How to use encryption to keep data secure

When handling personal data, ensuring robust cyber security is essential for GDPR compliance.

One of the most effective tools for meeting this obligation is encryption. Although not strictly required by law, the Information Commissioner’s Office (ICO) considers encryption a best practice measure and may take enforcement action where unencrypted data is compromised. Whether your business stores or transmits personal information, the correct encryption strategy can significantly reduce your risk exposure.

Our experienced data protection solicitors can advise on tailored encryption solutions that align with your risk profile, regulatory responsibilities, and commercial objectives. These solutions can help you avoid fines, safeguard your reputation, and build trust with your clients.

How encryption works

Encryption uses an algorithm together with a secret key to turn readable personal data (the plaintext) into ciphertext that is meaningless on its own. Those authorised to access the data hold the corresponding decryption key; the same algorithm uses that key to convert the ciphertext back into its original, readable format.

With a modern algorithm and a properly generated key, the ciphertext is indistinguishable from random data, so it is computationally infeasible to decrypt it without the key. Data can be encrypted while it is stored (encryption at rest, for example full-disk or database encryption) or while it is being transmitted, whether to a third party or between your own systems (encryption in transit, for example TLS). Encryption only protects data in those two states: the moment data is decrypted for use, it is as exposed as the device or application using it.

Key types of encryption to understand

Our clients should be familiar with symmetric and asymmetric encryption. In symmetric encryption, senders and recipients of data use the same secret key, so that key must be shared and protected at both ends. In asymmetric encryption, sometimes known as public key encryption, a pair of mathematically linked keys is used: anyone holding the public key can encrypt, but only the holder of the matching private key can decrypt, so the private key never needs to be shared. In practice the two are combined: a public key is used to agree or wrap a one-off symmetric key, which then encrypts the data itself (often called hybrid encryption).
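As an added illustration of the two key types just described (this is example code written for this page using Go's standard library; it is not from the original article or from ICO or NCSC guidance, and the personal-data record in it is constructed, not real), the block below encrypts a record symmetrically with AES-256-GCM, then does the same with a recipient's X25519 public key so that only the matching private key can decrypt. The function names and the simple SHA-256 key derivation are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newAEAD wraps a 32-byte key in AES-256-GCM: decryption fails on a wrong key or any altered bit.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: sender and recipient share one secret key. Output is nonce || ciphertext || tag.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // random; must never repeat under the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt and needs the very same key.
func SymmetricDecrypt(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// deriveKey hashes the shared secret, a label and both public keys into a 256-bit AES key (use HKDF in production).
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{[]byte("x25519-aes256gcm-v1"), shared, ephPub, recipientPub}, nil))
	return sum[:]
}

// HybridEncrypt is public-key encryption as used in practice: the sender needs only the recipient's
// public key, agrees a fresh ephemeral X25519 key against it, and encrypts symmetrically under the derived key.
func HybridEncrypt(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	blob, err := SymmetricEncrypt(deriveKey(shared, ephPub, recipientPub.Bytes()), plaintext)
	if err != nil {
		return nil, err
	}
	return append(ephPub, blob...), nil // ephemeral public key (32 bytes) || nonce || ciphertext || tag
}

// HybridDecrypt: only the holder of the matching private key can rebuild the AES key.
func HybridDecrypt(recipientPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32 {
		return nil, errors.New("ciphertext too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(deriveKey(shared, blob[:32], recipientPriv.PublicKey().Bytes()), blob[32:])
}

func main() {
	record := []byte("name=J. Bloggs; dob=1970-01-01") // constructed sample, not real personal data
	recipient, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sealed, _ := HybridEncrypt(recipient.PublicKey(), record)
	opened, _ := HybridDecrypt(recipient, sealed)
	fmt.Printf("hybrid round trip: %q\n", opened)
	sealed[len(sealed)-1] ^= 0x01 // one flipped bit in storage or transit
	_, err := HybridDecrypt(recipient, sealed)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

Two points the prose above cannot show on its own: the sender in HybridEncrypt never touches the recipient's private key, which is why public key encryption removes the key-sharing problem, and because AES-GCM is an authenticated cipher, a wrong key or a single altered bit makes decryption fail outright rather than return garbage.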

What the GDPR says about encryption

The GDPR mentions encryption in conjunction with the security principle. Article 32 names the encryption of personal data as an example of a technical measure that can effectively protect the data you process and control, to be implemented 'as appropriate' to the risk. However, it's important to note that the GDPR doesn't impose a blanket obligation on controllers or processors to use encryption. Only when encryption is the right measure for you to take should you consider using it.

This will depend on:

  • The circumstances in which you process data
  • The risk to individuals presented by your data processing
  • The investment in technology you’ll need to make in order to encrypt data

When encryption is legally required

Encryption is not an absolute legal requirement under data protection legislation such as the GDPR. However, the GDPR makes specific reference to encryption as an example of the type of technical measure that can be used to enhance data security, and the ICO has published detailed guidance on the use of encryption for organisations subject to the GDPR. That guidance indicates that where personal data is lost and encryption was not in place, regulatory action may be taken. So it's safe to say that encryption, in appropriate circumstances, is encouraged by regulators.

It's also worth mentioning that the draft ePrivacy Regulation talks about 'promoting' encryption as a security measure, and some proposals for that law would make encryption mandatory, in line with the principles of security and privacy by design.

Benefits of encrypting personal data

While encryption isn’t mandatory – for now – it has several significant benefits:

  • It’s a highly effective way to enhance the security of the data you process and control.
  • If a company device is stolen or lost, the data on its drive remains unreadable, provided full-disk encryption was switched on, the device was powered off or locked, and the key is protected by a strong passphrase or a hardware-backed mechanism rather than stored on the same drive.
  • It’s one way to demonstrate to regulators, clients, and consumers that you take data privacy seriously.
  • When data is encrypted, only holders of the relevant key (normally the intended recipient) can read it, thereby protecting the privacy of data subjects even if the ciphertext is intercepted or copied.
  • In certain circumstances, following a data breach, you may not have to notify the affected individuals if the data was properly encrypted and the key was not compromised. You may still have to notify the ICO, but the reputational damage caused by a breach can be significantly reduced if you don't have to inform clients or customers that their data has been compromised. It's essential to understand your legal responsibilities when dealing with data breaches, especially where encryption is a factor.

Risks to consider when using encryption

Encryption isn’t foolproof. It protects data while it is stored or in transit, not while it is in use, so an unauthorised individual may still read data in certain circumstances. For example, when:

  • An authorised user leaves a device unlocked and unattended while decrypted data is open on it.
  • Malware infects the device and reads data after the legitimate user or application has decrypted it, or captures the key or passphrase.
  • A vulnerable application on a device is compromised, exposing any data that the application can access.
  • The key is stored alongside the encrypted data, or is weak enough to be guessed.

Many of these risks stem from how people and devices handle data once it has been decrypted, so they are best addressed through effective data protection training combined with basic endpoint controls such as automatic screen locking, patching and anti-malware software.

Best practices for implementing encryption

Introducing encryption techniques across your business is a big step. You should ensure that you:

  • Get the right encryption product. Choosing appropriate software is the first decision you’ll make, and you should ensure it meets current standards. In its guide to data security, the ICO provides guidance on encryption. The National Cyber Security Centre (NCSC) doesn’t provide one definitive list of approved encryption products. Instead, it offers detailed advice on recommended algorithms, protocols, and configurations tailored to specific use cases, so check that your product uses those rather than proprietary or outdated ones.
  • Audit your data. What do you need to encrypt? Consider the implications if particular data were compromised. If the fallout is likely to be minimal, encryption may not be a proportionate or appropriate solution.
  • Keep keys secure. Ensure all keys are fully protected and backed up: an encrypted backup whose key has been lost is unrecoverable. Always keep the keys separate from the data, for example in a dedicated key management service or hardware security module rather than on the same server or in the same repository as the ciphertext, and control and log who can use them.
  • Have a sound encryption strategy. Ensure that it’s clear and that it applies consistently across the organisation.
  • Carry out regular checks on your systems, including unannounced spot checks. This will help you identify weaknesses before a breach occurs.
  • Review your encryption policies regularly. Ensure they are helping to keep your data secure, and consider how the encryption strategy can be modified.

Why encryption matters for your business

Encryption is an effective cyber security measure: it protects the confidentiality of data at rest and in transit, so that stolen devices, intercepted traffic or copied databases yield nothing useful to hackers and cyber criminals. It does not on its own secure your whole network, and it must sit alongside access control, patching and monitoring. In the context of personal data, encryption is recognised by regulators such as the ICO as a means of meeting the GDPR’s requirements for securing data. This helps reduce the risk of regulatory scrutiny and may limit otherwise significant fines in the event of a breach. From a commercial perspective, using encryption can improve your reputation among clients and improve your competitiveness.

How legal advice can help your encryption strategy

A considered, well-executed encryption policy is not only an essential part of your cyber security framework – it also sends a clear message that your business takes data protection seriously. From choosing the right software to keeping encryption keys secure and training your team, many technical and organisational decisions will shape your approach. If you’re unsure where to start or need reassurance that your current practices are up to standard, our data protection solicitors can guide you. We work with businesses across various sectors to implement proportionate and effective data security measures that support compliance and protect your commercial interests.


What next?

If you need advice on electronic communication regulation, and how encryption can enhance your data security we can help. Call our data protection team on 0800 689 1700, email us at enquiries@harperjames.co.uk, or fill out the short form below with your enquiry.

Your data will only be used by Harper James. We will never sell your data and promise to keep it secure. You can find further information in our Privacy Policy.

