The ICO exists to empower you through information.

At a glance 

  • The UK GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.
  • Article 32 of the UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.
  • Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.
  • You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.
  • When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.
    You should be aware of the residual risks of encryption, and have steps in place to address these.

Checklists

☐ We understand that encryption can be an appropriate technical measure to ensure that we process personal data securely.

☐ We have an appropriate policy in place governing our use of encryption.

☐ We ensure that we educate our staff on the use and importance of encryption.

☐ We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal data we store and/or transmit.

☐ We understand the residual risks that remain, even after we have implemented our encryption solution(s).

☐ Our encryption solution(s) meet current standards such as FIPS 140-2 and FIPS 197.

☐ We ensure that we keep our encryption solution(s) under review in the light of technological developments.

☐ We have considered the types of processing we undertake, and whether encryption can be used in this processing.

In brief 

What does the UK GDPR say about encryption?

  • The UK GDPR’s security principle requires to you put in place appropriate technical and organisational measures to ensure you process personal data securely.
  • Article 32 provides further considerations for the security of your processing. This includes specifying encryption as an example of an appropriate technical measure, depending on the risks involved and the specific circumstances of your processing.  The ICO has seen numerous incidents of personal data being subject to unauthorised or unlawful processing, loss, damage or destruction. In many cases, the damage and distress caused by these incidents may have been reduced or even avoided had the personal data been encrypted.
  • It is also the case that encryption solutions are widely available and can be deployed at relatively low cost.
  • It is possible that, where data is lost or destroyed and it was not encrypted, regulatory action may be pursued (depending on the context of each incident).

 What is encryption?

  • Encryption is a mathematical function that encodes data in such a way that only authorised users can access it.
  • It is a way of safeguarding against unauthorised or unlawful processing of personal data, and is one way in which you can demonstrate compliance with the security principle.
  • Encryption protects information stored on mobile and static devices and in transmission, and there are a number of different encryption options available.
  • You should consider encryption alongside other technical and organisational measures, taking into account the benefits it can offer and the risks it can pose.
  • You should have a policy in place governing the use of encryption, including appropriate staff education.
  • You should also be aware of any sector-specific guidance that applies to you, as this may require you to use encryption.

Encryption and data storage

  • Encrypting data whilst it is being stored provides effective protection against unauthorised or unlawful processing.
  • Most modern operating systems have full-disk encryption built-in.
  • You can also encrypt individual files or create encrypted containers.
  • Some applications and databases can be configured to store data in encrypted form.
  • Storing encrypted data still poses residual risks. You will need to address these depending on the context of your processing, such as by means of an organisational policy and staff training

Encryption and data transfer

  • Encrypting personal data whilst it is being transferred provides effective protection against interception by a third party.
    You should use encrypted communications channels when transmitting any personal data over an untrusted network.
  • You can encrypt data prior to transmission over an insecure channel and ensure it is still protected. However, a secure channel provides assurance that the content cannot be understood if it is intercepted. Without additional encryption methods, such as encrypting the data itself prior to transmission, the data will only be encrypted whilst in transit.
  • You should look to use HTTPS across your entire site. While there are some circumstances that can make this difficult you still need to take appropriate steps such as ensuring that all areas of user input are protected.
  • Encrypted data transfer still poses residual risks. You will need to address these depending on the context, such as by means of an organisational policy and staff training.

What types of encryption are there?

  • The two types of encryption in widespread use today are symmetric and asymmetric encryption.
  • With symmetric encryption, the same key is used for encryption and decryption. Conversely, with asymmetric encryption, different keys are used for encryption and decryption.
  • When using symmetric encryption, it is critical to ensure that the key is transferred securely.
  • The technique of cryptographic hashing is sometimes equated to encryption, but it is important to understand that encryption and hashing are not identical concepts, and are used for different purposes.

How should we implement encryption?

  • When implementing encryption it is important to consider four things: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
  • Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
  • It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should therefore assess whether your key sizes remain appropriate.
  • The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards such as FIPS 140-2 and FIPS 197.
  • Advice on appropriate encryption solutions is available from a number of organisations, including the National Cyber Security Centre (NCSC).
  • You should also ensure that you keep your keys secure, and have processes in place to generate new keys when necessary to do so.

Encryption scenarios

There are a number of typical data processing activities where you should consider the use of encryption. These are outlined in our detailed guidance which includes a section on common scenarios.

In each case, it is important that you consider the residual risks that remain even after you put the encryption in place.

Further reading

Security

Security outcomes

Data protection by design and default

We have published detailed guidance on encryption including a number of common scenarios and risks.