
Do I have to encrypt personal data to comply with DPA 2018 (GDPR)?

Find out whether you should consider encrypting your data, how encryption works in practice and which types of appropriate technical and organisational measures are common. We also explain how encryption relates to the GDPR's accountability principle.
This content is not intended to constitute legal advice. Specific legal advice should be sought before taking or refraining from taking any action in relation to the matters outlined.

Encryption protects information while it is being stored and while it is being transmitted. It can be an appropriate safeguard against unauthorised access and unlawful processing. The DPA 2018 and the GDPR do not impose an obligation on organisations to use encryption. However, you should consider encryption alongside the other technical and organisational security measures you use, since encryption lets you manage specific risks; you will still need to consider which other measures and procedures are appropriate.

There are many different types of encryption and many tools that implement it. Any organisation considering encryption will need to decide which tool and encryption method is the most suitable for the risks it is trying to manage.

Why should data be encrypted?

When considering whether to encrypt data a useful analogy is a postcard and a letter. When sending (“transmitting”) a postcard you are prepared to accept that the words on the back of the postcard could be read by anyone. However, if we wish to send a more personal message then we may choose to send a sealed letter marked “private and confidential”. Recorded delivery gives you some assurance that it has arrived at the destination address and someone there has signed for it. In this case, we have evaluated the risk (of having the message intercepted and read by someone other than the intended recipient) and have taken additional precautions.

What happens next, once the postcard and letter have arrived at their destination? The postcard could be pinned to a staff notice board, for example. Do we expect the private letter to be stored safely and only be shared with authorised individuals? What if it was taken out of the office and left on a train? When considering encryption, there has to be a separate assessment of the risks around storage as well. You will have noticed that even in this simple analogy, the protection applied during transmission and storage has to be removed for the recipient to read the letter. At some point you or the recipient will have to decrypt the encrypted data in order to use it.

How does encryption work in practice?

Put very simply, encryption works like a lock and a key. Individuals and organisations need good processes for managing encryption keys. Certain keys must be kept secret for encryption to be effective. Be aware that if you lose your "key", you will also lose access to the data.

You should start by defining a policy governing how and when you will use encryption. It needs to clearly set out when staff in your organisation should and should not use encryption.

So which types of appropriate technical and organisational measures to protect personal data during transmission and in storage are common? The examples below give some guidance.

| Example | Who manages encryption? | When is encryption effective? |
| --- | --- | --- |
| Local hard drives in PCs, laptops or servers | Organisation | When data is being stored (at rest) |
| Sharing and transporting files via USB portable storage | Organisation | When data is being stored (at rest) |
| Manually encrypting individual files and folders (eg, using software such as WinZip) before sending them via email. Ensure the password is shared with the recipient using a separate transmission. [Note: the other party will need compatible software.] | Individual | When data is being stored (at rest) and when it is being transmitted |
| Using a cloud-based sharing portal | Portal provider | When data is being stored (at rest) and when it is being transmitted |
| Cloud-based application (Software as a Service) | Service provider | When data is being stored (at rest) and when it is being transmitted * |

* Keep in mind that this form of data protection is only effective when data is stored on the cloud service provider’s IT systems.  If data from the service provider is transferred to IT systems under your organisation’s control then you will need to apply suitable controls.
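To make the lock-and-key description and the "manually encrypt a file and share the password separately" row concrete, here is an added example (not code from the ICAEW page or from any product it mentions) that encrypts a document under a password and shows the three outcomes that matter in practice: the right password recovers the data, a lost or wrong password does not, and an altered file is rejected before any plaintext is released. It uses only the Python standard library; the iteration count, blob layout and sample document are assumptions made for the example.

```python
"""Password-based encryption of a file's contents, with key loss and tampering shown.

Added illustration, not code from the ICAEW page. Built only from the Python
standard library so it runs anywhere: PBKDF2-HMAC-SHA256 turns the shared
password into two keys, an HMAC-SHA256 counter-mode keystream encrypts, and a
separate HMAC tag (encrypt-then-MAC) rejects a wrong password or altered data.
The iteration count and the blob layout are assumptions for this example.
"""
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 100_000   # assumed work factor; raise it on capable hardware
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(password, salt):
    """Derive independent encryption and authentication keys from the password."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Counter-mode keystream: HMAC-SHA256(key, nonce || counter) per 32-byte block."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(plaintext, password):
    """Return salt || nonce || ciphertext || tag, with a fresh salt and nonce every call."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt(blob, password):
    """Verify the tag first and only then decrypt; raises ValueError on any failure."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("encrypted blob is too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or data altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def demo():
    """Exercise the 'private letter' cases: right key, lost key, tampered contents."""
    document = b"Constructed sample: client list, not for onward disclosure."  # constructed data
    password = "correct horse battery staple"  # shared with the recipient out of band
    blob = encrypt(document, password)

    results = {"round_trip": decrypt(blob, password) == document}

    # Lost or mistyped key: the data is not recoverable, as the article warns.
    try:
        decrypt(blob, "wrong password")
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True

    # A single flipped ciphertext byte is detected before any plaintext is released.
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01
    try:
        decrypt(bytes(tampered), password)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True

    # The stored form contains nothing readable.
    results["plaintext_hidden"] = document not in blob
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the article's points. The tag is checked before anything is decrypted, so a wrong password or a modified file produces a clean error rather than silently returning garbage; and the salt and nonce are fresh on every call, so encrypting the same document twice yields different blobs. The hand-built keystream is there only to keep the example dependency-free; a deployed system would use a vetted authenticated cipher such as AES-GCM from a maintained library, and sharing the password over a second channel is the "separate transmission" the table above asks for.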

| Example | Method | Limitations if no encryption |
| --- | --- | --- |
| PCs, laptops | Secure onsite storage; data should not be taken offsite | Does not protect against access after a loss or theft. |
| PCs, laptops | Logon – username and password | Can be bypassed with common tools. Limited protection once logged in. |
| Individual files | Password | Password controls may not be as strong as encryption. |
| Client portals | Logon – username and password | Dependent on set-up, eg, protection may be limited to transmission of data using common internet protocols. Reliant on the portal vendor to protect data when at rest (stored) on their servers. |
| Replace personal data | Pseudonymisation | Need to ensure that additional information that could be used to identify a person is kept separate and subject to technical and organisational measures. In some cases there is no need to capture, retain or process personal information, for example website traffic analysis. |
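The pseudonymisation row is easy to get wrong in one specific way: the information that links a pseudonym back to a person ends up in the same place as the working data. The added example below (not code from the ICAEW page) shows the separation the table calls for. Direct identifiers are replaced by a keyed-hash pseudonym, the key and the reverse mapping live in a separate "vault" object that stands in for a separately stored and access-controlled system, and the working dataset keeps only what the analysis needs. The records, field names and vault design are constructed for this example.

```python
"""Pseudonymisation with the re-identification information kept separate.

Added illustration, not code from the ICAEW page. Direct identifiers are
replaced by an HMAC-SHA256 pseudonym. The HMAC key and the pseudonym-to-
identity mapping are held in a separate vault object (standing in for a
separately stored, access-controlled system), so the working dataset on its
own does not identify anyone and cannot be re-linked without the key.
Records and field names below are constructed sample data, not real people.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people and addresses).
CUSTOMER_RECORDS = [
    {"email": "alice@example.com", "postcode": "AB1 2CD", "spend_gbp": 120},
    {"email": "bob@example.com", "postcode": "EF3 4GH", "spend_gbp": 75},
    {"email": "Alice@Example.com", "postcode": "AB1 2CD", "spend_gbp": 40},
]


class PseudonymVault:
    """Holds the secret key and the reverse mapping; stored and guarded separately."""

    def __init__(self, key=None):
        # A keyed hash (not a plain hash) means nobody can recompute a pseudonym
        # from a guessed identifier without this key.
        self._key = key if key is not None else secrets.token_bytes(32)
        self._reverse = {}

    def pseudonymise(self, identifier):
        """Same person (case-insensitive email) always maps to the same pseudonym."""
        normalised = identifier.strip().lower().encode("utf-8")
        token = hmac.new(self._key, normalised, hashlib.sha256).hexdigest()[:16]
        self._reverse.setdefault(token, identifier.strip().lower())
        return token

    def reidentify(self, token):
        """Only the vault holder can go back from pseudonym to identifier."""
        return self._reverse[token]


def pseudonymise_records(records, vault):
    """Return the working dataset: pseudonym plus only the fields the analysis needs.

    The full postcode is an indirect identifier, so only the outward code
    (postcode area) is kept, applying the 'minimum necessary' principle.
    """
    working = []
    for record in records:
        working.append({
            "subject_id": vault.pseudonymise(record["email"]),
            "postcode_area": record["postcode"].split()[0],
            "spend_gbp": record["spend_gbp"],
        })
    return working


def total_spend_per_subject(working_dataset):
    """Analysis that works on pseudonyms alone, without any access to the vault."""
    totals = {}
    for row in working_dataset:
        totals[row["subject_id"]] = totals.get(row["subject_id"], 0) + row["spend_gbp"]
    return totals


def direct_identifiers_present(working_dataset):
    """Check used before the dataset leaves the controlled environment."""
    return any("email" in row or "postcode" in row for row in working_dataset)


if __name__ == "__main__":
    vault = PseudonymVault()
    dataset = pseudonymise_records(CUSTOMER_RECORDS, vault)
    print(dataset)
    print(total_spend_per_subject(dataset))
    print("direct identifiers present:", direct_identifiers_present(dataset))
```

The point to notice is that the analysis function never touches the vault: the working dataset is useful on its own (repeat customers still aggregate correctly), while re-identification requires both the key and the mapping, which is exactly the "additional information" the table says must be kept separate and protected. A plain unkeyed hash would not give this separation, because anyone holding a list of candidate email addresses could recompute the pseudonyms.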

The GDPR principle of being accountable

One of the principal aims of the GDPR is for organisations to be "accountable" for how data is collected, used and processed. The Information Commissioner's Office (ICO) recommends conducting a Data Protection Impact Assessment to document the decisions about data collection, use and processing and the reasons for them. This process can also help ensure that the organisation uses only the minimum personal data necessary for the purpose. By taking a risk-based approach and documenting how personal data is used and processed, an organisation will be able to demonstrate its approach to data protection if the need arises. This includes explaining when and how you use encryption. If encryption is not being used, you will be expected to demonstrate what alternative technical and organisational measures you use to protect personal data.

Reference information 

Article 32 of the GDPR, one of the few places where the GDPR mentions encryption, is reproduced below in its entirety.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.

Last updated June 2018