A strong password may not be sufficient any more…

Cathrine Ripley, head of the Commercial & Technology/IP department, considers the new guidance on data encryption provided by the Information Commissioner's Office earlier this month.

The ‘security’ principle set out in Article 5(1)(f) GDPR requires personal data to be processed securely by means of appropriate technical and organisational measures to prevent unauthorised processing of personal data. On 1st November 2018 the Information Commissioner's Office (ICO) issued guidance on the use of encryption as an appropriate technical measure to protect personal data.

The ICO defines ‘encryption’ as ‘a mathematical function that encodes data in such a way that only authorised users can access it’. Encryption is deemed to be a way of safeguarding against unauthorised or unlawful processing of personal data and is, amongst others, one way in which one can demonstrate compliance with the security principle. This applies particularly to information stored on mobile and static devices and to the transmission of such information.

The ICO recommends that organisations have an encryption policy in place to govern when and how encryption should be used whilst processing personal data. The ICO also recommends that staff should be trained in the use of encryption.

In addition, the ICO guidance provides that encryption should be used both for storing and for transmitting data, and that the type of encryption should be tailored to the sensitivity of the data involved and the industry the organisation is in. By way of illustration, the ICO reports several incidents of personal data being subject to unauthorised or unlawful processing, loss, damage or destruction, which in most instances could have been avoided if the personal data had been encrypted in the first place. As a result, the ICO has confirmed that the loss or destruction of unencrypted data may be subject to regulatory action, including fines.

This guidance is a good starting point, but it is important that individual businesses assess the level of protection needed, which will depend on the amount of personal data processed and/or the industry they are in, and ensure that a higher level of security measures is put in place, as a lack of action may come at a high cost to those who fail to take it seriously.