Encryption
The process of converting data into a coded form that can only be read by authorized parties with the correct decryption key. Encryption protects data both at rest and in transit, and is a fundamental requirement across all major compliance frameworks.
Encryption is one of the most important technical controls for protecting sensitive information. Modern encryption uses mathematical algorithms (such as AES-256 for symmetric encryption and RSA or elliptic curve cryptography for asymmetric encryption) to ensure that data cannot be read by unauthorized parties.
Compliance frameworks require encryption in two primary contexts: encryption at rest (protecting stored data on disks, in databases, and in backups) and encryption in transit (protecting data as it moves across networks, typically using TLS, the successor to the now-deprecated SSL protocols). Some regulations also address encryption in use (protecting data while it is being processed in memory), though this remains an emerging technology area.
For DORA and ISO 27001 compliance, organizations must implement encryption policies covering algorithm selection, key management, key rotation schedules, and key destruction procedures. GDPR specifically mentions encryption as a technical measure to protect personal data, and its use can influence the requirement to notify data subjects in case of a breach — if encrypted data is breached but the keys are secure, notification may not be required.
Related Terms
GDPR (General Data Protection Regulation)
The EU regulation governing the processing of personal data of individuals within the European Economic Area. GDPR establishes strict rules for data collection, storage, processing, and transfer, with penalties of up to 4% of annual global turnover for violations.
ISO 27001
The international standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive company information, ensuring it remains secure through a framework of policies, processes, and technical controls.
Access Control
The selective restriction of access to resources, systems, and data based on user identity and authorization. Access control is a fundamental security control required by ISO 27001, SOC 2, DORA, and GDPR to ensure that only authorized personnel can access sensitive information.
Data Processing Agreement (DPA)
A legally binding contract between a data controller and data processor that governs the processing of personal data. Required by GDPR Article 28, a DPA specifies the scope, purpose, and duration of processing, as well as the obligations of each party.
Automate compliance with Matproof
DORA, SOC 2, ISO 27001 — get audit-ready in weeks, not months.