March 18, 2019

March 15, 2019


UK Regulator Issues Guidance About Encryption Under GDPR

The UK Information Commissioner’s Office (ICO) recently released helpful encryption guidance. Although released to address the GDPR security requirements, the document may be helpful more broadly because of the detail about encryption the ICO provides. In the guidance, the ICO points to certain types of encryption (symmetric and asymmetric) and explains when to use the different methods. The ICO also clarifies that “hashing” is not encryption; the two are often confused. The ICO also gives information about how to implement encryption, namely to choose the right algorithm, the right key size, and the right software, and it reminds companies to keep the key itself secure. Finally, the ICO gives links to several resources for learning more about encryption and encryption methods and standards.

Reviewing this guidance is important for companies subject to GDPR: the ICO states that, if faced with a breach of unencrypted data, it will think about taking regulatory action. The ICO recommends that companies put an encryption policy in place. That policy, the ICO states, should explain when the company will or will not use encryption measures.

Putting it Into Practice: Companies thinking about encryption will find this guidance helpful, in particular with respect to the types of encryption to use and what an encryption policy might look like.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.


About this Author

Shanna Pearce, Sheppard Mullin, San Diego
Associate

Ms. Pearce represents businesses in the areas of intellectual property and commercial litigation, from trademark and copyright matters to consumer class actions. She has represented Fortune 500 companies in complex actions involving allegations of copyright violation, breach of contract, fraud, and unfair business practices. She has also defended retailers and financial institutions in class actions alleging violations of statute and federal laws relating to false advertising, unfair competition, pricing practices, and lending disclosures. Ms. Pearce’s litigation...

858-720-7475
Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney
Partner

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and external practitioners alike.”

She is known as an industry leader in the privacy and data security space and is consistently recognized by Leading Lawyers Network, Chambers and The Legal 500, and leading publications and organizations for her work in this area of law. Liisa was recently recognized as the 2017 Data Protection Lawyer of the Year - USA by Global 100, the 2017 U.S. Data Protection Lawyer of the Year by Finance Monthly, and the “Best in Data Security Law Services” at Corporate LiveWire’s 2017 Global Awards.

312-499-6335