The GDPR’s requirements for encryption

Pseudonymisation and encryption are the only technological measures specifically mentioned in the famously technology-agnostic GDPR (General Data Protection Regulation).

But what exactly is meant by ‘pseudonymisation’ and ‘encryption’? Are these measures mandatory? More importantly, how can organisations go about implementing them? Let’s take a look.

What is pseudonymisation?

Pseudonymisation is the process of replacing personally identifiable information with artificial identifiers (pseudonyms) in order to conceal the data subject it relates to.

For instance, you might replace data subjects’ names, addresses or other data with reference numbers. If that data is then breached, there would be no way of connecting it with the data subject without additional information – which should, of course, be held separately.

Although pseudonymisation is central to the GDPR’s approach to protecting data – it is mentioned 15 times in the Regulation – and can help protect the privacy and security of personal data, it has its limits, both in practicality and in the risk that data subjects can be re-identified. For stronger data protection, we look to encryption.
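As an added illustration (not code from the original article), the following Python script shows the two common ways of implementing the pseudonymisation described above on a small constructed customer table: random reference numbers whose lookup table is held separately (the “additional information” the GDPR requires you to keep apart), and keyed HMAC pseudonyms that stay consistent across datasets but cannot be reversed or tested without the secret key. It also shows, for contrast, why an unkeyed hash of an email address is not a real pseudonym: anyone who guesses the address can recompute it. All names, emails and the key are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records (fictional people) standing in for a customer table.
# Alice appears twice so that linkage of one subject's records can be checked.
CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "AB1 2CD", "plan": "gold"},
    {"name": "Bob Sample", "email": "bob@example.org", "postcode": "EF3 4GH", "plan": "silver"},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "AB1 2CD", "plan": "gold"},
]
IDENTIFYING_FIELDS = ("name", "email", "postcode")


@dataclass
class Vault:
    """The 'additional information' that must be held separately from the
    pseudonymised dataset: a lookup from reference number back to identity."""
    lookup: dict = field(default_factory=dict)

    def re_identify(self, reference):
        # Only a holder of the vault can connect a reference to a person.
        return self.lookup[reference]


def tokenise(records, vault):
    """Random-token pseudonymisation: each distinct data subject receives an
    unguessable reference number; the mapping is written only into the vault."""
    references_by_identity = {}
    output = []
    for record in records:
        identity = tuple(record[f] for f in IDENTIFYING_FIELDS)
        if identity not in references_by_identity:
            reference = "SUBJ-" + secrets.token_hex(8)
            references_by_identity[identity] = reference
            vault.lookup[reference] = dict(zip(IDENTIFYING_FIELDS, identity))
        pseudonymised = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        pseudonymised["subject_ref"] = references_by_identity[identity]
        output.append(pseudonymised)
    return output


def keyed_pseudonym(value, key):
    """Deterministic pseudonym: HMAC-SHA256 of the identifier under a secret key.
    The same input always yields the same pseudonym, so records from different
    systems can still be joined, but without the key nobody can reverse it or
    check a guessed identifier against it. The key is the 'additional
    information' and must be stored apart from the data."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(value):
    """Anti-pattern for comparison: a bare hash of a low-entropy identifier is
    a pseudonym in name only, because anyone can recompute it from a guessed
    name or email address and so re-identify the record."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def pseudonymise_keyed(records, key):
    """Replace identifying fields with a keyed pseudonym of the email address."""
    output = []
    for record in records:
        pseudonymised = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
        pseudonymised["subject_ref"] = keyed_pseudonym(record["email"], key)
        output.append(pseudonymised)
    return output


if __name__ == "__main__":
    vault = Vault()  # in practice: a separate store with its own access control
    for row in tokenise(CUSTOMERS, vault):
        print("tokenised:", row)
    print("vault entries (held separately):", len(vault.lookup))

    pseudonymisation_key = secrets.token_bytes(32)  # constructed; store in a KMS/HSM
    for row in pseudonymise_keyed(CUSTOMERS, pseudonymisation_key):
        print("keyed:", row)
```

The tokenised output can be shared with analysts or a processor without the vault; re-identification requires access to the vault, which should sit behind separate access controls and logging. Choose the keyed form when the same subject must be recognisable across several datasets, and rotate or segregate the key per purpose so that a compromise of one dataset’s key does not link every dataset.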

What is encryption?

A form of cryptography, encryption safeguards data against unauthorised access by transforming it with a mathematical algorithm under the control of a secret value known as a key. Without the key to decrypt it again, the data is inaccessible (and consequently worthless to whoever obtains it).

In practical terms, this means that if you encrypt the personal data you process, there will be no risk to the rights and freedoms of data subjects even if you suffer a data breach – because the encrypted data will be unavailable to any unauthorised party that does not also hold the decryption key.

There are many types of processing activity where encryption would be appropriate and many encryption algorithms that you can use. Some (symmetric algorithms) use the same key for both encryption and decryption; others (asymmetric algorithms) use a different key for each. The ICO (Information Commissioner’s Office) has published guidance to help you decide which is most suitable for your needs, and the scenarios in which encryption might be used.

Encryption is not mandatory under the GDPR. One way to determine if it is appropriate is to conduct a DPIA (data protection impact assessment). DPIAs are mandatory where processing could result in a high risk to the data subjects, and will help you determine safeguards (such as encryption) that are appropriate to the risk. Conducting DPIAs is good practice even where the risk is initially perceived as low, as your assessment may reveal risks you had not considered.

It’s also important to note that Article 4(2) defines processing as “any operation or set of operations which is performed on personal data”, such as “adaptation or alteration”. So, even if you only encrypt personal data, you are still processing it under the Regulation and must abide by its requirements.

ICO recommendations

The ICO recommends that you:

  • Have “a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it”;
  • Store personal data “in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals”; and
  • Use “an appropriate encrypted communications protocol” when transmitting personal data over the Internet, over a wireless communication network (e.g. Wi-Fi), or when the data will pass through an untrusted network.

You should also take account of relevant industry or sector-specific guidelines that include minimum standards or recommend specific policies for encryption, such as NHS Digital’s Encryption guidance for health and social care organisations and the PCI DSS (Payment Card Industry Data Security Standard).

Pseudonymisation and encryption – not a silver bullet

Although pseudonymisation and encryption can be effective methods of safeguarding your data, these measures alone won’t fully protect your organisation.

It’s advisable to make sure data protection is a top priority for all staff – knowledge of the related processes and procedures should be commonplace, and having data protection expertise you can rely on will enable your organisation to keep ticking while data is kept safe.

Our sister company GRCI Law Limited is a legal consultancy specialising in data protection and cyber security. Its DPO as a service offering gives you direct access to a qualified, experienced DPO (data protection officer). The DPO is responsible for monitoring and advising on data protection within the organisation, and ensuring compliance with the GDPR.
