Let’s cut to the chase. The GDPR doesn’t require encryption. But Article 32, which deals with security, requires that each organisation carries out an analysis of the risks related to data loss and implements appropriate safeguards. It does recommend (but does not require) encryption as an appropriate means of protecting personal data in a couple of instances.
What the GDPR does is make organisations responsible for protecting the personal data they hold on individuals. In the event of a data breach, personal data that’s lost or stolen is far better protected if it was encrypted than if it wasn’t. So what encryption offers is an extra layer of security. If you decide not to encrypt, you should document why you’ve decided not to do so.
So when should you encrypt personal data? To understand that you need to understand a bit about encryption.
When can data be encrypted?
1. When data is at rest, ie data that’s stored on your servers can be encrypted.
2. When data is in transit, ie data that’s being moved via the Internet can be encrypted.
At what point are you actually encrypting the data? If you decide to encrypt, you must be clear about which of these states (at rest, in transit, or both) you need it to be encrypted in.
Some examples of the personal data you should encrypt:
- Any personal data that another person can use to steal someone’s identity, such as a driver’s licence number or a tax ID number.
- Your competitive / confidential business data. Your employees have access to your competitors’ data. You want to make sure that if employees are leaving for another employer they aren’t able to take client lists with them.
- Customer information. If you have a data breach and the information is not encrypted then there’ll be reputational and trust damage when your customers learn that their personal data was stolen as a result of poor business practices.
- Employee information. Sensitive employee data and that which the GDPR considers special category data, such as health information, can be damaging if it falls into the wrong hands.
- Emails. If you’re sending sensitive information to your customers you should consider encrypting the content of those emails.
If you decide you do want to encrypt the personal data you hold, then you need to decide on an approach to take. That’s for another blog post.
If you don’t want to encrypt your files, you can still use pseudonymisation.