In detail

What does the GDPR say about encryption?

Article 5(1)(f) of the GDPR states that personal data shall be:

‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

This is the GDPR’s ‘integrity and confidentiality’ principle, or ‘security principle’ for short. Although the security principle does not define the meaning of ‘appropriate’, the GDPR has further considerations in Article 32, ‘security of processing’:

‘Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) pseudonymisation and encryption of personal data’

This means that you can consider the state of technological developments and costs involved when assessing what security measures to implement. However, as encryption is an established, well-understood and widely-deployed technology that is available in a large number of solutions and can be implemented relatively easily, it is likely that in many cases it will form part of the technical measures you look to put in place.

Are we required to encrypt personal data?

The GDPR includes encryption as an example of a technical measure that can be appropriate to protect the personal data you hold. Ultimately, whether or not encryption is the right measure to put in place depends on your circumstances—the sort of processing you are undertaking, the risks that may be posed to individuals’ rights and freedoms, and the state of the art of technology available to you to protect that data.

Recital 83 says:

‘In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.’

This is not a new approach. The Information Commissioner has seen numerous incidents where personal data has been lost, stolen, or subject to unauthorised access. Many of these cases involved data being inadequately protected, or the devices the data was stored on being left in inappropriate places – and sometimes both.

Where such losses occur, and where encryption has not been used to protect the data, it is possible that regulatory action may be pursued. This is particularly the case given the widespread availability of encryption solutions, and the ease with which you can deploy them in your organisation.


In more detail – ICO guidance

See our guidance on security in the Guide to the GDPR for more information about the security principle and the additional requirements about the security of your processing.

We have also published joint guidance with the National Cyber Security Centre (NCSC) on developing security outcomes under the GDPR, which include sections on system and data security, including encryption.

Our guidance on data protection by design and by default in the Guide will also assist you.