Requirements
What the regulation expects

Customer-controlled keys under GDPR
Art. 32 measures should be effective—not only “encrypted” labels in a vendor console.
Integrity and confidentiality of processing
You must protect personal data against unlawful processing, accident, and breach. Strong encryption reduces impact; controlling keys reduces who can bypass that protection.
Data transfers and supplementary measures
After Schrems II, technical supplementary measures often include encryption where keys are not available to non-adequate recipients. External key stores and split-key models support that story—subject to your legal analysis.
Breach notification and accountability
If data is encrypted with state-of-the-art algorithms and keys were not compromised, impact assessments change. Key custody under your SOC/ISO programme supports consistent documentation.
Solutions
Relevant DuoKey products
Apply consistent access rules, auditing integrations, and approved cryptographic backends.
Prevent the US cloud operator from being the sole custodian of keys that protect personal datasets—per your legal strategy.
Isolate the highest tiers with customer-held keys or double encryption where Microsoft never holds the outer key alone.
Issue and control tokens tied to your key material so re-identification stays gated.
Key themes
Where customer-controlled keys fit
DuoKey helps controllers and processors move beyond checkbox encryption by putting key custody, access policies and audit trails under your organisation's governance — supporting effective Art. 32 measures and defensible breach narratives.
Art. 32(1)(a) — pseudonymisation and encryption
Pair field-level or volume encryption with key procedures you operate and audit—not only the cloud console the vendor gives you.
Art. 32 — restoring availability and access
Key backups, HSM clustering, and MPC quorum designs support resilience without giving up control.
