When to Encrypt?
This is a difficult question that comes down to risk appraisal and, at times, plain common sense. The GDPR does not mandate encryption, but in many cases little else will provide a sufficient technical measure to protect the interests of the “data subject”.
Article 32 Security of Processing
1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.
4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
The ICO's guidance, drawing on feedback and inspection visits, says:
Encrypting data whilst it is being transferred from one device to another (eg across the internet or over a wireless connection) provides effective protection against interception of the communication by a third party whilst the data is in transfer.
It is also good practice to use encrypted communication when transmitting any data over a wireless communication network (eg Wi-Fi) or when the data will pass through an untrusted network.
Data can be transformed into an encrypted format (individual file encryption) and transferred over a non-secure communication channel yet still remain protected. An example would be sending an appropriately encrypted attachment via email.
When is encryption useful?
When processing data, there are a number of areas that can benefit from the use of encryption. The benefits and risks of using encryption at these different points in the lifecycle should be assessed separately. The two main purposes for which data controllers may wish to consider using encryption are data storage and data transfer. These two activities can also be referred to as data at rest and data in transit.
Data controllers should have a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it.
For example, there may be a guideline stating that any email containing sensitive personal data (either in the body or within an attachment) should be sent encrypted or that all mobile devices should be encrypted and secured with a password complying with a specific format.
Data controllers should also be aware of any industry or sector specific guidelines that may recommend a minimum standard for encrypting personal data.
Personal data should be stored in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals. Storage encryption protects against loss or theft of the device or media; it does not protect against misuse by an application or account that legitimately holds the decryption key, so key management and access control remain necessary alongside it.
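The individual file encryption described above (an encrypted attachment sent over an insecure channel, or a file kept encrypted at rest) is usually implemented with an authenticated cipher so that the recipient can detect tampering as well as keep the contents confidential. The following Go program is an added example written for this page; it is not code from the ICO or from the original article. The on-disk layout (random 12-byte nonce, then AES-256-GCM ciphertext and tag, with the file name bound in as additional authenticated data) and the function names `NewKey`, `EncryptFile` and `DecryptFile` are this example's own choices, not a standard format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Assumed container layout for this example (not a standard):
//   nonce (12 bytes, random) || AES-256-GCM ciphertext || tag (16 bytes)
// The file name is passed as additional authenticated data (AAD), so an
// encrypted attachment cannot be silently renamed or swapped for another one.

// NewKey returns a fresh 256-bit key. The key must reach the recipient out of
// band (or be wrapped for them); it never travels alongside the file.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext under key, binding name as AAD, and returns
// nonce || ciphertext || tag.
func EncryptFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice it is given.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFile reverses EncryptFile. Any change to the blob, or a name that
// does not match the one used at encryption time, fails the tag check and
// returns an error rather than corrupt plaintext.
func DecryptFile(key []byte, name string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; not real personal data.
	record := []byte("name=A. Person,dob=1970-01-01,nhs=0000000000")

	blob, err := EncryptFile(key, "customer-list.csv", record)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptFile(key, "customer-list.csv", blob)
	fmt.Printf("decrypted ok: %v (%d bytes)\n", err == nil, len(pt))

	// An attacker on the untrusted channel flips one byte of the attachment.
	bad := append([]byte(nil), blob...)
	bad[len(bad)-1] ^= 0x01
	_, err = DecryptFile(key, "customer-list.csv", bad)
	fmt.Println("tampered attachment rejected:", err != nil)

	// The same ciphertext presented under a different file name is rejected too.
	_, err = DecryptFile(key, "other.csv", blob)
	fmt.Println("renamed attachment rejected:", err != nil)
}
```

The point a policy like the one in the paragraph on email attachments has to make explicit is key handling: if the decryption key (or the passphrase it is derived from) is sent in the same email as the attachment, the encryption protects nothing on the channel. Send it by a separate route and never reuse a nonce with the same key.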