One Way Hash Functions and Data Privacy Compliance.

Hunter Nelson
Published: April 11, 2019
Last Updated: June 27, 2024
cryptographic hash functions
Home » Blog » One Way Hash Functions and Data Privacy Compliance.
Free Web Marketing Consultations

Helping B2B Technology Companies Increase Their Lead Volume.
Serving: IT, MSP, Cybersecurity, Software Dev, SaaS, ISV, VARs & More.
Apply Now
Table of Contents
    Add a header to begin generating the table of contents

    This article will discuss how a one way hash function can be used in the context of privacy compliance for regulations like the GDPR. Storing customer’s personal data is an inevitability for scaling businesses in today’s technical world. One way hash functions are a useful tool to store sensitive customer data such as passwords and social security numbers in a blind manner that reduces your risk. We’ll talk about what one way hash functions are, why you should care, and their place in a data privacy compliance context.

    The Information Security Challenge

    We’ve all seen the headlines about high profile data breaches for sensitive customer data. These breaches are occurring at the highest level companies and information security companies themselves are not immune to targeting by hackers.

    Since information security professionals largely find ways to protect against known attacks and hackers are constantly devising new attacks, hackers have the advantage. Because of this, application providers must a) assume that stored data will be breached and b) take appropriate steps to protect the data so that the impacts of a breach are minimized.

    Enter the one way hash function.

    About One Way Hash Functions

    one way hash, example graphic

    The graphic above illustrates how one way hash functions work. An arbitrary input, such as an email address or password, is provided and run through the hashing function and the result is a fixed-length alphanumeric string of characters.

    The provided input will always result in the same fixed length set of characters but it is impossible to determine what the original input was because the encryption algorithm only goes one way.

    This gives us a fantastic tool to store customers personal data in such a manner that the application provider has no knowledge of the originally provided input.

    For example, lets say a fictitious user is logging in with a password “pass123”.

    When the user registers with the password, it is run through a one way hashing function and the resulting hash code “x6y1otB” is generated.

    The application provider stores this hash code in their database and has no knowledge of the original password. Yet, when the user attempt to login the next time, the original “pass123” hashes back to “x6y1otB” and we can confirm that they did indeed supply the correct password without ever knowing what it was.

    This is a powerful protection in an information security sense because if a hacker was to gain access to the database and steal the stored passwords they will only see the hash codes that were stored and would not be able to decipher what the original password was.

    This gives application providers a chance to inform users of a breach, lock out accounts and force password changes while the vulnerability is corrected. It saves a tremendous amount of hassle for the end consumer because their data remains far safer than if the password was stored in plain text and then was subsequently compromised.

    If the password was stored in plain text, the hacker would have been able to login to the compromised user’s account and do far more damage.

    Emerging Privacy Law

    Savvy application providers have been implementing techniques likes this for several reasons.

    • Reduces Liability
    • Decreases Risk
    • Increases Customer Satisfaction
    • Decreases the Attractiveness of Attack to Hackers

    Data privacy has become a hot topic over recent years and implementing information security is no longer just a tactic employed by top companies for their benefit of their consumers – it’s become a legal requirement.

    Data privacy laws such as the GDPR and California Consumer Privacy Act rarely specify the exact solutions required for securing personally identifiable consumer information but they make it clear that efforts to secure customer information must be made, and documented, and must periodically be audited by an appointed data privacy officer within the organization.

    As such, the one way hash function has become an important tool in the application providers belt to secure and process personal information.

    Share This Article
    Posted in: ,
    Tagged: , ,

    Hunter Nelson

    Hunter is the founder and president of Tortoise and Hare Software, a digital marketing agency for the technology sector and other lead generation oriented businesses. Hunter has more than 10 years’ experience building web applications and crafting digital strategies for companies ranging from scrappy startups to Fortune 50 household names. When not on the clock, you'll find him spending time with his family and pups, relaxing on the beach, or playing competitive online video games. See for more.

    Leave a Comment





    Recent Blog Posts

    SEO Not Working: Here’s Why

    Lately I’ve been getting on more and more calls lately with people saying something along the lines of “we’ve been doing SEO or inbound for 6 months, 12 months, or…

    Why SEO Investments Help Your MSP Weather a Recession and Keep the Door Open for New Opportunities

    What happens to your pipeline when the phones go quiet, inboxes stay cold, and paid ads stop converting? That’s not a hypothetical. It’s what happens in a recession. Budgets freeze.…

    MSP Marketing – How to Build a Strategy That Works

    Let’s be honest—most MSP marketing doesn’t work.Not because the tactics are bad, but because they’re unaligned. What looks like a marketing problem is often a strategy problem in disguise. Most…

    The 10 Best MSP SEO Agencies To Help You Grow Organic Traffic

    If you’re searching for SEO agencies for MSPs, the list of generalists can feel endless—and underwhelming. Most SEO providers don’t understand the managed services space, much less the buyer behavior,…

    Why Your MSP’s Online Marketing Efforts Are Failing

    If you’re leading an MSP and investing in online marketing, you’re probably feeling a growing sense of frustration. You’ve put money into websites, content, ads—even hired an agency or two…

    What Makes a Great MSP Website? 5 Examples You Should Follow

    Your MSP website is more than just an online brochure—it’s a powerful tool for attracting and converting potential clients. But what makes a website truly effective in the competitive managed…

    Related Blog Posts

    CMMC Presents New Marketing And Sales Opportunity for MSPs

    Have you heard about the Cybersecurity Maturity Model Certification (CMMC)? It’s a universal standard meant to enhance and normalize cybersecurity throughout the Defense Industrial Base (DIB). Released on January 31,…

    Why do I need a Privacy Policy?

    Data privacy is a topic that is of growing concern to many consumers around the U.S. and you may have heard the term privacy policy a time or two in…

    GDPR Principles: Accuracy

    The accuracy principle states that controllers and processor should make reasonable efforts to ensure personal data is accurate.  They must allow citizens to challenge the accuracy of data and take steps to rectify or erase the data associated with the challenge.  Verification is sometimes needed to ensure data is accurate.  Controllers and processors should consider the impact to the individual and whether they collected the data or the user provided it when determining appropriate verification steps.  Organizations should document challenges and their responses thoroughly and in a timely manner. They should also document the thought process for determining whether personal data needs to be verified and the verification steps taken if necessary.

    SAR Portal – Privacy Definitions

    The GDPR and subsequent chain of privacy laws passed in countries around the world have resulted in a slough of new lingo for privacy professionals and IT professionals to learn.  One of these new terms is the SAR portal.  SAR portal stands for Subject Access Request portal.  Many of the new privacy laws grants certain rights to the citizens of their countries that allow them to make certain requests to businesses and other organizations that collect and process personal data.  The types of rights that are granted to citizens varies from country to country.  Some example requests that can be made are….

    GDPR Principles: Data Minimization

    Data minimization is the concept of collecting the minimum amount of data needed to carry out the stated purpose and no more.  When conducting a data minimization evaluation you must ensure that the data collected is adequate and relevant to your stated purpose as well as limited. The onus is on the organization to document compliance with this principle.  We recommend documenting a review of this principle each time new personal data is collected or processed.  Conduct at least an annual audit of personal data that has been collected or processed to ensure that changes in the business have not impacted compliance with the data minimization principle.

    GDPR Principles: Purpose Limitation

    The GDPR’s purpose limitation principle constrains the use of personal data to the original purposes or those purposes compatible with the original purpose.  There are a handful of pre-approved compatible purposes such as archiving purposes in the public interest, scientific and historical purposes, and statistical purposes. Under the GDPR, the burden falls on controllers and processors to document their purposes and reasoning behind them.  These must be documented externally to be transparent to the end user, and internally with regular audits. Care must be taken when deciding a purpose is compatible with the original.  An analysis must be conducted to determine compatibility and it’s a good idea to document the reasoning behind claiming a purpose is compatible with the original. Make sure to consider linkages to the original purpose, and consequences to the end user.

    Top Blog Content

    The Ultimate Guide To MSP SEO

    Search Engine Optimization (SEO) is one of the most important ways to attract new business for mid-market managed service providers (MSP). If you look at MSPs that have achieved any…

    The Ultimate Guide To Paid Search On Google Ads For Managed Service Providers

    Generating leads for your MSP can be a challenge. You spend so much time managing employees, making sure customer support tickets are answered, procuring hardware, and defending against cyber threats,…

    The Ultimate Guide To MSP Website Optimization

    A well-optimized website is essential for Managed Service Providers (MSPs) looking to scale their business, attract more leads, and achieve a lucrative exit. A lot of MSPs check a few…

    The Ultimate Guide to Hiring an MSP Marketing Agency

    Are you one of the many MSPs struggling to attract new clients consistently? According to research conducted by MSP Dojo, a leading MSP sales consulting firm, approximately 85% of MSPs…

    The Ultimate Guide To Setting A Marketing Budget For IT Companies

    Many IT companies get their start as a one-man operation and rely almost exclusively on word of mouth, referrals, and other organic offline means to get past their initial growth…

    Featured Review of Tortoise and Hare

    ryan drake president nettech consultants
    R.D.
    President Florida Based MSP

    Tortoise and Hare has been a key partner in our MSP's growth. Over the year's we've worked together they've helped our MSP dramatically increase our website traffic, and build a steady stream of leads sourced from our website and advertising efforts. Over that time, we've been able to raise our base customer size, build economies of scale to more efficiently service customers, and expand into new markets.