How To Use Encryption To Keep Data Secure

Last updated: 27 August 2020

Estimated reading time: 5 minutes

Member View

When you process personal data you must do so securely. Encryption is a widely used security tool that many companies employ for data protection purposes ensure GDPR compliance. While companies are not obliged to have encryption measures in place, the Information Commissioner has highlighted that encryption solutions are readily available and relatively straightforward and cost-effective to implement. Further, the Commissioner makes clear on the ICO website that where a data loss occurs and encryption has not been used, regulatory action may be pursued. Here we look at some of the main issues that arise when considering a data encryption solution and how to use it to keep sensitive data secure.

We’ll consider the following:

  1. How does encryption work?
  2. Different types of computer encryption you should be aware of
  3. Does the GDPR refer to encryption?
  4. Are you required to encrypt sensitive data by law?
  5. What are the benefits of encrypting data?
  6. What are the risks of encryption?
  7. Best practices for computer encryption
  8. Why is encryption important for your business?

How does encryption work?

Encryption turns sensitive, personal data into indecipherable text or computer code. Those authorised to access the data can do so using a specially designed encryption key that uses an algorithm to convert the unrecognisable code into its original, readable format.

Secure encryption methods turn data into text so random that it should be impossible to ‘de-crypt’ or unlock the data without the authorisation key. Data can be encrypted when it is being stored (at rest encryption) or when it is being sent to a third party (in transit encryption).

Different types of computer encryption you should be aware of

The two types of encryption our clients should be familiar with are asymmetric encryption and symmetric encryption. In symmetric encryption senders and recipients of data use the same key. In asymmetric encryption – sometimes known as public key encryption – a different key is used for encryption and decryption.

Does the GDPR refer to encryption?

Yes. GDPR mentions encryption in conjunction with the security principle. It describes encryption as one example of a technical measure that can effectively protect the data you process and control. It’s important to note however that GDPR doesn’t impose any kind of obligation on data processors to use encryption. Only when encryption is the right measure for you to take should you consider using it.

This will depend on:

  • The circumstances in which you process data
  • The risk to individuals presented by your data processing
  • The investment in technology you’ll need to make in order to encrypt data

Are you required to encrypt sensitive data by law?

No – encryption is not a legal requirement under data protection legislation like GDPR. However, GDPR makes specific reference to encryption as an example of the type of technical measure that can be used to enhance data security. Added to this, the ICO has published detailed guidance on the use of encryption for organisations subject to GDPR. This guidance indicates that where there is a loss of data and encryption is not in place, regulatory action may be taken. So it’s safe to say that encryption – in appropriate circumstances – is encouraged by regulators. It’s also worth mentioning that the draft ePrivacy Regulation talks about ‘promoting’ encryption as a security measure. There are even moves with this forthcoming ePrivacy law to make encryption mandatory in light of the principles of security and privacy by design.  

What are the benefits of encrypting data?

While encryption isn’t mandatory – for now – it has several important benefits:

  • It’s a highly effective way to enhance the security of the data you process and control.
  • When a company device is stolen or lost, if the hard drive is encrypted the data held on the device will remain secure.
  • It’s one way to demonstrate to regulators and to your clients and consumers that you take data privacy seriously.
  • When data is encrypted only the intended recipient can read it, so it protects the privacy of data subjects.
  • In certain circumstances following a data breach you may not have to notify the affected individual if the data was properly encrypted. While you will still have to notify the ICO, the reputational damage caused by a data breach may be significantly reduced if you don’t have to inform clients or customers that their data has been breached.

What are the risks of encryption?

Encryption isn’t fool proof. Data may still be read by an unauthorised individual in certain circumstances. For example when:

  • An authorised user of encrypted material leaves a device open and unattended while the material is unencrypted.
  • A virus or malware infects the device storing the encrypted data.
  • A vulnerable application on a device is compromised, exposing any data accessible by the application.

Many of the risks associated with encrypted data vulnerability can be addressed through effective data protection training.

Best practices for computer encryption

Introducing encryption techniques across your business is a big step. You should ensure that you:

  • Get the right encryption product. Choosing appropriate software is the first decision you’ll make, and you should ensure it meets current standards. A good starting point is the National Cyber Security Centre list of recommendations
  • Audit your data. What do you need to encrypt? Consider the implications if particular data were compromised. If the fallout is likely to be minimal, encryption may not be a proportionate or appropriate solution.
  • Keep keys secure. Ensure all keys are fully protected and backed up. Always keep the keys separate from the data.
  • Have a sound encryption strategy. Make sure that it’s clear and that it applies across the organisation.
  • Carry out random checks on your systems. This will help you identify weaknesses before a breach occurs.
  • Review your encryption policies regularly. Ensure your policies are helping to keep your data secure. Consider how the encryption strategy can be modified.

Why is encryption important for your business?

Encryption is an effective method of cybersecurity, securing your organisation’s entire network and minimising the opportunities available to hackers and cyber criminals to exploit any vulnerability in your systems. In the context of personal data, encryption is respected by regulators such as the ICO as a way to ensure compliance with GDPR requirements on securing data. This helps reduce the risk of regulatory scrutiny and may limit otherwise significant fines in the event of a breach. From a commercial perspective, using encryption can improve your reputation among clients and improve your competitiveness.

Back to table of contents

What next?

If you need advice on electronic communication regulation, and how encryption can enhance your data security we can help. Call our data protection team on 0800 689 1700, email us at enquiries@hjsolicitors.co.uk, or fill out the short form below with your enquiry.

  • Your data will only be used by Harper James Solicitors. We will never sell your data and promise to keep it secure. You can find further information in our privacy policy.

  • This field is for validation purposes and should be left unchanged.
  • This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

A national law firm

We mainly work remotely, so we can work with you wherever you are. But we can arrange face-to-face meeting at our offices or a location of your choosing.

Our commercial lawyers are based in or close to major cities across the UK, providing expert legal advice to clients both locally and nationally.

Floor 2, Cavendish House, 39-41 Waterloo Street, Birmingham, B2 5PP
Stirling House, Cambridge Innovation Park, Denny End Road, Waterbeach, Cambridge, CB25 9QE
10 Fitzroy Square, London, W1T 5HP
13th Floor, Piccadilly Plaza, Manchester, M1 4BT
Harwell Innovation Centre, 173 Curie Avenue, Harwell, Oxfordshire, OX11 0QG
2-5 Velocity Tower, 1 St Mary’s Square, Sheffield, S1 4LP
Like what you're reading?

Like what you're reading? Get new articles delivered to your inbox

Join 8,067 entrepreneurs reading our latest news, guides and insights.

Subscribe