Under Article 32 of the GDPR, data processors and controllers are required to implement appropriate technical and organisational measures to safeguard against the unauthorised or unlawful processing of personal data. One example of an appropriate technical measure given in the Article is, of course, encryption. The UK Information Commissioner's Office (UK ICO) has recently updated its GDPR guidance to give advice on compliance and on the use of encryption to protect personal data from unauthorised or unlawful processing.
In considering the use of encryption, the UK ICO highlights some important considerations. Whilst the UK ICO believes that encryption is a beneficial safeguard in the majority of cases, it is keen to emphasise that it is not the only technical and organisational security measure that companies should consider in seeking to comply with Article 32. More thought is required!
The ICO recommends that, in seeking to answer the question as to whether the use of encryption is “an appropriate and effective response” to the risk posed to the particular organisation, a first step in determining this is the carrying out of a Data Protection Impact Assessment (DPIA).
The DPIA process is designed to help organisations identify and minimise the data protection risks of a project. Depending on the type of processing activities carried out, an organisation may already be required under the GDPR to carry out a DPIA; however, the UK ICO also wants to encourage those who are not required to carry out a DPIA to take the time to do so. This is because, by carrying out a DPIA, organisations are able to assess their processing activities, consider what information they are processing, and decide whether it is necessary to do so for the purpose of the project. In its simplest terms: if you do not need to collect the data, and do not need to hold it, then there is nothing left that requires appropriate technical and organisational security measures in the first place.
The UK ICO encourages organisations to go back to first principles of privacy law and data minimisation. By carrying out a DPIA, organisations can better identify what data they do and do not need to process for each particular project and its purpose. The UK ICO believes that this will provide a trail which documents its decisions and reasoning behind, “processing certain data, the reasons for processing and can ensure that you are only using the minimum personal data necessary for the purpose.”
This becomes important when we consider that most encryption in everyday use only covers the transmission of data. For example, when files are sent via email the content will be protected during transmission, but what control do you have over that data once it has been received and is being processed by the recipient? For this reason, the UK ICO emphasises the need to consider whether you can reduce the amount of data you are processing. Do you need to send the full complement of documents, or would one or two be sufficient? This helps to reduce the residual risks associated with data once it leaves your control.
Companies should regularly review their encryption solution to ensure that it meets current standards, is kept up to date, and remains the most appropriate encryption method, and that they are aware of any residual risks. In addition to this, the UK ICO advises that every organisation adopts an encryption policy, and emphasises the importance of staff being made aware of it and receiving training on the use of encryption.
The ICO’s updated guidance on encryption provides useful advice for UK organisations; however, the general security tips it contains could also help organisations across the world to develop better security practices when processing data and making use of encryption software.