When you process personal data you must do so securely. Encryption is a widely used security tool that many companies employ for data protection purposes and to help ensure GDPR compliance. While companies are not obliged to have encryption measures in place, the Information Commissioner has highlighted that encryption solutions are readily available and relatively straightforward and cost-effective to implement. Further, the Commissioner makes clear on the ICO website that where a data loss occurs and encryption has not been used, regulatory action may be pursued. Here we look at some of the main issues that arise when considering a data encryption solution and how to use it to keep sensitive data secure.
We’ll consider the following:
- How does encryption work?
- Different types of computer encryption you should be aware of
- Does the GDPR refer to encryption?
- Are you required to encrypt sensitive data by law?
- What are the benefits of encrypting data?
- What are the risks of encryption?
- Best practices for computer encryption
- Why is encryption important for your business?
How does encryption work?
Encryption uses an algorithm together with a secret key to turn readable personal data (the plaintext) into ciphertext that looks like random bytes. Those authorised to access the data hold the corresponding key, and the same algorithm run with that key converts the ciphertext back into its original, readable format.
With a secure, modern algorithm the ciphertext reveals nothing about the data, and it should be infeasible to decrypt it without the key, so the protection is only as strong as the secrecy of that key. Data can be encrypted when it is being stored (encryption at rest, for example full-disk or database encryption) or when it is being sent to a third party (encryption in transit, for example TLS). Note that data has to be decrypted in order to be used, so neither form protects it on a device or system that is unlocked or compromised while the data is in use.
Different types of computer encryption you should be aware of
The two types of encryption our clients should be familiar with are symmetric encryption and asymmetric encryption. In symmetric encryption the sender and the recipient use the same secret key, so that key has to be shared securely in advance and protected by everyone who holds it. In asymmetric encryption (sometimes known as public key encryption) a different key is used for encryption and decryption: anyone can encrypt with the recipient's public key, but only the recipient's private key can decrypt. Asymmetric encryption is slow and can only protect short messages, so in practice it is used to protect a symmetric key, and that symmetric key encrypts the data itself.
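As an added illustration (this is not code from the original article), the following Go program shows the two types side by side using only the Go standard library. Symmetric encryption uses AES-256-GCM with one shared key; asymmetric encryption uses an RSA public key to encrypt a freshly generated symmetric data key, which in turn encrypts the data, the usual hybrid arrangement. It also shows that decrypting with the wrong key fails outright rather than producing garbage, and that the stored record (ciphertext plus wrapped data key) is useless without the separately held private key, which is what the later advice to keep the keys separate from the data amounts to. The function and type names are this example's own, and the personal data record is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// sealSymmetric encrypts plaintext with AES-256-GCM under a 32-byte key and returns
// nonce||ciphertext||tag. The authentication tag means a wrong key or any tampering is detected.
func sealSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // random, never reused with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openSymmetric reverses sealSymmetric; it only succeeds with the same key and an intact blob.
func openSymmetric(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// EncryptedRecord is what is stored or transmitted: the data under a fresh symmetric data key,
// plus that data key encrypted to the recipient's public key. The private key lives elsewhere.
type EncryptedRecord struct {
	WrappedDataKey []byte // RSA-OAEP(recipient public key, dataKey)
	Ciphertext     []byte // AES-256-GCM(dataKey, plaintext)
}
func newRecipientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptHybrid uses symmetric encryption for the data (fast, any size) and asymmetric
// encryption only for the 32-byte data key: RSA-OAEP can encrypt just a short message.
func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*EncryptedRecord, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := sealSymmetric(dataKey, plaintext)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	return &EncryptedRecord{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// decryptHybrid: only the private key unwraps the data key, and only the data key opens the data.
func decryptHybrid(priv *rsa.PrivateKey, rec *EncryptedRecord) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, rec.WrappedDataKey, []byte("data-key"))
	if err != nil {
		return nil, err
	}
	return openSymmetric(dataKey, rec.Ciphertext)
}

func main() {
	record := []byte("Jane Doe, NI QQ123456C, salary 41200") // constructed sample personal data
	// Symmetric: sender and recipient share one secret key; any other key fails.
	sharedKey := make([]byte, 32)
	io.ReadFull(rand.Reader, sharedKey)
	wrongKey := make([]byte, 32) // any other key, here all zeros
	blob, _ := sealSymmetric(sharedKey, record)
	pt, _ := openSymmetric(sharedKey, blob)
	_, err := openSymmetric(wrongKey, blob)
	fmt.Printf("ciphertext: %x...\nshared key: %s\nother key: %v\n", blob[:16], pt, err)
	// Asymmetric (hybrid): anyone with the public key can encrypt, only the private key decrypts.
	priv, _ := newRecipientKey()
	thief, _ := newRecipientKey() // holds a copy of the record but a different private key
	rec, _ := encryptHybrid(&priv.PublicKey, record)
	pt, _ = decryptHybrid(priv, rec)
	_, err = decryptHybrid(thief, rec)
	fmt.Printf("recipient's private key: %s\nother private key: %v\n", pt, err)
}
```

Run it with `go run`: the two "other key" lines print an authentication or decryption error rather than plausible-looking output, which is the property the article relies on when it says encrypted data on a lost device stays secure.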
Does the GDPR refer to encryption?
Yes. GDPR mentions encryption in conjunction with the security principle. It describes encryption as one example of a technical measure that can effectively protect the data you process and control. It’s important to note however that GDPR doesn’t impose an obligation on controllers or processors to use encryption; you are expected to use it where it is an appropriate measure in your circumstances.
Whether it is will depend on:
- The circumstances in which you process data
- The risk to individuals presented by your data processing
- The investment in technology you’ll need to make in order to encrypt data
Are you required to encrypt sensitive data by law?
No – encryption is not a legal requirement under data protection legislation like GDPR. However, GDPR makes specific reference to encryption as an example of the type of technical measure that can be used to enhance data security. Added to this, the ICO has published detailed guidance on the use of encryption for organisations subject to GDPR. This guidance indicates that where there is a loss of data and encryption is not in place, regulatory action may be taken. So it’s safe to say that encryption – in appropriate circumstances – is encouraged by regulators. It’s also worth mentioning that the draft ePrivacy Regulation talks about ‘promoting’ encryption as a security measure. There are even moves with this forthcoming ePrivacy law to make encryption mandatory in light of the principles of security and privacy by design.
What are the benefits of encrypting data?
While encryption isn’t mandatory – for now – it has several important benefits:
- It’s a highly effective way to enhance the security of the data you process and control.
- When a company device is stolen or lost, if the hard drive is encrypted the data held on the device will remain secure, provided the device was switched off or locked and the key cannot be recovered from the device itself.
- It’s one way to demonstrate to regulators and to your clients and consumers that you take data privacy seriously.
- When data is encrypted only those holding the key can read it, so it protects the privacy of data subjects even if the encrypted copy is intercepted or exposed.
- In certain circumstances following a data breach you may not have to notify the affected individuals if the data was properly encrypted and the key was not also compromised. You will generally still have to notify the ICO (notification is required unless the breach is unlikely to result in a risk to individuals), but the reputational damage caused by a data breach may be significantly reduced if you don’t have to inform clients or customers that their data has been breached.
What are the risks of encryption?
Encryption isn’t foolproof. It protects data only while the data is encrypted and the key is out of reach, so data may still be read by an unauthorised individual in certain circumstances. For example when:
- An authorised user leaves a device unlocked and unattended while the material is decrypted and open for use.
- A virus or malware infects the device storing the encrypted data and runs with the user’s own access, reading the data whenever the user unlocks it.
- A vulnerable application on a device is compromised, exposing any data accessible by the application, including data it has decrypted.
Some of these risks, chiefly unattended or carelessly handled devices, can be addressed through effective data protection training. The others cannot: malware and exploited applications call for patching, endpoint protection and least-privilege access, because encryption at rest offers no protection against software running on the same system as the unlocked data.
Best practices for computer encryption
Introducing encryption techniques across your business is a big step. You should ensure that you:
- Get the right encryption product. Choosing appropriate software is the first decision you’ll make, and you should ensure it meets current standards: a well-reviewed, standardised algorithm in a vetted implementation, not a bespoke scheme. A good starting point is the National Cyber Security Centre list of recommendations.
- Audit your data. What do you need to encrypt? Consider the implications if particular data were compromised. If the fallout is likely to be minimal, encryption may not be a proportionate or appropriate solution.
- Keep keys secure. Ensure all keys are fully protected and backed up; an encrypted copy whose key has been lost is as good as deleted. Always keep the keys separate from the data, for example in a hardware-backed key store or key management service, and never on the same disk or in the same backup as the ciphertext they protect.
- Have a sound encryption strategy. Make sure that it’s clear and that it applies across the organisation.
- Carry out random checks on your systems. Verify, for example, that devices actually have disk encryption enabled and that keys are stored where your policy says they are. This will help you identify weaknesses before a breach occurs.
- Review your encryption policies regularly. Ensure your policies are helping to keep your data secure, check that the algorithms and key lengths in use are still recommended, and consider whether new systems or data have come into scope so the encryption strategy can be modified accordingly.
Why is encryption important for your business?
Encryption is an effective cybersecurity control: it protects the confidentiality of data stored on your systems and sent across your networks, so that a stolen device, an intercepted connection or a copied database yields nothing usable to hackers and cyber criminals. It does not secure your systems on its own and belongs alongside patching, access control and staff training. In the context of personal data, encryption is respected by regulators such as the ICO as a way to help meet GDPR requirements on securing data. This helps reduce the risk of regulatory scrutiny and may limit otherwise significant fines in the event of a breach. From a commercial perspective, using encryption can improve your reputation among clients and improve your competitiveness.