Law & Policy Full Day Workshop

Legal Liability from Cryptographically Vulnerable Data Retention

This workshop helps data protection officers, general counsel, and compliance leads assess and mitigate the legal liability from retaining data that will become vulnerable to quantum decryption.

Full day (6 hours + Q&A)
In person or online
Max 30 delegates

Proud to recommend our expert members

Qrypto Cyber
Eclypses
Arqit
QuantBond
Krown
Applied Quantum
Quantum Bitcoin
Venari Security
QuStream
BHO Legal
Census
QSP
IDQ
Patero
Entopya
Belden
Atlant3D
Zenith Studio
Qudef
Aries Partners
GQI
Upperside Conferences
Austrade
Arrise Innovations
CyberRST
Triarii Research
QSysteme
WizzWang
DeepTech DAO
Xyberteq
Viavi
Entrust
Qsentinel
Nokia
Gopher Security
Quside

Workshop Description

Organisations retain encrypted data for years or decades under statutory and regulatory obligations. Financial records under MiFID II may be held for seven years. Medical records persist for decades. Privileged legal communications have no expiry. All of this data is currently protected by RSA and elliptic curve cryptography that a sufficiently capable quantum computer would break. The harvest-now-decrypt-later (HNDL) threat means adversaries can capture encrypted data today and decrypt it when quantum hardware matures. The legal question is whether organisations that know this risk exists, yet continue to retain data under vulnerable encryption, are meeting their duty of care.

GDPR Article 32 requires "appropriate technical and organisational measures" that account for the "state of the art." As NIST finalises post-quantum standards and national agencies issue migration guidance, the argument that quantum risk is speculative weakens. This workshop examines how courts and regulators are likely to interpret these obligations, identifies the sector-specific retention periods that create the longest quantum exposure windows, and provides a framework for documenting quantum-aware decisions that create a defensible compliance record.

What participants cover

  • GDPR Article 32 "state of the art" interpretation: when quantum-resistant encryption becomes the expected standard
  • Harvest-now-decrypt-later liability: the legal exposure from adversaries capturing encrypted data for future quantum decryption
  • Sector-specific retention analysis: MiFID II, PSD2, NHS, SRA, and Sarbanes-Oxley retention periods mapped against quantum threat timelines
  • Board-level risk documentation: translating quantum cryptographic vulnerability into Companies Act 2006 directors' duties language
  • Cyber insurance and D&O implications: how quantum risk disclosure affects coverage terms and director liability
  • Data minimisation as risk reduction: deleting data beyond its required retention period to eliminate quantum exposure

Preliminary Agenda

Full Day Workshop structure with scheduled breaks. Content is configurable to your organisation's sector, data retention obligations, and regulatory jurisdiction.

Sessions and topics

1. The Harvest Now, Decrypt Later Liability Problem
   Why data encrypted today creates legal exposure tomorrow

2. GDPR Article 32 and the Quantum Security Obligation
   When "appropriate technical measures" must account for future cryptanalytic capability
    • Article 32(1) "state of the art" interpretation: how regulators and courts will assess quantum-era encryption adequacy
    • Article 5(1)(f) integrity and confidentiality principle: retention of data beyond its cryptographic protection lifespan
    • ICO and EDPB enforcement precedent: how current GDPR penalties for inadequate encryption map onto quantum vulnerability scenarios

Break, after 50 min

3. Data Retention Obligations Versus Cryptographic Risk
   Sector-specific retention periods and their quantum exposure windows
    • Financial services: MiFID II (5-7 years), PSD2, and Sarbanes-Oxley retention requirements against quantum threat timeline estimates
    • Healthcare: GDPR special category data, NHS retention schedules, and the extended sensitivity window for medical records
    • Legal profession: SRA record-keeping obligations, litigation hold requirements, and privileged communications with indefinite retention expectations

4. Interactive Demonstration: Liability Risk Assessment
   Full-day format only
    • Mapping an organisation's data inventory against retention obligations and quantum vulnerability windows
    • Calculating the "harvest window": estimating when currently encrypted data could be retrospectively decrypted
    • Drafting a quantum risk disclosure for board reporting and regulatory filings

Break, after 60 min

5. Documenting Quantum Risk to Manage Liability
   Building a defensible record of quantum-aware decision-making
    • Risk register entries: documenting quantum cryptographic risk alongside existing information security risks
    • Board reporting: translating quantum vulnerability into business risk language for directors' obligations under Companies Act 2006
    • Insurance implications: how quantum risk disclosure affects cyber insurance coverage and D&O liability

6. Mitigation Strategies and Regulatory Engagement
   Practical steps to reduce exposure before quantum-capable adversaries arrive
    • Data minimisation as quantum risk reduction: deleting data you no longer need eliminates its quantum exposure entirely
    • Re-encryption with quantum-resistant algorithms: NIST FIPS 203 (ML-KEM) for data at rest, hybrid TLS for data in transit
    • Proactive regulatory engagement: demonstrating quantum awareness to regulators before enforcement action

7. Q&A and Risk Mitigation Planning

Designed and Delivered By

Workshops are designed and delivered by QSECDEF in collaboration with sector specialists. All facilitators have direct experience in both quantum technologies and data protection law.

Quantum Security Defence

Workshop design and delivery

QSECDEF brings world-leading expertise in post-quantum cryptography, quantum computing strategy, and defence-grade security assessment. Our advisory membership spans 600+ organisations and 1,200+ professionals working at the intersection of quantum technologies and critical infrastructure security.

Data Protection and Privacy Law Partners

Domain expertise and regulatory validation

Data retention workshops are co-delivered with privacy lawyers and data protection specialists who have direct experience in GDPR enforcement, ICO investigations, and sector-specific retention compliance. This ensures workshop content reflects current regulatory interpretation and case law.

Commission This Workshop

Sessions are configured around your organisation's sector, data retention obligations, and regulatory jurisdiction. Get in touch to discuss requirements and schedule a date.