Acra and GDPR compliance

How Acra can help you comply with GDPR

Acra is an encryption tool that allows processing sensitive data with great care and secureness — namely, encrypting the data in a certain way. Acra performs encryption through Themis in Secure Cell/Seal mode (AES256 + GCM). This corresponds to the "state of the art" (as mentioned in the full text of the GDPR regulation) algorithms of symmetric encryption. Also, Acra is securely pre-configured by default and carries out extensive logging of all its actions "out of the box". Using Acra helps reaching compliance with some of the demands of the articles 32 (Security of processing) and 25 (Data protection by design and by default) of GDPR, as well as helps comply with the articles 33 and 34 (Notification of a personal data breach to the supervisory authority and Communication of a personal data breach to the data subject) of GDPR.

Security of processing

Article 32 of GDPR

Acra provides "state of the art" "security of processing" required in the article 32 of GDPR through providing data encryption and integrity check of the encrypted data.

> "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,..."

Also, the components of Acra allow encrypting data on the client's side, which enables secure transfer of the data in encrypted form through an untrusted channel.

Data protection by design and by default

Article 25 of GDPR

The default settings of Acra are pre-configured in the most secure way to provide that exact "secure by default" state of the system. This is enabled through the default encryption settings for the data transfer between the Acra's components and the database ( SSL and Secure Session are used).

>"In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons."

Logging, Intrusion Detection, and Notification

Articles 33 and 34 of GDPR

Acra makes the communication with the users in case of a data breach easier because the data is encrypted (see Art 34 of GDPR):

> "The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: the controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption."

All the components of Acra are logging the requests/queries/events that take place within Acra. This provides the logs of everything that was happening in Acra in case of a security incident. Using the logs makes it easier to notify the supervisory authority and users about the exact details of a data breach (which complies with the articles 33 and 34 of GDPR). All the SQL queries to the database are logged in Acra by AcraCensor (Acra's firewall) with configurable verbosity.

Also, there is a special intrusion detection feature in Acra called " poison records". The poison records help to detect a massive data leak and perform a shutdown (or any other action specified by the administrator) of Acra's work (data encryption/decryption) if a poison record is detected in a query (which means there was a successful attempt at an unauthorized data access).

Further assistance in complying with GDPR

Need more help with providing better GDPR compliance for your product/infrastructure through using Acra? Read about our DataGuardian Assistance Program.