With 2,260 confirmed data breaches across 82 countries, as published in Verizon’s 2015 Data Breach Investigations Report, avoidable data security breaches are still proving all too common for businesses. To promote better data security in the UK, the Information Commissioner’s Office (ICO), the public body responsible for enforcing data protection law in the UK, has recently published updated guidance on protecting data through encryption.
What is encryption?
Encryption is a technique for converting data into another form that cannot be read by third parties. To use the data, the intended recipient must convert, or decrypt, the result back into its original form, normally by applying a mathematical algorithm. Typically, data can be encrypted while being stored (e.g. on a laptop, mobile, USB or back-up media, databases and file servers) or while being transferred from one device to another (e.g. across the internet or over a wireless connection).
Is encryption a legal requirement for your business?
The Data Protection Act (DPA) does not specify that organisations must use encryption; instead, it simply requires them to take “appropriate technical and organisational measures” against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Encryption is one of many measures that businesses can employ to assist in complying with the DPA.
ICO guidance on common business scenarios
Given the increasing use of encryption as a business tool, the ICO has recently given guidance on how organisations can use it in common business scenarios involving the processing of personal data, for example:
Enforcement by the ICO
Given the increasing use of encryption, the ICO now takes the view that regulatory action and fines may be appropriate where a failure to use encryption has led to data loss. The ICO hopes that these penalties, together with the reputational damage that businesses inevitably suffer from data breaches, will encourage the wide adoption of relatively low-cost security measures such as encryption.
But how easy will it be for organisations to implement data encryption in their corporate environments? For some, their current IT infrastructure may block the installation of the software needed to decipher encrypted data, e.g. because they use server-based malware scanning products. However, the time, cost and inconvenience of working around such issues so that encryption and other data security measures can work effectively has to be weighed against the potential financial and reputational risk of non-compliance. Saying it is too difficult to implement available technology may not wash with the ICO.