GDPR Data Encryption Requirements
The European Union’s General Data Protection Regulation (GDPR) requires organizations that fall under its scope to secure sensitive data against data breaches defined as the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. To avoid such security incidents, companies are encouraged to implement appropriate technical and organizational measures to ensure personal data is processed securely. The text of the regulation remains vague on the subject of what these measures should be and gives only two specific suggestions: pseudonymization and encryption.
Pseudonymization is the process of replacing personally identifiable information with unique artificial identifiers, so-called pseudonyms, to conceal the data subject it relates to, making the data anonymous in a limited context. While pseudonymized data does come with the risk of data re-identification, the GDPR sets more relaxed standards for it as it is considered less likely to significantly affect data subjects in the event of a data breach. That being said, the implementation of pseudonymization presents greater challenges than its more widespread, cheaper alternative: encryption.
Encryption is one of the most common, inexpensive, and efficient processes companies can incorporate into their cybersecurity strategies to increase data security and facilitate secure communications. Encryption has become a standard tool included in many operating systems and a number of highly effective data protection solutions for both data at rest and in transit.
Encryption is a form of cryptography that translates data from plaintext, namely an easily readable format, into ciphertext, a form that cannot be deciphered without the help of a special key. This essentially means that any unauthorized party cannot access the data without a decryption key, making the data worthless and preserving the rights and freedoms of data subjects.
Encryption in the GDPR
Encryption is not a mandatory requirement under the General Data Protection Regulation. However, it is mentioned four times in the text of the regulation, each time as a recommendation. It first appears in Recital 83, in which it is stated that, in order to maintain security and GDPR compliance, data controllers or processors should evaluate the risks inherent in data processing and implement measures to mitigate those risks, such as encryption.
Encryption then appears in three articles of the GDPR, each time as an example of an effective technical measure. In the context of lawful processing in article 6 under point 4e, the existence of appropriate safeguards, which may include encryption or pseudonymization is one of the things which controllers need to take into account when ascertaining whether processing for another purpose is compatible with the purpose for which the personal data was initially collected.
In article 32 on the security of processing, under point 1a, the law reiterates some of the points made in Recital 83. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risks and severity for the rights and freedoms of natural persons, the controller, and the processor need to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, among other things, the pseudonymization and encryption of personal data.
Encryption makes a final appearance in Article 34 on the communication of a personal data breach to the data subject, under point 3a. The communication to the data subject is not required if the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
Using encryption for GDPR compliance
While organizations are not obligated under GDPR to encrypt personal data, it is one of only two technical security measures mentioned in the text of the regulation. However, the GDPR’s failure to make encryption mandatory does mean that it offers no clarifications on when encryption should be used and which standards need to be applied to it. Some national data protection authorities such as the United Kingdom’s Information Commissioner’s Office (ICO), have taken matters into their own hands and recommended that encryption solutions meet current standards such as FIPS 140-2 and FIPS 197.
Many encryption solutions that meet these standards already exist as native tools on mobile phones or operating systems, making them one of the easiest steps organizations can take to protect data. Paid-for solutions are also available for more specific issues such as USB encryption.
The use of encryption offers companies not only a good way of ensuring the data privacy of EU citizens but can also help them reduce the administrative burden of personal data breach notifications for data subjects.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.