About this guidance
The previous version of this guidance is available as a PDF here. We will withdraw this when the updated guidance is finalised after the consultation.
Latest updates - 13 May 2025
13 May 2025
We’ve updated this guidance to follow our ‘must, should, could’ framework to give greater clarity on which encryption measures we expect organisations to implement. This change improves consistency across our range of guidance products.
We’ve also updated the ‘encryption in practice’ section of this guidance to reflect the current state of technology, especially Hypertext Transfer Protocol Secure (HTTPS) which we expect all organisations to use.
Why have you produced this guidance?
Processing personal information securely is essential to maintaining trust and confidence in digital services. Encryption is an effective technical measure that helps you achieve this. For example, it supports online payments and e-commerce, and allows people to send information while being better protected from eavesdropping.
We’ve seen numerous incidents where personal information has been lost, stolen, or subject to unauthorised access. Many of these cases involved data being inadequately protected, the devices the data was stored on being left in inappropriate places, or both. If you don’t implement appropriate technical and organisational measures, such as encryption, you may face regulatory action in line with our regulatory action policy.
However, it may be unclear when encryption can support compliance with UK data protection law.
This guidance explains how UK data protection law applies when you use encryption. It provides practical advice to help you comply with the UK General Data Protection Regulation (UK GDPR).
This guidance highlights key compliance considerations. Read it to understand the law and our recommendations for good practice.
Who is this guidance for?
This guidance discusses encryption in more detail. Read it if you need a deeper understanding about how to apply encryption in practice. It is aimed at data protection officers (DPOs) and those with specific data protection responsibilities in any size of organisation who are implementing encryption.
If you have not read the ‘in brief’ page on encryption, read that first. It introduces this topic and sets out the key points you need to know, along with practical checklists to help you comply.
This guidance will help you to understand:
- the importance of encryption as an appropriate technical measure to protect the personal information you hold; and
- how to implement it.
Whether you are a controller or a processor, encryption is a technique that you can use to help protect personal information.
What does this guidance cover?
This guidance covers encryption in the context of the UK GDPR and how you can use it in different contexts. It includes several scenarios where you can use encryption to protect personal information, as well as the residual risks of doing so.
What doesn’t it cover?
This guidance doesn’t cover things like end-to-end encryption (E2EE), privacy-enhancing technologies (PETs), encryption and ransomware, or the potential impact of quantum computing.
Further reading
For more information on things this guidance doesn’t cover, read:
How do we use this guidance?
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.
Legal requirements
- Must refers to legislative requirements.
- Must also refers to binding case law.
Good practice
- Should does not refer to a legal requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.