Video-Demo-Tour

Ask us


I agree to the terms of the Privacy policy
I agree with the provisions on data protection. I agree that Protelion will process the personal data provided by me electronically for the processing of my request and contact me, according to my explicit request, for the processing of my request. I can revoke my consent at any time with effect for the future.

Your request was sent successfully.
We’ll answer you as soon as possible.

OK
EN
DE ES

Home

/
 ... / 

Resources

/
 ... / 

Blog

/
 ... / 
Personal Data Protection: Encryption

Personal Data Protection: Encryption

02.12.2025

Today, in an increasingly digitalized and connected world, the value of data for an organization — and for the owners of that data — is highly appreciated and indisputable.

Technologies such as Big Data, Knowledge Discovery in Databases, Machine Learning, and Data Mining, together with the exponential growth of personal data on networks, have created an increased need to adequately protect information over time.

The processing of large volumes of data contributes to the generation of social and economic value, provided that individuals’ rights to privacy and the protection of their personal data are respected.

Personal data is defined as any information that can be associated with one or more natural persons. A person may be identified directly or indirectly through their name, identification number, location data, employment information, among others.

The use of masking techniques, or simply the use of encryption, is a basic and fundamental element of any organization’s information security policy, as it provides strong guarantees of data confidentiality and also reduces the risk associated with processing such data.

Personal Information

According to the General Data Protection Regulation (GDPR), the processing of personal information must be formally defined, and the data must have been obtained in accordance with three fundamental principles:

  • Proportionality: establishes that only the minimum data necessary to provide a requested service should be collected, and unnecessary additional information should never be requested. Data may only be collected when it is adequate, relevant, and not excessive.
  • Purpose: the data subject must explicitly know the purpose for which their personal data is being collected.
  • Purpose: the data subject must explicitly know the purpose for which their personal data is being collected.

Therefore, data may not be processed or retained after collection for purposes other than those for which the data subject and owner has given consent.

In addition, the data subject may request the data controller to permanently delete their personal data when it is considered excessive or inappropriate, no longer necessary for the purpose for which it was collected, has been processed unlawfully, or when consent is simply withdrawn.

In this regard, all information considered sensitive should be protected, and in the case of personal data, those belonging to special categories, as defined by the General Data Protection Regulation (GDPR), including, among others:

  • Ethnic or racial origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the unique identification of a person
  • Health-related data
  • Data relating to a person’s sexual life or sexual orientation

When processing or intending to process the above types of data, a protection method must be used for such information. It is important to consider security at the start of each data processing activity, known as privacy by design and by default, which is also mandatory under the GDPR.

For other types of data, it is advisable to analyze and assess their risk, always ensuring that the processing of information does not seriously impact the data subjects, the organization’s business, or the privacy of competitors, among other aspects.

Privacy by Design

Those responsible for collecting personal data must provide a description of the procedures used for the collection, storage, use, circulation, and deletion of information, and describe the purpose for which it was collected.

The principle of privacy by design is addressed from an organizational approach, in which privacy measures should not be solely based on compliance with current regulations, but should respond to a predefined data protection strategy. Privacy by design is a proactive measure, anticipating potential privacy breaches before they occur.

Entities must implement safeguards for the processing of personal information throughout the entire data lifecycle. Therefore, procedures must be defined and protection mechanisms implemented from the very design of databases and information systems, among others.

In adopting this principle, it is important to perform an initial classification of data, define the techniques to be used, identify those responsible for processing, and ensure that the organization is capable of guaranteeing data protection.

Privacy by design should consider: the nature of the data, the level of risk to data subjects, the consequences arising from a breach — evaluating the damages and losses caused—the reliability of the technique applied to data processing, and the scope of the processing.

Privacy by Default

This principle is based on proportionality and data necessity. That is, considering the collection of strictly necessary data for the intended purpose and avoiding indiscriminate data collection, which increases the likelihood of compromising individuals’ privacy.

By default, entities must ensure that personal data is processed with the highest level of privacy protection and must process only the data necessary for the specific purpose of the processing.

Privacy by default takes into account, from the moment personal data is captured: the amount of data, the duration of its processing, the retention period, and the level of accessibility to the data.

Data Encryption

Although the term encryption may sometimes seem quite technical, it is very important for senior management within an organization to understand its concept and take advantage of the benefits it provides, especially when protecting personal information against unauthorized access and manipulation.

Encrypting data refers to the process by which information changes from a readable state to an unreadable or secret state, through a computer algorithm and one or more encryption keys.

When data is encrypted, it acquires a set of properties that make it far less vulnerable to unauthorized access and reduces the risk of disclosure of confidential personal information.

Applying encryption to protect absolutely all of an organization’s data is considered impractical, especially when addressing the daily operational processes required. In this sense, all data considered sensitive or of high value to the organization should be encrypted.

Once the data to be encrypted has been identified, the following must be considered:

  • That the encryption system used is not compromised; that is, at the time of use, there is no known way to break it.
  • That an appropriate and robust key management system is in place, along with proper procedures for managing cryptographic material.

When selecting an encryption method, other characteristics or required options must also be considered, such as whether encryption is used internally or to send information to a third party, computing resource consumption, cost, among others.

Regardless of the solution selected to effectively protect the confidentiality and integrity of an organization’s data, it is essential to choose a sufficiently long encryption key and select a robust algorithm with no known vulnerabilities.

If encryption is not performed correctly and personal data is exposed to unauthorized third parties, regardless of how they process such data, this would constitute a public disclosure of personal data as defined by the GDPR and would therefore be subject to sanctions by the relevant supervisory authority.

In this regard, it is crucial to devote the necessary effort and resources to choosing a sound encryption strategy that allows the organization, on the one hand, to comply with current personal data protection legislation and, on the other hand, to protect its data robustly and provide the necessary trust to its customers.

Protelions’ VPN technology uses the AES cryptographic standard with paired symmetric keys of 256-bit length to protect data. This ensures robust encryption and does not use the so-called “handshake,” which is employed in almost all virtual private networks (VPNs) that use the IPSec standard, where, prior to encrypting data, transmission devices exchange information using asymmetric keys to agree on which encryption algorithm will be used to send the data.

Back to list

Blog

Blog
Personal Data Protection (Part 2)
16.12.2025
Since the General Data Protection Regulation (GDPR) came into force in Europe, many techniques have been used by companies to effectively
Read more
Blog
Privacy vs. Security: Finding the Balance in an Increasingly Connected World
07.10.2025
From unlocking your phone with a glance to moving through an airport security gate, technology quietly collects pieces of our lives.
Read more
Blog
SNMP Security
18.10.2025
SNMP (Simple Network Management Protocol) consists of 3 essential parts
Read more