Suppose we have some user's personal data, that we have to encrypt and store in a database. I've read this would technically not be a breach of personal data, since the attacker would only have unintelligible data on his hands.
Is this true to your knowledge? Supposing the data would be appropriately encrypted, would an attack not count as a breach of personal data (something we would be held accountable for?)
Encryption is a mandatory safety measure which might mitigate some risks to data subjects and could therefore influence whether a breach must be reported. It does not affect your accountability or liability.
Per Art 32, the data controller is responsible for implementing appropriate technical and organizational safety measures. What is appropriate e.g. depends on the relevant risks, the state of the art, and the cost of implementation. Certain measures are explicitly suggested, and must therefore be considered. These include:
Certain approaches like full disk encryption and transport encryption are likely to be the bare minimum in this context, assuming state of the art encryption algorithms are used. Row-level encryption might provide stronger security guarantees, but isn't necessarily appropriate. Wherever encryption is appropriate it does not afford extra protection to the data controller – instead, a lack of appropriate encryption would be a GDPR violation.
When a data breach occurs, it is necessary to notify the supervisory authority and the data subjects.
The supervisory authority must be notified without delay, and at the latest within 72 hours of becoming aware of the breach. The notification is not required if “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons”. It is possible to argue that strong encryption means that the risk is fairly low, and that the notification could therefore be skipped. However, this is a fairly risky argument to make and there are no downsides to making the notification. So even with encryption, it would be best to notify the data protection agency as a CYA measure. Regardless of whether the authority was notified, it is necessary to keep internal documentation about all such incidents.
Communication to data subjects is only required where there is a “high risk” to natural persons. Art 34(3) also lists certain conditions under which no individual notification of affected data subjects is necessary:
So it is quite possible that if you use appropriate encryption, then you might not be legally required to notify data subjects in case of a data breach.
Practical example: there is personal data on a work smartphone. The smartphone was lost on a train.
I find it more difficult to make such arguments about encryption for a database, because database servers are typically not breached directly. Instead, the application servers that connect to the database will be breached. Unless this is a backend for an E2EE application, these application servers will have access to the plaintext data. For example in the case of row-level encryption, the application server might hold the keys. But if this server is compromised, the keys would be compromised as well.
So before claiming that encryption would improve your GDPR compliance approach, it must first be determined whether such encryption is an appropriate measure in your specific context. In particular, I would expect care regarding the question how keys are managed so that they are shielded from attacks.
This answer assumes that a loss of control over encrypted data is still a personal data breach. I think that this interpretation is correct since encryption does not meet the GDPR's definition of anonymization, and since the GDPR repeatedly discusses encryption as a measure to protect personal data. This viewpoint also seems to be shared by the EDPB guidelines, such as their discussion of encryption as a supplemental measure to protect international transfers.
