Microsoft 365 while safeguarding the privacy and security of personal data, thus fulfilling their obligations under EU data protection laws.

Find out how we can support your organization in meeting your data protection responsibilities.