What happened?
The UK Information Commissioner’s Office (ICO) has released updated guidance on encryption following a recent consultation.
The revised guidance provides a framework outlining when and how organisations should consider implementing encryption to protect personal data. The guidance does not cover end-to-end encryption, privacy-enhancing technologies or the potential implications of quantum computing.
Although the UK General Data Protection Regulation (GDPR) does not specifically require companies to use encryption or encrypt all personal data they hold, the ICO strongly recommends implementing encryption as a robust technical measure to support the secure processing of data.
The ICO’s updated encryption guidance adopts its “must, should, could” framework: “must” denotes legal obligations, “should” reflects strong expectations for compliance and “could” offers optional best practices. This article focuses on the non-negotiable musts, because understanding and implementing these legal requirements is essential for organisations aiming to avoid regulatory risk.
What must companies do?
Although encryption is not mandatory, the ICO advises that it should be widely used – even in lower-risk situations – alongside other appropriate measures. Encryption is now well established, widely available and low cost, making it an appropriate and practical measure to support organisations’ compliance with data protection legislation.
However, there are a number of non-negotiable requirements for using encryption tools under the new guidance. Organisations must:
- At a general level, put in place appropriate technical and organisational measures to uphold data protection principles and integrate necessary safeguards into organisations’ processing activities. This includes the use of any encryption tools, and measures must be considered both at the design phase and throughout the life cycle of the processing.
- Consider the state of the art of technology and the cost of implementing that measure. This is required whenever you assess whether a technical or organisational measure is appropriate, and the guidance implies that encryption falls within its scope. As technology evolves, so must organisations’ encryption standards.
- Consider the necessity of encryption at the design phase of any processing activity.
- Avoid the use of SSL. The guidance notes SSL’s known vulnerabilities and its potential to compromise the security of personal data. Using SSL may result in non-compliance with UK GDPR security obligations, and it must not be used under any circumstances, including public-facing HTTPS implementations.
- Ensure compliance with legal obligations when processing encrypted data. This includes setting an appropriate review period for encryption use and assessing whether a personal data breach involving encrypted data must be reported to the ICO.
- Use in-transit encryption for your online applications (e.g. TLS) to prevent unauthorised access to data if it is intercepted during transmission.
- Implement robust user authentication mechanisms for accessing encrypted personal data.
- Ensure technical measures are in place to restore availability and access to encrypted personal data promptly in the event of an incident.
- When determining encryption use and backup retention periods, consider the right to erasure under Article 17 of the UK GDPR and how it may apply.
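Two of the requirements above are concrete enough to check in code: SSL must not be used, and in-transit encryption such as TLS must be. The following is an added example, not code from the Cooley article or the ICO guidance, showing how an organisation using Python’s standard ssl module can build a context whose protocol floor is TLS 1.2, compare it with the weak configuration that delegates the floor to the linked OpenSSL build, and summarise either for a review record. The function names and the treatment of TLS 1.0/1.1 as “deprecated” rather than “prohibited” are this example’s own assumptions (the guidance names only SSL).

```python
import ssl

# Protocol names as returned by SSLSocket.version() after a handshake.
# SSL 2.0 and 3.0 are the versions the guidance says must not be used.
PROHIBITED_VERSIONS = frozenset({"SSLv2", "SSLv3"})
# TLS 1.0 and 1.1 are not named in the guidance; classing them as
# "deprecated" (per RFC 8996) is an assumption of this example.
DEPRECATED_VERSIONS = frozenset({"TLSv1", "TLSv1.1"})
ACCEPTABLE_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def classify_version(name):
    """Map a negotiated protocol name to a review outcome for a TLS inventory."""
    if name in PROHIBITED_VERSIONS:
        return "prohibited"
    if name in DEPRECATED_VERSIONS:
        return "deprecated"
    if name in ACCEPTABLE_VERSIONS:
        return "acceptable"
    return "unknown"


def hardened_client_context(cafile=None):
    """Client context: peer certificate and hostname verified, floor at TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED, check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context():
    """Server context with the same floor; the caller loads its certificate chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_context_for_comparison():
    """The weak configuration: floor left to the OpenSSL build, no peer verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Summarise a context against the in-transit requirements as plain values."""
    floor = ctx.minimum_version
    return {
        "minimum_version": floor.name,
        # An explicit floor below TLS 1.2 is a finding. MINIMUM_SUPPORTED means the
        # floor is whatever the linked OpenSSL allows, which is not an auditable policy.
        "floor_below_tls12": floor < ssl.TLSVersion.TLSv1_2,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_context_for_comparison())):
        print(label, audit_context(ctx))
```

Wrapping a socket with the hardened context and recording `classify_version(sock.version())` for each endpoint gives the evidence an encryption review period (see the review obligation above) can be built on; the legacy context is included only so the audit output shows what a non-compliant floor looks like.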
Next steps
In light of the guidance, companies should review their encryption practices and broader data security policies to ensure alignment with UK data protection law. For support with auditing your encryption measures, drafting a tailored encryption policy or any wider queries around compliance with UK data protection legislation, please contact the Cooley team below.
Authors
Guadalupe Sampedro, Partner, London
Dan Millard, Associate, London
