The ICO has recently published official guidance on the use of encryption as an appropriate technical measure to protect personal data.
Article 5(1)(f) of the GDPR (known as the ‘security principle’) states that personal data shall be:
“Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”
The security principle is supplemented by the obligation in Article 32(1) of the GDPR that:
“[…] the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”
As the new guidance states, encryption is one of several main technical measures which organisations can implement in order to satisfy the security principle.
The guidance advises that encryption is an “established, well-understood and widely-deployed technology” and recommends that organisations should be using encryption due to its “widespread availability and relatively low cost of deployment”. Whether or not you need to use encryption will depend on the nature of your processing activities. Nevertheless, the ICO’s recommendation suggests that it will be expecting your organisation to be using some form of encryption to protect personal data unless you can demonstrate good reason to the contrary.
In deciding whether or not to deploy encryption (or any other technical or organisational security measure, for that matter) you are required by Article 32(1) of the GDPR to consider:
“the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”
If you do opt to implement encryption, the guidance includes a helpful section on choosing the most appropriate type of encryption and supporting software for your processing activities. If you are already using some form of encryption to protect the personal data you hold, now would be a good opportunity to review those arrangements, and the ICO guidance makes a good starting point for doing so.
I am a solicitor in Paris Smith’s Data Protection Team. If you have any questions about your organisation’s data processing, including what technical and organisational measures you may need to put in place to protect personal data that you hold, please email me or call me on 02380 482316.