Encryption

At a glance

  • The UK GDPR says you must implement appropriate technical and organisational measures to process personal information securely.
  • Encryption is an example of an appropriate measure, depending on the nature and risks of your processing activities.
  • Encryption is widely available, with a range of solutions and relatively low costs of implementation. You should take this into account as part of your overall approach to information security.
  • When you store or transmit personal information, you should use encryption and make sure your chosen solution meets current standards.
  • You should have an encryption policy in place that says how and why you use encryption.
  • You should also train your staff in both the use and importance of encryption.
  • You should be aware of the residual risks of encryption and have steps in place to address them. 

Checklists

☐ We understand that encryption can be an appropriate technical measure to ensure we process personal information securely.

☐ We have an appropriate policy in place that governs how we use encryption.

☐ We educate our staff on the use and importance of encryption.

☐ We assess the nature, scope, context and purpose of our processing activities and implement encryption as part of our overall approach to protecting the personal information we hold or disclose.

☐ We understand the residual risks that remain after implementing encryption and take steps to mitigate them.

☐ We ensure our encryption solutions meet appropriate industry standards such as FIPS 197 and FIPS 140-3.

☐ When we decide to implement encryption, we choose the right algorithm, key size and software.

☐ We manage our encryption keys appropriately.

☐ We keep our encryption solutions under review over time to take account of new technological developments.

☐ We have the capacity and capability to update our encryption solutions in future, if we need to.

What is encryption?

Encryption is a process that uses a secret key to encode data, ensuring only those with access to the key can read it. It provides a suitable safeguard against any unauthorised or unlawful processing of personal information.

Remember, you must put in place appropriate technological and organisational measures to protect the personal information you hold. Encryption is an effective technical measure that helps you achieve this.

We’ve seen numerous incidents where personal information has been lost, stolen, or subject to unauthorised access. Many of these cases involved the information being inadequately protected, or the devices it was stored on being left in inappropriate places, or both.

If you don’t implement appropriate technical and organisational measures, such as encryption, you may face regulatory action in line with our regulatory action policy.

What does the law say about encryption?

The UK GDPR’s security principle says that you must process personal information securely, protecting it against unauthorised or unlawful processing and accidental loss, destruction or damage.

To do this, you must implement appropriate technological and organisational measures, taking into account:

  • the state of the art;
  • the costs of implementation of the measures; and
  • the risks your processing poses to people’s rights and freedoms. 

The law doesn’t require you to use encryption. But it does include it as an example of the sort of appropriate measures to manage the risk. 

Encryption is widely available and relatively easy to implement, with many low-cost and easily-deployable solutions. We’ve seen many instances where personal information has been lost, and this can cause real harm to people.

So, you should use encryption to protect personal information that you store or transmit. 

At the same time, encryption isn’t a single solution to all your information security risks. You should consider what other security measures may be appropriate to use alongside it, as part of a defence-in-depth approach.  

Remember that encrypting personal information counts as a processing activity. This is because you ‘adapt or alter’ personal information when you encrypt it. The results of this process – an encrypted dataset and a key to decrypt it – are still personal information from your perspective.

Encryption and data storage

Encrypting personal information that you store provides effective protection, particularly if any storage device is lost or stolen. 

You should enable storage encryption on devices like PCs, laptops, smartphones, tablets and removable media like USB sticks. There are different ways to go about this, including full disk encryption or individual file encryption. Which of these is appropriate depends on your circumstances and business needs. It may be that a mixture of both is appropriate.

There may still be residual risks, even if you do implement storage encryption. You should take these into account in your overall approach to data security. For example, if an encrypted device is left unattended and unlocked, then an attacker can still gain access to the information it holds.

Encryption and data transfer

Encrypting personal information while it moves across devices or networks also provides effective protection (eg against interception by an attacker). This is also known as encryption in transit.

When you transmit personal information, you should use encrypted communications protocols like HTTPS. Many online services offer this level of protection by default. Make sure that you don’t use any outdated protocol versions. For example, you must not use any version of SSL anymore, because all of them suffer from well-known vulnerabilities. Instead, look for TLS, ideally version 1.3.
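
To make the protocol-version point concrete, here is an added Go example (it is not from this guidance or from any product it mentions). It pins a client to TLS 1.2 or later and then performs real handshakes, over an in-memory pipe, against servers configured for TLS 1.0 only, TLS 1.1 only, TLS 1.2 only and TLS 1.2 and up. The self-signed certificate, the host name example.test and the function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// hardenedClientConfig is the client-side policy the guidance asks for: nothing
// below TLS 1.2 is ever negotiated, and TLS 1.3 is used when the server offers it.
// Go's crypto/tls has no SSL 2.0/3.0 support at all, so those cannot appear either.
func hardenedClientConfig(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    roots,
		ServerName: host,
	}
}

// versionNames maps the protocol number from ConnectionState to a label.
var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
	tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3",
}

// testCertificate issues a short-lived self-signed ECDSA certificate for the
// in-memory test server. This is scaffolding for the demonstration only; a real
// service uses a certificate issued by a CA.
func testCertificate(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this one test certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// negotiatedWith performs a real handshake over an in-memory pipe between a
// server restricted to [serverMin, serverMax] (serverMax 0 = no upper bound) and
// the hardened client, and reports the agreed version or the refusal.
func negotiatedWith(serverMin, serverMax uint16) (string, error) {
	const host = "example.test" // constructed name for the test certificate
	cert, roots, err := testCertificate(host)
	if err != nil {
		return "", err
	}
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             serverMin,
		MaxVersion:             serverMax,
		SessionTicketsDisabled: true, // no post-handshake writes, so the pipe never blocks
	}
	clientEnd, serverEnd := net.Pipe()
	defer clientEnd.Close()
	defer serverEnd.Close()
	go func() { _ = tls.Server(serverEnd, serverCfg).Handshake() }() // a refusal surfaces client-side

	client := tls.Client(clientEnd, hardenedClientConfig(roots, host))
	if err := client.Handshake(); err != nil {
		return "", err
	}
	return versionNames[client.ConnectionState().Version], nil
}

func main() {
	scenarios := []struct {
		label    string
		min, max uint16
	}{
		{"legacy server (TLS 1.0 only)", tls.VersionTLS10, tls.VersionTLS10},
		{"TLS 1.2 only", tls.VersionTLS12, tls.VersionTLS12},
		{"current server (TLS 1.2+)", tls.VersionTLS12, 0},
	}
	for _, s := range scenarios {
		if v, err := negotiatedWith(s.min, s.max); err != nil {
			fmt.Printf("%-30s refused: %v\n", s.label, err)
		} else {
			fmt.Printf("%-30s negotiated %s\n", s.label, v)
		}
	}
}
```

The legacy server is refused at the version-negotiation step, before any certificate or cipher suite is looked at, while the current server ends up on TLS 1.3 without either side naming it. That is why a floor (MinVersion) rather than a fixed version is the maintainable policy; the same field belongs in the TLSConfig of any Go server you operate.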

If you’re operating your own online service (eg a website or an app) and this involves processing personal information, then you should use HTTPS across all its pages. This safeguards personal information, such as login credentials and payment information. 

There is no compelling reason for you not to use HTTPS across your entire online service. Additionally, if a site doesn’t use HTTPS, most browsers now inform their users that the site is insecure. 

There may still be residual risks, even if you do implement encryption in transit. You should take these into account in your overall approach to data security. For example, certain data relating to the communication may still be exposed, like metadata or DNS queries. 

How do we implement encryption?

There are several things you should think about in order to implement encryption appropriately.

First, you should choose the right algorithm and key size. Your choice of algorithm is important: vulnerabilities may be discovered over time, or computing power may advance, so an outdated algorithm may not provide any real protection. You should also choose a key size that’s large enough to make any attack unlikely to succeed.

Unless you have the technical capability, you should use a trusted and verified algorithm instead of developing your own. Accredited products can provide a level of assurance.

Second, you should choose the right software. This is about whether your encryption software was developed following good software development practices and has been independently tested. You could choose only software that has been reviewed in this way.

Third, you should manage the encryption key appropriately. For example, storing it alongside the encrypted data is as good as not encrypting the data in the first place. At the same time, if you lose it then it’s likely that you won’t be able to access the data anymore.

Finally, you must consider a review period for your use of encryption. The law’s security requirements require you, where appropriate, to test and evaluate the effectiveness of the security measures you implement.
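
The following Go example is added here to tie the implementation points together; it is not taken from this guidance or from any named product. It covers the individual-file style of storage encryption described earlier as well as the four steps above: AES-256-GCM (the AES of FIPS 197 with a 256-bit key), a key store kept separate from the data store so the key is never written alongside the ciphertext, a fresh nonce for every message, and a Forget operation that shows what key loss means in practice. Record, KeyStore, the key id and the sample personal data are all constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the data store holds. It deliberately carries no key material:
// only the id of the key that protected it, a per-message nonce and the GCM
// ciphertext (which ends with the 16-byte authentication tag).
type Record struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for a separate, access-controlled key-management system
// (an HSM, a cloud KMS or at least a secrets store the data store cannot read).
// Records refer to keys by id, so the key never sits alongside the ciphertext.
type KeyStore struct {
	keys map[string][]byte
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

// Generate creates a fresh random 256-bit key under id. AES (FIPS 197) accepts
// 16-, 24- or 32-byte keys; 32 bytes is the conservative choice for long-lived data.
func (ks *KeyStore) Generate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks.keys[id] = key
	return nil
}

// Forget discards a key. Every record sealed under it is now unrecoverable,
// which is exactly the key-loss risk the guidance warns about.
func (ks *KeyStore) Forget(id string) { delete(ks.keys, id) }

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	key, ok := ks.keys[id]
	if !ok {
		return nil, errors.New("key unavailable: " + id)
	}
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key id with AES-256-GCM. The key id is bound in as
// associated data, so a record cannot be quietly re-pointed at a different key.
func (ks *KeyStore) Seal(id string, plaintext []byte) (Record, error) {
	gcm, err := ks.aead(id)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh for every message
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{KeyID: id, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(id))}, nil
}

// Open authenticates and decrypts a record. A modified nonce, ciphertext or key id,
// or a missing key, yields an error rather than silently corrupted plaintext.
func (ks *KeyStore) Open(rec Record) ([]byte, error) {
	gcm, err := ks.aead(rec.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.KeyID))
}

func main() {
	ks := NewKeyStore()
	const keyID = "customer-db-2024-01" // constructed key id
	_ = ks.Generate(keyID)
	rec, _ := ks.Seal(keyID, []byte("name=Jane Doe; postcode=AB1 2CD")) // constructed sample data
	fmt.Printf("stored record: key=%s nonce=%x ct=%x\n", rec.KeyID, rec.Nonce, rec.Ciphertext)
	pt, err := ks.Open(rec)
	fmt.Printf("open with key present: %q %v\n", pt, err)
	rec.Ciphertext[0] ^= 0x01 // simulate a corrupted or tampered record
	_, err = ks.Open(rec)
	fmt.Println("open tampered record:", err)
	rec.Ciphertext[0] ^= 0x01
	ks.Forget(keyID) // simulate losing the key
	_, err = ks.Open(rec)
	fmt.Println("open after key loss:", err)
}
```

Two design choices carry the guidance's points: the Record type has no field in which a key could be stored, so "key alongside the data" cannot happen by accident, and the key id is part of the authenticated data, so the review process can rotate keys by id without old records being silently decrypted under the wrong one.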

What should we look out for?

When you assess whether a particular solution is appropriate, you must consider both the state of the art and cost of implementation. 

For encryption, you could think about whether a particular solution is:

  • widely available or widely used;
  • aligned with recognised industry standards like FIPS 140-3 or FIPS 197 (the Advanced Encryption Standard or AES); or
  • certified or accredited (eg by the NCSC’s Certified Assisted Products Scheme (CAPS)).

Many types of encryption are well-established and widely deployed, and you can often implement them relatively easily at little or no cost.