Encryption is the process whereby personal data is protected using a “secret code” (a key) to scramble it so that it cannot be accessed or read by anyone who doesn’t hold the key. Personal and special category data should always be encrypted at rest (in storage), in use, and in transit.
The new data protection law states that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’ (Article 5(1)(f) of the GDPR).
This is the GDPR’s ‘integrity and confidentiality’ principle, or, more simply, the ‘security’ principle. The security principle requires you to take appropriate technical and organisational measures to prevent unauthorised processing of personal data you hold.
Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.
There are severe penalties for organisations that lose personal data where adequate precautions have not been taken to prevent unauthorised access to that information. The Information Commissioner’s Office requires that organisations use encryption to achieve this protection.