Encryption - is it always the best policy?

Under Article 32 of the GDPR, data processors and controllers are required to implement appropriate technical and organisational measures to safeguard against the unauthorised or unlawful processing of personal data. One example given of an appropriate technical measure is, of course, encryption. The UK Information Commissioner's Office (UK ICO) has recently updated its GDPR Guidance to give advice on compliance and on the use of encryption to protect personal data from unauthorised or unlawful processing.

In considering the use of encryption, the UK ICO highlights some important considerations. Whilst the UK ICO believes that encryption is a beneficial safeguard in the majority of cases, it is keen to emphasise that it is not the only technical and organisational security measure that companies should consider in seeking to comply with Article 32. More thought is required!

The ICO recommends that a first step in determining whether the use of encryption is “an appropriate and effective response” to the risk posed to the particular organisation is to carry out a Data Protection Impact Assessment (DPIA).

The DPIA process is designed to help organisations identify and minimise the data protection risks of a project. Depending on the type of processing activities they carry out, organisations may already be required, under the GDPR, to carry out a DPIA. However, the UK ICO also wants to encourage those who are not required to carry out a DPIA to still take the time to do so. This is because, by carrying out a DPIA, organisations are able to assess their processing activities and to consider what information they are processing and whether it is necessary to do so for the purpose of the project. So, in its simplest terms, if you don’t need to collect the data or hold it, would this dispense with the need to apply appropriate technical and organisational security measures?

The UK ICO encourages organisations to go back to the first principles of privacy law and data minimisation. By carrying out a DPIA, organisations can better identify what data they do and do not need to process for each particular project and its purpose. The UK ICO believes that this will provide a trail which documents the organisation's decisions and the reasoning behind “processing certain data, the reasons for processing and can ensure that you are only using the minimum personal data necessary for the purpose.”

This becomes important when we consider that most encryption only covers the transmission of data. For example, when files are sent via email, the content will be protected during transmission, but what control do you have over that data once it has been received and is being processed by the recipient? For this reason, the UK ICO emphasises the need to consider whether you can reduce the amount of data you are processing. Do you need to send the full complement of documents, or would one or two be sufficient? This helps to reduce the residual risks associated with data when it leaves your control.

Companies should regularly review their encryption solution to ensure that it meets current standards, is kept up to date, and remains the most appropriate encryption method and that they are aware of any residual risks. In addition to this, the UK ICO advises that every organisation adopts an encryption policy and emphasises the importance of staff being made aware and receiving training on the use of encryption.

The ICO’s updated guidance in relation to encryption provides useful advice for UK organisations; however, the general security tips provided in this guidance could also help organisations across the world to develop better security methods when processing data and making use of encryption software.
