By Peter Brown, Senior Technology Officer
So many data breaches that make the headlines lead to questions about whether the data placed at risk was encrypted. All too often, despite the relative ease with which encryption software can be used, the answer is either ‘no’ or ‘we’re not sure’.
A question we often get asked is whether or not encryption is a legal requirement. The Data Protection Act does not specify the use of encryption but it does say that data controllers should use appropriate measures to keep the personal data they hold secure. Encryption, being a widely available technology with a relatively low cost of implementation, is one such measure.
The ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data. A significant number of the monetary penalties we have issued since 2010 relate to the failure to use encryption correctly as a technical security measure. Where data is not appropriately secured, loss, theft or inappropriate access is much more likely to occur.
On top of the fines, data controllers risk significant damage to their reputation if they do not store personal data securely.
The recently announced DROWN vulnerability demonstrates the importance of good cyber hygiene, which involves dropping support for old and insecure protocols and keeping your current systems up to date.
Many of the cases we see involve data controllers making basic errors like storing personal data on unencrypted devices such as USB sticks which are either stolen or lost. Other cases include data controllers failing to dispose of IT equipment correctly or sending sensitive personal data in an unprotected form to the wrong individual.
Everyone’s needs are different when it comes to encryption; the ‘right’ encryption will depend on the sensitivity of the personal data being processed and how that data is stored. There are many encryption products available and data controllers can use these without having to build their own solution personally.
Encryption doesn’t have to be complicated or difficult and could help you avoid a fine. Don’t wait until after a data breach to start using it.
Peter Brown is a Senior Technology Officer within our Technology team, providing technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.