The GDPR: Requirements for encryption

Pseudonymisation and encryption are the only technological measures specifically mentioned in the famously technology-agnostic GDPR (General Data Protection Regulation).

But what exactly is meant by ‘pseudonymisation’ and ‘encryption’? Are these measures mandatory? More importantly, how can organisations go about implementing them? Let’s take a look.

What is pseudonymisation?

Pseudonymisation is the process of replacing personally identifiable information with artificial identifiers (pseudonyms) in order to conceal the data subject it relates to.

For instance, you might replace data subjects’ names, addresses or other data with reference numbers. If that data is then breached, there would be no way of connecting it with the data subject without additional information – which should, of course, be held separately.

Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, both in terms of practicality and the risk of re-identification (pseudonyms can often be linked back to individuals if the separately held mapping leaks or if the pseudonym can be recomputed from guessable values). For stronger data protection, we look to encryption.

What is encryption?

A form of cryptography, encryption is a way of safeguarding data against unauthorised access by transforming it with a mathematical function (a cipher) controlled by a secret value known as a key. Without the key to decrypt it again, the data is unintelligible (and consequently worthless to whoever obtains it).

In practical terms, this means that if you encrypt the personal data you process, there will be no risk to the rights and freedoms of data subjects even if you suffer a data breach – because the encrypted data will be unavailable to any unauthorised party without the decryption key.

There are many types of processing activity where encryption would be appropriate and many encryption algorithms that you can use. Some use the same key for both encryption and decryption; others use different ones. The ICO (Information Commissioner’s Office) has published guidance to help you decide which is most suitable for your needs, and the scenarios in which encryption might be used.

Encryption is not mandatory under the GDPR. One way to determine if it is appropriate is to conduct a DPIA (data protection impact assessment). DPIAs are mandatory where processing could result in a high risk to the data subjects, and will help you determine safeguards (such as encryption) that are appropriate to the risk. Conducting DPIAs is good practice even where the risk is initially perceived as low, as your assessment may reveal risks you had not considered.

It’s also important to note that Article 4(2) defines processing as “any operation or set of operations which is performed on personal data”, such as “adaptation or alteration”. So, even if you only encrypt personal data, you are still processing it under the Regulation and must abide by its requirements.

ICO recommendations

The ICO recommends that you:

  • Have “a policy governing the use of encryption, including guidelines that enable staff to understand when they should and should not use it”;
  • Store personal data “in an encrypted form to protect against unauthorised access or processing, especially if the loss of the personal data is reasonably likely to occur and would cause damage or distress to individuals”; and
  • Use “an appropriate encrypted communications protocol” when transmitting personal data over the Internet, over a wireless communication network (e.g. Wi-Fi), or when the data will pass through an untrusted network.

You should also take account of relevant industry or sector-specific guidelines that include minimum standards or recommend specific policies for encryption, such as NHS Digital’s Encryption guidance for health and social care organisations and the PCI DSS (Payment Card Industry Data Security Standard).

Pseudonymisation and encryption – not a silver bullet

Although pseudonymisation and encryption can be effective methods of safeguarding your data, these measures alone won’t fully protect your organisation.

Effective and robust cyber security requires an ISMS (information security management system) built on three pillars: people, processes and technology. This three-pronged approach will help your organisation defend itself from both highly organised attacks and common internal threats, such as accidental breaches and human error.

The international standard ISO 27001 provides the specification for a best-practice ISMS and provides an excellent starting point for meeting the technical and operational requirements of the GDPR. In fact, the Standard’s requirements overlap with those outlined in Article 32 of the GDPR – including the need to “take measures to pseudonymise and encrypt personal data”.
