UK Regulator Issues Guidance About Encryption Under GDPR
The UK Information Commissioner’s Office recently released helpful encryption guidance. Although issued to address the GDPR security requirements, the document may be useful more broadly because of the level of detail the ICO provides on encryption. In the guidance, the ICO describes the main types of encryption (symmetric and asymmetric) and when each method is appropriate. The ICO also clarifies that “hashing” is not encryption, a distinction that is often confused. The ICO further explains how to implement encryption: choose the right algorithm, the right key size, and the right software. The ICO also reminds companies to keep the key itself secure. Finally, the ICO links to several resources for learning more about encryption methods and standards.
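To make the ICO’s two distinctions concrete (symmetric versus asymmetric encryption, and hashing versus encryption), the following is an added illustration written for this summary; it is not code from the ICO guidance or from this post. It uses only the Go standard library and a constructed sample record: a SHA-256 hash has no key and cannot be reversed, AES-GCM uses one shared key in both directions (and rejects a wrong key or tampered data), and RSA-OAEP lets anyone with the public key encrypt while only the private key holder can decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// HashRecord returns the hex SHA-256 digest of data. A hash takes no key and
// is one-way: equal inputs give equal digests, and nothing "decrypts" a digest
// back into the input. That is why a hashed field is not an encrypted field.
func HashRecord(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SymmetricEncrypt seals plaintext with AES-256-GCM under a 32-byte key and
// returns nonce || ciphertext || authentication tag. Whoever holds the same
// key can reverse it, so the key must be stored separately from the data.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. A wrong key or a tampered
// ciphertext fails the GCM tag check and returns an error instead of garbage.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// AsymmetricEncrypt uses RSA-OAEP: anyone holding the public key can encrypt,
// but only the matching private key can decrypt. This suits handing data to a
// specific recipient without first sharing a secret with them.
func AsymmetricEncrypt(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// AsymmetricDecrypt is the private-key side of AsymmetricEncrypt.
func AsymmetricDecrypt(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

func main() {
	// Constructed sample record, not real personal data.
	record := []byte("constructed sample: customer 0042, DOB 1980-01-01")

	// Hashing: deterministic and irreversible, so there is nothing to decrypt.
	fmt.Println("sha256:", HashRecord(record))

	// Symmetric: one shared key for both directions.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	sealed, err := SymmetricEncrypt(key, record)
	if err != nil {
		panic(err)
	}
	opened, err := SymmetricDecrypt(key, sealed)
	fmt.Println("aes-gcm round trip ok:", err == nil && string(opened) == string(record))

	// Asymmetric: public key encrypts, private key decrypts.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, err := AsymmetricEncrypt(&priv.PublicKey, record)
	if err != nil {
		panic(err)
	}
	pt, err := AsymmetricDecrypt(priv, ct)
	fmt.Println("rsa-oaep round trip ok:", err == nil && string(pt) == string(record))
}
```

The practical point for an encryption policy is the last line of each section: the hash gives no way back to the data, while both encryption modes do, which is exactly why the ICO treats key protection as part of implementing encryption rather than a separate concern.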
Reviewing this guidance is important for companies subject to GDPR: the ICO states that if a company suffers a breach involving unencrypted data, the ICO will consider taking regulatory action. The ICO recommends that companies put an encryption policy in place. That policy, the ICO states, should explain when the company will and will not use encryption measures.
Putting it Into Practice: Companies thinking about encryption will find this guidance helpful, in particular with respect to the types of encryption to use and what an encryption policy might look like.