
Encrypting personal data: UK regulator publishes new guidance

On 3 March 2016, the Information Commissioner’s Office (ICO), the authority responsible for protecting data and privacy rights in the UK, published new guidance for businesses on the use of encryption to protect employees’ and customers’ personal data (Guidance).


Under the UK Data Protection Act 1998 (DPA), a data controller (being the entity which determines the purpose and method of processing personal data) must take “appropriate technical and organisational measures” against unauthorised access to and loss of personal data. Although there is no express requirement that all personal data must be encrypted, the ICO has warned that it may take regulatory action where unencrypted personal data is lost, stolen or accessed unlawfully.

Further, the EU General Data Protection Regulation (GDPR), expected to come into force in 2018, expressly refers to encryption as a mechanism that can be used to demonstrate compliance with data protection obligations.

Guidance on encryption

The Guidance is divided into two categories: the use of encryption when transferring data and when storing data. Helpfully, the Guidance provides various examples of where, when and how encryption should be used and the pros and cons of using different encryption methods.

The Guidance makes it clear that businesses should ensure that they choose suitable, up-to-date encryption software, which is regularly assessed to ensure it remains appropriate. A significant number of monetary penalties have been issued by the ICO over the last few years due to simple and avoidable mistakes in selecting and implementing a suitable encryption method. For example: Ltd, an online travel insurer, was fined £175,000 by the ICO for failing to protect its customers’ personal data and Sony Computer Entertainment Europe was fined £250m for failure to prevent the hacking of millions of customers’ personal data.

Heavy DPA sanctions may be imposed for security breaches such as these and, with the introduction of the GDPR, the level of fines could increase to the greater of £20m or 4% of annual worldwide turnover of a business.

There are multiple types of encryption software and other cyber security measures that could be used by data controllers, and often the correct policy will depend on the people and personal data concerned. Therefore, it is advisable to conduct complete risk assessments and Privacy Impact Assessments (see here) to determine the most appropriate forms of encryption to apply in any given scenario.

WAB comment

All businesses handling personal data are at risk of cyberattacks and other forms of security breaches. Given the ICO’s robust enforcement stance against preventable security incidents, this Guidance will be welcomed by businesses in need of practical advice on how encryption can and should be used to ensure protection against the ever-increasing ways in which their security systems could be infiltrated.

See the Guidance here.

Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.
