Encryption (2024)

At a glance

  • The UK GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.
  • Article 32 of the UK GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.
  • Encryption is a widely available measure with relatively low costs of implementation. There is a large variety of solutions available.
  • You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.
  • When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.
  • You should be aware of the residual risks of encryption, and have steps in place to address these.

Checklists

We understand that encryption can be an appropriate technical measure to ensure that we process personal data securely.

We have an appropriate policy in place governing our use of encryption.

We ensure that we educate our staff on the use and importance of encryption.

We have assessed the nature and scope of our processing activities and have implemented encryption solution(s) to protect the personal data we store and/or transmit.

We understand the residual risks that remain, even after we have implemented our encryption solution(s).

Our encryption solution(s) meet current standards such as FIPS 140-3 (which superseded FIPS 140-2; check which version a product's validation certificate cites) and FIPS 197 (the AES specification).

We ensure that we keep our encryption solution(s) under review in the light of technological developments.

We have considered the types of processing we undertake, and whether encryption can be used in this processing.

In brief

  • What does the UK GDPR say about encryption?
  • What is encryption?
  • Encryption and data storage
  • Encryption and data transfer
  • What types of encryption are there?
  • How should we implement encryption?
  • Encryption scenarios
  • In detail

What does the UK GDPR say about encryption?

  • The UK GDPR’s security principle requires you to put in place appropriate technical and organisational measures to ensure you process personal data securely.
  • Article 32 provides further considerations for the security of your processing. This includes specifying encryption as an example of an appropriate technical measure, depending on the risks involved and the specific circumstances of your processing.
  • The ICO has seen numerous incidents of personal data being subject to unauthorised or unlawful processing, loss, damage or destruction. In many cases, the damage and distress caused by these incidents could have been reduced or even avoided had the personal data been encrypted.
  • Encryption solutions are widely available and can be deployed at relatively low cost.
  • Where personal data is lost or destroyed and it was not encrypted, regulatory action may be pursued, depending on the context of each incident.

What is encryption?

  • Encryption is a mathematical function that encodes data in such a way that only authorised users can access it.
  • It is a way of safeguarding against unauthorised or unlawful processing of personal data, and is one way in which you can demonstrate compliance with the security principle.
  • Encryption protects information stored on mobile and static devices and in transmission, and there are a number of different encryption options available.
  • You should consider encryption alongside other technical and organisational measures, taking into account the benefits it can offer and the risks it can pose.
  • You should have a policy in place governing the use of encryption, including appropriate staff education.
  • You should also be aware of any sector-specific guidance that applies to you, as this may require you to use encryption.

Encryption and data storage

  • Encrypting data whilst it is being stored provides effective protection against unauthorised or unlawful processing.
  • Most modern operating systems have full-disk encryption built-in.
  • You can also encrypt individual files or create encrypted containers.
  • Some applications and databases can be configured to store data in encrypted form.
  • Storing encrypted data still poses residual risks. Full-disk encryption, for example, protects a device that is lost or stolen while switched off, but not data on a device that is powered on and unlocked, nor copies of the data that have been exported elsewhere in the clear. You will need to address these risks depending on the context of your processing, such as by means of an organisational policy and staff training.

Encryption and data transfer

  • Encrypting personal data whilst it is being transferred provides effective protection against interception by a third party.
  • You should use encrypted communications channels when transmitting any personal data over an untrusted network.
  • A secure channel (such as TLS) gives assurance that the content cannot be understood if it is intercepted, but it protects the data only whilst it is in transit: once the data arrives, it is in the clear at the endpoint. If the data must remain protected after transfer, or you do not fully trust the channel, encrypt the data itself before transmission. It can then travel over an insecure channel and remains encrypted when stored at the other end.
  • You should look to use HTTPS across your entire site. Some circumstances can make this difficult, but you still need to take appropriate steps, such as ensuring that every page that accepts user input is served over HTTPS.
  • Encrypted data transfer still poses residual risks. You will need to address these depending on the context, such as by means of an organisational policy and staff training.

What types of encryption are there?

  • The two types of encryption in widespread use today are symmetric and asymmetric encryption.
  • With symmetric encryption, the same key is used for encryption and decryption (AES is the common example). With asymmetric encryption, a pair of keys is used: data encrypted with the public key can only be decrypted with the corresponding private key, which never needs to be shared (RSA and elliptic-curve schemes are common examples).
  • When using symmetric encryption, it is critical to ensure that the key is transferred to the recipient securely. In practice the two types are combined: the bulk data is encrypted with a symmetric key, and that key is encrypted under the recipient's public key so it can be sent safely.
  • Cryptographic hashing is sometimes equated to encryption, but the two are different concepts used for different purposes. A hash function takes no key and is one-way: the original data cannot be recovered from the digest. Hashes are used for integrity checking and for storing passwords, not for keeping data confidential.
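The following Go program is an added example, not code from the ICO guidance, that ties together the points above on storage, transfer and types of encryption: AES-256-GCM (an authenticated symmetric mode) to encrypt a record, whether it is being stored or sent over an untrusted network; RSA-OAEP to wrap the symmetric key so it can be transferred securely; and SHA-256 to show that a hash is not encryption. It uses only the Go standard library; the function names and the sample record are this example's own choices, and the record is constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM (authenticated encryption) instance from a 16-, 24-
// or 32-byte key; 32 bytes gives AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt draws a fresh random 12-byte nonce per message and prepends
// it to the ciphertext. A nonce must never repeat under the same key.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. Because GCM authenticates the
// ciphertext, a modified message or a wrong key is rejected with an error
// rather than silently yielding garbage.
func SymmetricDecrypt(key, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ciphertext) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// NewRecipient generates the recipient's RSA key pair; only the public half is
// ever shared with the sender.
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapKey addresses the key-transfer problem of symmetric encryption: the data
// key is encrypted with the recipient's RSA public key (OAEP, SHA-256), so only
// the holder of the matching private key can recover it.
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
}

// UnwrapKey recovers the data key with the recipient's private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// HashRecord is here for contrast: SHA-256 takes no key and cannot be reversed,
// so a digest can only confirm that a candidate value matches, never recover it.
func HashRecord(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// check aborts the demo on the first error; real code would return it.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	record := []byte("name=A. Example;dob=1990-01-01") // constructed sample record
	recipient, err := NewRecipient()
	check(err)
	dek := make([]byte, 32) // per-record data key, AES-256
	_, err = io.ReadFull(rand.Reader, dek)
	check(err)
	ciphertext, err := SymmetricEncrypt(dek, record)
	check(err)
	wrapped, err := WrapKey(&recipient.PublicKey, dek)
	check(err)
	// ciphertext and wrapped are what travel over the untrusted channel (or sit on disk).
	dek2, err := UnwrapKey(recipient, wrapped)
	check(err)
	out, err := SymmetricDecrypt(dek2, ciphertext)
	check(err)
	fmt.Printf("decrypted=%q sha256=%s\n", out, HashRecord(record))
}
```

Two points the code makes that the bullets only state: the authenticated mode means a ciphertext that has been altered in storage or in transit, or decrypted with the wrong key, fails with an error rather than producing plausible-looking garbage; and the private key used for unwrapping never has to travel, which is exactly why the combination of the two types is the usual design. In a production system the wrapping key would live in a key management service or HSM rather than in process memory.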

How should we implement encryption?

  • When implementing encryption it is important to consider four things: choosing the right algorithm, choosing the right key size, choosing the right software, and keeping the key secure.
  • Over time, vulnerabilities may be discovered in encryption algorithms that can eventually make them insecure. You should regularly assess whether your encryption method remains appropriate.
  • It is important to ensure that the key size is sufficiently large to protect against an attack over the lifetime of the data. You should therefore assess whether your key sizes remain appropriate.
  • The encryption software you use is also crucial. You should ensure that any solution you implement meets current standards such as FIPS 140-3 (which superseded FIPS 140-2; check which version a product's validation certificate cites) and FIPS 197 (the AES specification). Use well-maintained, widely reviewed libraries rather than implementing algorithms yourself.
  • Advice on appropriate encryption solutions is available from a number of organisations, including the National Cyber Security Centre (NCSC).
  • You should also ensure that you keep your keys secure, and have processes in place to generate new keys when necessary to do so.

Encryption scenarios

There are a number of typical data processing activities where you should consider the use of encryption. These are outlined in our detailed guidance which includes a section on common scenarios.

In each case, it is important that you consider the residual risks that remain even after you put the encryption in place.

Further reading

We have published detailed guidance on encryption including a number of common scenarios and risks.
